7 comments

[ 3.4 ms ] story [ 18.6 ms ] thread
I'm no user of Facebook, and when I see this material, I highly doubt I will ever try it. Why is Facebook unleashing this kind of stuff on its members? It shows the traits of malicious JavaScript that shady sites use to exploit security vulnerabilities in browsers. Why aren't Facebook members not allowed to know what they're made to run? Does Facebook have something nasty to hide?
This is an XSS; it's not something that Facebook put out.
Wouldn't it be possible to deny any scripts that looked like that? I know that it must obviously be legal Javascript, but if it's formatted like one blob of text, deny. This might be a too naive approach to work, I'm mostly raising the question out of curiosity, is it possible to spot obfuscation programmatically.
Harmless Javascript minification can be difficult to distinguish from intentional obfuscation. Packer in base62 mode (http://dean.edwards.name/packer/) is a good example.
Interesting, but what purpose does that serve? Wouldn't it be possible to formulate a rule for an organization, where you deny this as well.
I was drawn to security for a while mostly because javascript like that must be so much fun to write and encrypt. Although it's almost as much fun to decrypt. Until I get some more free time I guess I'll settle for reading about it.

Also, I love the first comment on this article: "Didn’t you just violate DMCA?"