"While I was testing this, I noticed that the javascript: command in browser's address bar works only in Mozilla Firefox and Google Chrome (you can easily test this by writing javascript:alert("test") into the address bar), so the attack didn't work for Internet Explorer users (is that a first
. (it wasn't 
UPDATE: Thanks to all readers who sent an e-mail and those that posted the comments below - Giorgio was right, I tested it in a blank tab in IE and it works without any problems on a page. Now that I think about this attack, it makes it even scarier since the web page had about 100.000+ fans before it got shut down by Facebook!"
Who needs exploits when you have social engineering?
http://isc.sans.org/diary.html?storyid=8710
Updated quote: Internet Explorer executes the javascript when not on a blank tab.
