Spamming Facebook Messages

We have reported this bug to Facebook and they replied asking “How is this different than hitting the message button?”

If you want to spam everyone in the World that uses Facebook, it’s quite easy to do. Their code uses a numeric value.

This is a spammers delight and Facebook just dismissed it.

Step 1:

Go to anyone’s Facebook profile.

Step 2:

Right click on the message button.


Step 3:

Navigate to “Inspect”

If you have developer tools enabled you should see the code that Facebook has written.

The small bit of code we are interested in is hard to see in this batch of code, but to the hackers eye we can see one flaw.

Changing the ID lets you message whoever that ID is.

Enumerate that with a little script, you can message everyone on Facebook.


This can be used to propagate propaganda to users of the platform and is extremely dangerous.

This post is for educational purposes only, we do not condone anyone hacking any website.

Qubits January 3-2018

Updated 2018-04-11


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.