We have reported this bug to Facebook and they replied asking “How is this different than hitting the message button?”
If you want to spam everyone in the world who uses Facebook, it is quite easy to do: the target of the message button is a plain numeric user ID, and numeric IDs can be enumerated.
That is a spammer's delight, and Facebook dismissed it. Their reply is accurate as far as it goes, since clicking the button sends to that same ID; the point of the report is that the ID is a guessable number, so a script can do what the button does for every account in turn.
Step 1:
Go to anyone’s Facebook profile.
Step 2:
Right click on the message button.
Step 3:
Navigate to “Inspect”
With developer tools available, the browser opens the inspector on the page markup that Facebook serves around the button.
The attribute we care about is easy to miss in that block of markup, but to a hacker's eye it stands out: the button's recipient is nothing more than a numeric user ID.
Change that ID and the message goes to whichever account the new number belongs to.
Enumerate the number range with a little script and you can message everyone on Facebook.
That can be used to push propaganda to every user of the platform, which is extremely dangerous.
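To make the enumeration point concrete, here is an added example that is not part of the original post and is not Facebook's code. It builds a constructed in-memory messaging service keyed on a made-up range of numeric IDs, runs the sequential enumerator the post alludes to against it, and then shows the two controls that change the picture: a per-sender rate limit and opaque, unguessable IDs. Every class, function name, ID value and limit below is an assumption chosen for the demonstration.

```python
"""Added example: why a numeric, enumerable recipient ID turns "send one
message" into "message everybody", simulated against a constructed
in-memory service. Nothing here talks to Facebook or any real network."""
import secrets
from collections import defaultdict


class MockMessagingService:
    """Constructed stand-in for a messaging endpoint whose recipient is a
    numeric user ID. Not Facebook's code; the ID space is made up."""

    def __init__(self, user_ids, per_sender_limit=None):
        self.users = set(user_ids)
        self.inbox = defaultdict(list)          # recipient_id -> [(sender, text)]
        self.sent_count = defaultdict(int)      # sender -> messages sent
        self.per_sender_limit = per_sender_limit  # None means no limit (assumption)

    def send(self, sender, recipient_id, text):
        """Deliver one message; returns an outcome label for the caller."""
        if recipient_id not in self.users:
            return "unknown_recipient"
        if (self.per_sender_limit is not None
                and self.sent_count[sender] >= self.per_sender_limit):
            return "rate_limited"
        self.sent_count[sender] += 1
        self.inbox[recipient_id].append((sender, text))
        return "delivered"


def enumerate_and_spam(service, sender, start_id, end_id, text):
    """The 'little script': walk the numeric ID range and fire at each one.
    Returns a count of each outcome so the effect of a control is visible."""
    outcomes = defaultdict(int)
    for rid in range(start_id, end_id + 1):
        outcomes[service.send(sender, rid, text)] += 1
    return dict(outcomes)


def opaque_ids(n):
    """Unguessable identifiers (128 random bits each, hex-encoded).
    With these as recipient keys there is no range to walk."""
    return [secrets.token_hex(16) for _ in range(n)]


def guess_opaque_ids(valid_ids, attempts):
    """Try to hit an opaque ID by random guessing; returns number of hits.
    For 2^128 possible values and a handful of valid ones this is ~0."""
    valid = set(valid_ids)
    return sum(1 for _ in range(attempts) if secrets.token_hex(16) in valid)


def demo():
    """Run the enumerator with and without a per-sender limit.
    Constructed sample: valid accounts are IDs 1000..1019 (20 users);
    the attacker scans 900..1100 (201 IDs)."""
    ids = list(range(1000, 1020))

    open_service = MockMessagingService(ids)
    unlimited = enumerate_and_spam(open_service, "spammer", 900, 1100, "hello")
    # -> 20 delivered, 181 unknown_recipient: every real account got spammed

    limited_service = MockMessagingService(ids, per_sender_limit=5)
    limited = enumerate_and_spam(limited_service, "spammer", 900, 1100, "hello")
    # -> 5 delivered, 15 rate_limited, 181 unknown_recipient

    return unlimited, limited


if __name__ == "__main__":
    print(demo())
    print("opaque-ID hits:", guess_opaque_ids(opaque_ids(20), 1000))
```

The second run shows what Facebook's "how is this different" reply leaves out: the difference between one click and a whole-platform scan is entirely a question of whether the endpoint meters the sender, and the opaque-ID variant shows the other fix, making the recipient key something a loop cannot walk.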
This post is for educational purposes only, we do not condone anyone hacking any website.
Qubits January 3-2018
Updated 2018-04-11