Yes, exactly JavaScript. I just met such a worm and tried to decode it.
What the actual problem is:
The recent Facebook worm works by getting users to visit a page, which makes them insert a JavaScript string into their address bar and therefore executing it.
So, DON'T EVER copy some JavaScript code into your address bar. That's the main problem. And don't click any links you don't trust. Or at least open those links in a new window using the Privacy Mode (Firefox) or Incognito mode (Chrome) so that it won't be able to access your Facebook session.
What did our hackers do to make people not realize what they're doing?
Escaping the script
The string you copy into the URL bar mostly links to another JavaScript which is executed. This script is actually decoded into entities. So instead of using string characters, the whole script was put into a string and escaped so that no human could read it in the first place.
For example, if I had a very malicious function I'd escape it and the user would only see:
function%20test%28%29%20%7B%20alert%20%28%22LOL%22%29%3B%20%7D
and unescaped it would be
function test() { alert("LOL"); }
The script therefore unescapes "itself" before it is executed.
Obfuscating it
Now it's getting ugly: Before escaping it, the evil JavaScript code is obfuscated, with function names like _____x
and variables like aLDIWEJ
. This makes still sense for JavaScript, but it is entirely unreadable to humans. This is done, again, to mask the intentions of our Facebook hackers.
At this point, the code could have looked something like this:
![enter image description here](https://i.stack.imgur.com/LcSPP.png)
What the script does
Well, what this script does is take your current Facebook session. Because you are logged into the site, it can do anything in your name. For example, things it can do through Facebook's API is:
- creating an event like "OMG I can see who stalked me!"
- chatting with people
- posting status updates
- etc.
This all happens by calling some of Facebooks API pages (some PHP pages, I forgot which).
Yes, even if you have received a friend request from her, you may not be able to Send her a message depending on her privacy settings.
What you can do here is accept her friend request; then place her under the list called, "Restricted" and then send her a message. Later you can remove her from your friend list.
Or, if you are sure that you do not know her (or anybody with that Nigerian Name); you can cancel her friend request.
Best Answer
According to this Facebook topic it seems like there's no way of retrieving the message that was attached to the friend request.
As a last resort, if you have the original notification email still in your inbox, the message might be there?