If you open your browser’s developer console on Facebook, you will see the following warning message:
Stop! This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or “hack” someone’s account, it is a scam and will give them access to your Facebook account.
Below is a screenshot of the message:
The message also displays a link, which leads to an informational page about the dangers of XSS (cross-site scripting).
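A site that wants to show its own visitors a similar warning can print one from its page script. The following is an added example, not Facebook's code: the site name, help URL, styles and function names are assumptions, and the wording is adapted from the message quoted above.

```javascript
// Added example: a self-XSS console warning for a site's own pages.
// SITE_NAME and HELP_URL are constructed placeholders, not values from the page.
const SITE_NAME = "ExampleSite";
const HELP_URL = "https://example.com/help/self-xss";

// %c applies CSS to the text that follows it in browser consoles.
const HEADING_STYLE = "color:red;font-size:48px;font-weight:bold;";
const BODY_STYLE = "font-size:18px;";

// Build the argument list for console.log. Every piece of text is passed
// through a %s substitution instead of being concatenated into the format
// string, so a "%" inside a site name or URL is never read as a directive.
function buildSelfXssWarning(siteName, helpUrl) {
  const heading = "Stop!";
  const body =
    "This is a browser feature intended for developers. If someone told " +
    "you to copy-paste something here to enable a " + siteName +
    " feature or \"hack\" someone's account, it is a scam and will give " +
    "them access to your " + siteName + " account.";
  const more = "See " + helpUrl + " for more information.";
  return [
    "%c%s\n%c%s\n%s",
    HEADING_STYLE, heading,
    BODY_STYLE, body,
    more,
  ];
}

// Print the warning once. The target console is a parameter so the
// function can be exercised outside a browser; returns false when no
// usable console object is available.
function showSelfXssWarning(target, siteName, helpUrl) {
  if (!target || typeof target.log !== "function") return false;
  target.log(...buildSelfXssWarning(siteName, helpUrl));
  return true;
}

showSelfXssWarning(typeof console !== "undefined" ? console : null, SITE_NAME, HELP_URL);
```

The warning is only an awareness measure: it does not stop pasted code from running with the user's session.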
In the past, a number of Facebook users have copied and pasted JavaScript code into the browser console without fully understanding what it does.
Facebook is calling this “self-XSS” because these users are essentially inflicting XSS attacks on themselves.
In most cases, the victim is trying to “unlock” a feature that doesn’t exist. For example, the attacker may tell them that the code will give them access to a list of people who viewed their profile.
Of course, this is a lie. Instead, the code will hijack their account, post links to shady websites to their timeline, or spam their friend list.
If you have no knowledge of XSS or JavaScript, then you should never copy and paste anything into the developer console.