Cross-Site Scripting Worm Hits MySpace
One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.
How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.
Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user's profile, creating a replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
It didn't take long for friend requests to start rolling in - first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.
Samy says his intentions weren't malicious, but expressed concern that MySpace, which was purchased by News Corp. in July for $580 million, wouldn't see it that way. Company officials have not contacted him, but his account was deleted.
"My primary motivation was to make people laugh. I wanted a few friends to have my name appended to their list of heroes, including some of their own friends whom I don't know directly," Samy told BetaNews in an e-mail interview. "Me, a hero? That had to be the funniest joke people have heard in a while. Well, a lot more people heard it than I had really wanted."
Still, aside from remnant "samy is my hero" text strewn across the Internet's fifth largest Web site, the end result could end up positive.
The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm's AJAX code on his personal Web log.
"Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue," Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told BetaNews. "The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues."
"Those who do not, especially the on-line financial institutions and community Web sites, are prime targets," added Grossman. But Samy noted that MySpace isn't the only party to blame for the vulnerability, stating that browser makers also need to do a better job with security.