crypter
XSS bug lets your Facebook friends run arbitrary code
Problematic line (and the other one that does the same thing, why are there two anyways?):
```javascript
span.html("<span class='recrypt' id='"+crypt+"'>"+linkify(decrypt)+"</span>");
```
As far as I can tell this lets your friends insert arbitrary HTML into your chat window, which in turn lets them run arbitrary code. Which can then do pretty much any action on Facebook on your behalf, and of course, steal all your encryption keys.
I admit I didn't test this because I couldn't be bothered to create multiple FB accounts.
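The pattern reported above next to an escaped variant, as an added example that is not part of the original issue or the project's code. `escapeHtml`, `linkifyEscaped`, `renderUnsafe` and `renderSafe` are hypothetical names, the project's real `linkify` is not shown on the page (an identity stand-in is used), and the sample message is constructed.

```javascript
// Added example; all names here are hypothetical, not the project's own.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The reported pattern: ciphertext and decrypted text are concatenated into
// markup unescaped. linkify defaults to an identity stand-in (assumption).
function renderUnsafe(crypt, decrypt, linkify = (s) => s) {
  return "<span class='recrypt' id='" + crypt + "'>" + linkify(decrypt) + "</span>";
}

// Hardened linkify: split the plaintext into URL and non-URL pieces, escape
// every piece, and wrap only http(s) URLs in an anchor.
function linkifyEscaped(text) {
  const urlPattern = /(https?:\/\/[^\s<>"']+)/g;
  return String(text)
    .split(urlPattern) // odd indices hold the captured URLs
    .map((part, i) => {
      const safe = escapeHtml(part);
      return i % 2 === 1
        ? '<a href="' + safe + '" rel="noopener noreferrer">' + safe + "</a>"
        : safe;
    })
    .join("");
}

// Hardened render: the id attribute value is escaped as well, so a quote in
// it cannot close the attribute.
function renderSafe(crypt, decrypt) {
  return "<span class='recrypt' id='" + escapeHtml(crypt) + "'>" + linkifyEscaped(decrypt) + "</span>";
}

// Constructed sample: a decrypted chat message that carries markup.
const sampleMessage = '<u id="injected">hi</u> https://example.com/?a=1&b=2';
console.log(renderUnsafe("c1", sampleMessage)); // the <u> element survives as markup
console.log(renderSafe("c1", sampleMessage));   // the <u> element is shown as text
```

Where messages do not need clickable links, setting the decrypted text with jQuery's `.text()` instead of `.html()` avoids markup parsing entirely.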