10 comments

[ 2.3 ms ] story [ 26.3 ms ] thread
Makes a vulgar post on a users wall, if the user clicks "Remove this app" it then post it to all your friends walls.

Reddits reaction thus far http://www.reddit.com/r/reddit.com/search?q=nicole+santos

Edit: I think facebook has already taken it down, it lasted about 30 minutes.

It was Dropbox that took down the file, though I bet it was taken down by some sort of automatic hotlinking protection system.
The Dropbox link went down quite fast, it was mirrored by another site nearly instantly and the hack remained in working condition. Then I'm guessing Facebook took down the App and deleted all the comments that were spread.
Great, you found a script injection. However, I think you misunderstand "Hacker News"
Wasn't me and I don't understand this comment.
seems like a better way to cause a dns attack on the file hosters machine no? better title: dns attack from facebook.
It all began when a user pasted the value of the jsText variable in the address bar. The script create a new script DOM element and append it to head injecting the malicious links (so that there is no more need to run the bookmarklet-like link.)

The problem here is that the (old) Facebook prompt_page.php page:

http://www.facebook.com/connect/prompt_feed.php

doesn't sanitize feed_info[action_links][0][href] allowing javascript: links.

It seems as though she is more the victim of some asshole that may or may not know her, that is now trying to extract some revenge by making her life a miserable hell while this mess gets sorted out.