Facebook has acknowledged this spam attack. According to their statement, the attackers exploited a browser vulnerability that allows "Self-XSS".
Self-XSS (cross-site scripting): an attacker can execute malicious JavaScript code in your browser, which gives them access to whatever website you visit (not only Facebook).
Most of the time, the spam message asks you to copy the JavaScript and enter it in the browser's URL box in order to get something (e.g. a gift card or Facebook Stalker). Doing so executes the malicious code and results in account hacking or in spreading the spam message.
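One mitigation for the paste step described above is to strip a leading `javascript:` scheme from text before it reaches the URL box. The following is an added example, not code from Facebook or from any browser; the function names are hypothetical and the sample strings are constructed.

```javascript
// Added example: hypothetical helper names; sample strings are constructed.
const SCHEME = "javascript:";

// Return the index just past a leading "javascript:" scheme, or 0 if absent.
// Mirrors URL-parser leniency: leading control characters and spaces are
// skipped, tab/CR/LF inside the scheme are ignored, and case does not matter.
function schemeEnd(text) {
  let i = 0;
  let matched = 0;
  while (i < text.length && text.charCodeAt(i) <= 0x20) i++;
  while (i < text.length && matched < SCHEME.length) {
    const ch = text[i];
    if (ch === "\t" || ch === "\n" || ch === "\r") { i++; continue; }
    if (ch.toLowerCase() !== SCHEME[matched]) return 0;
    matched++;
    i++;
  }
  return matched === SCHEME.length ? i : 0;
}

// Strip every leading "javascript:" so a nested prefix cannot survive one pass.
function sanitizePaste(pasted) {
  let text = String(pasted);
  let removed = 0;
  for (let end = schemeEnd(text); end > 0; end = schemeEnd(text)) {
    text = text.slice(end);
    removed++;
  }
  return { text, removed };
}

// Constructed sample pastes (harmless payloads) and one ordinary URL.
const samples = [
  "javascript:alert(1)",
  " JaVaScRiPt:javascript:void(0)",
  "java\tscript:x",
  "https://www.facebook.com/",
];
for (const s of samples) {
  const { text, removed } = sanitizePaste(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(text), `(stripped ${removed})`);
}
```

A non-zero `removed` count is also a useful signal for warning the user that the pasted text was meant to run as script.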
It is unclear which browser is vulnerable. Hopefully they will fix it soon.
If you would like to know more about the Self-XSS attack, please check here:
Self-XSS, one of the Social Engineering Attacks.