you can easily get anyone's user ID from the message you send them. so far i manged to send message to myself, which obviously should be possible. however tampering with other user IDs gets me logged out and i have to login again, obvoiusly corrupts the login.
here's a msg packet with false IDs:
Code: Select all
msg_id=1314291794641%3A3767966472&client_time=1314291792962&to=100000116796666&num_tabs=1&pvs_time&msg_text=emptyZ&to_offline=false&to_idle=false&popped_out=false&post_form_id=0f204c8ad5acfabee723bc116a3ebba4&fb_dtsg=AQB5Vpsx&lsd&post_form_id_source=AsyncRequest&__user=100000028337777
this is just beginning, it might be possible to talk to the ppl who have blocked you or send messages as some1 else.
maybe in future i will check more deepling into this, this simple test was done in less than 10 mins.