Cross-Site Scripting Worm Hits MySpace

With the advent of social networking sites, becoming more popular is as easy as crafting a few lines of JavaScript code, it seems.

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped the word "javascript" from any profile text, and that word is needed (as in a javascript: URL) to get code to execute.

With the help of Internet Explorer's lenient parsing, Samy was able to split the word JavaScript into "java" and "script" on two lines and place the script inside a Cascading Style Sheet attribute: the filter no longer saw the keyword, but the browser joined the halves back together and executed the code.

The next step was to instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a "hero" on the visitor's own profile page. To do this without the user's knowledge, the code used XMLHttpRequest, the JavaScript object behind AJAX, or Web 2.0, applications such as Google Maps. Because the request is sent by the visitor's own browser to the site the page came from, it carries the visitor's MySpace session, so the site treats it as an action the visitor took.

Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user's profile, creating a replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
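
The steps above come down to one weakness: the filter looked for a keyword, while the browser looked for a meaning. The following is an added example, not code from the article or from Samy's worm. It models a keyword-blacklist filter of the kind the article describes, the lenient way a browser such as Internet Explorer of that era read "java" + newline + "script:", and an allow-list sanitizer that is not fooled by the split keyword. The tag and attribute allow-list, the function names and the sample payloads are my own assumptions, not MySpace's code.

```javascript
"use strict";
// Added example, not code from the article or from Samy's worm. Models a
// keyword-blacklist filter, a tolerant browser's scheme parsing, and an
// allow-list sanitizer. Allow-list and payloads are assumptions for illustration.

// 1. Naive blacklist: remove <script> elements and the bare word "javascript".
//    /javascript/ does not match "java\nscript", so the split keyword survives.
function naiveFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript/gi, "");
}

// 2. Lenient scheme parsing: a tolerant browser drops ASCII whitespace and
//    control characters before reading the scheme, so "java\nscript:" and
//    "JAVA\tSCRIPT:" both come out as "javascript". No scheme -> "".
function normalizeScheme(url) {
  const stripped = url.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(stripped);
  return m ? m[1] : "";
}

// 3. Allow-list check for URL-valued attributes: relative, http and https only.
//    The decision is made on the normalized scheme, i.e. on what the browser sees.
function isSafeUrl(url) {
  const scheme = normalizeScheme(url);
  return scheme === "" || scheme === "http" || scheme === "https";
}

// 4. Allow-list sanitizer for a small tag subset. Anything not listed is
//    removed: unknown tags (div, style, script), unknown attributes (style,
//    on*), and href/src values that fail isSafeUrl. Stray < and > are escaped.
const ALLOWED = { a: ["href"], img: ["src", "alt"], b: [], i: [], br: [] };
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function sanitize(html) {
  return html.replace(/<\/?([a-zA-Z0-9]+)([^<>]*)>|<|>/g, (tag, name, attrs) => {
    if (name === undefined) return tag === "<" ? "&lt;" : "&gt;";
    name = name.toLowerCase();
    if (!(name in ALLOWED)) return "";
    if (tag.startsWith("</")) return `</${name}>`;
    const kept = [];
    let m;
    ATTR_RE.lastIndex = 0;
    while ((m = ATTR_RE.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (!ALLOWED[name].includes(attr)) continue;
      if ((attr === "href" || attr === "src") && !isSafeUrl(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Constructed sample payload in the shape the article describes: the keyword
// split across a line break inside a CSS attribute (alert(1) stands in for code).
const PAYLOAD = "<div style=\"background:url('java\nscript:alert(1)')\">hi</div>";

function demo() {
  return {
    naiveKeepsPayload: naiveFilter(PAYLOAD) === PAYLOAD,         // true: bypassed
    browserSeesScheme: normalizeScheme("java\nscript:alert(1)"), // "javascript"
    hardened: sanitize(PAYLOAD),                                 // "hi"
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point of the example is the ordering: the safe version normalizes first and decides second, and it decides by what is allowed rather than by what is forbidden, so there is no keyword for a browser quirk to reassemble. A production sanitizer should be a real HTML parser plus a tested library rather than the regex subset shown here, which only covers well-formed tags.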

It didn't take long for friend requests to start rolling in - first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.

Samy says his intentions weren't malicious, but expressed concern that MySpace, which was purchased by News Corp. in July for $580 million, wouldn't see it that way. Company officials have not contacted him, but his account was deleted.

"My primary motivation was to make people laugh. I wanted a few friends to have my name appended to their list of heroes, including some of their own friends whom I don't know directly," Samy told BetaNews in an e-mail interview. "Me, a hero? That had to be the funniest joke people have heard in a while. Well, a lot more people heard it than I had really wanted."

Still, aside from remnant "samy is my hero" text strewn across the Internet's fifth largest Web site, the end result could end up positive.

The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm's AJAX code on his personal Web log.

"Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue," Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told BetaNews. "The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues."

"Those who do not, especially the on-line financial institutions and community Web sites, are prime targets," added Grossman. But Samy noted that MySpace isn't the only party to blame for the vulnerability, stating that browser makers also need to do a better job with security.

"MySpace has always properly filtered out valid JavaScript indications," Samy said, "however it was due to browser leniencies that allowed me to still get JavaScript to execute."

52 Responses to Cross-Site Scripting Worm Hits MySpace

  1. bourgeoisdude says:

    Wow... quite interesting. Still, a scripting worm is a worm, and "Samy" could still get in serious trouble...

    • itanshi says:

      This is so genius! Dang, I so want to laugh louder, but everyone at school walking by would stare at me funny x_X hehe, more than usual anyway.

      Wasn't there an article citing errors to be exploited as the fault of the programmer? Hmm, I might be off base, but there is something to be said here.

    • xyzcb1 says:

      So "Samy" is wrong for pointing out these security vulnerabilities in a harmless way? I guess it's better to let someone else hack your bank account.

      • bourgeoisdude says:

        I just meant he might be in big _legal_ trouble for it -- that's fact, not opinion. Should he get in trouble for it? That is the question.

  2. sophist_dreams says:

    Another reason to use Firefox as your primary browser.

  3. wincement says:

    That is absolutely genius. I wish I'd thought of it. It's a harmless worm. That's the best kind.

    • Paradise-FH- says:

      Tell that to the folks who had to work odd hours to clean it up.

      • wincement says:

        Ok. So it was *almost* harmless.

      • Raguleader says:

        You might say it was... Mostly Harmless?

      • bukaroo12 says:

        It could even be viewed as a beneficial worm in that it opened up a lot of eyes to the problem so that it can now be fixed. I'd rather have Samy point out this security hole than a more malicious person.

      • nightops says:

        EXACTLY! I'd take 10 of such worms instead of 1 malicious worm with the same capabilities. It is a pain in the butt, but not nearly as bad as having to restore from backups and tighten security... At least now they have a 'heads-up' that it can be done... This could have been TONS worse than it was... Count yourselves lucky.

      • wincement says:

        Absolutely.

  5. genu says:

    Why does the browser matter?... For all I'm concerned, an attacker can make their own browser, can't they? OFF topic: I made a site, and reading this makes me worried that it's gonna get hacked... so if anybody wants to help me out, that would be nice.

    • wincement says:

      Just a guess here: your site probably isn't the kind that could be exploited by XSS.

      • Maxwolf says:

        A little mean, but who would hack your site?

      • wincement says:

        That's kinda what I was saying, but I was trying to be a little bit nicer.

      • SheeEttin says:

        Most hacking is done robotically, as in the above worm. It doesn't care whether you're Microsoft or some guy out in the Ozarks with a 14 MB hard drive. It'll try and hack you.

      • wincement says:

        ummm... yeah, but you have to have a system in place to be hacked in the first place. A simple HTML page with pictures and music playing in the background will not fall victim to XSS. The site actually has to DO something in order for an XSS exploit to even be possible.

    • HaydnF says:

      I've never visited the site, but the article says MySpace blocks the word JavaScript so that you can't slap in some code.
      I'm assuming that 'Samy' used (for example) "

      • HaydnF says:

        Blech, now BetaNews can't parse my post properly and I can't edit it to say what it's meant to. Here's a reply with what I meant to say (guess I'll have to avoid any tags in case it fucks up again).

        MySpace blocks JavaScript and script tags so that you can't slap in some bad code.
        Samy used a CSS tag, then instead of using CSS stuff, simply put in half the JavaScript tag on one line, and the other half on the next line.
        This should not be parsed as JavaScript code, it should be parsed as invalid CSS code, but since IE likes broken code, it will go ahead and execute it anyway.
        So any users who are on IE will be affected by this. It's not really a bug in MySpace, more like a bug in IE which can be exploited on MySpace.

    • bukaroo12 says:

      A hacker could make his own browser, but he'll be the only one using it, not the millions of other users that became Samy's friend. In this case, a custom browser wouldn't do the trick.

  6. CharlesRovira says:

    Part of the problem is that we are using the 'net as a plain wire. The respective web pages and sites are responsible for maintaining security on what can only ever be platforms with imperfect knowledge.

    The internet (and intranets for maintaining secure databases) should also keep the connections (instances of the various relationships) between objects.

    This would enable DNS servers to immediately reject any and all connections that it is NOT supposed to keep.

  7. Z_Man says:

    LOL! I hate MySpace anyways....

  8. TheRecklessWanderer says:

    I have never even heard of myspace.

    • bounty1990 says:

      I'm glad I have a web host that is nice enough to not allow anyone but me to insert anything into HTML files. It's called secure FTP access. My friend can't even get a file off my site because it tells him access is denied.

      • wincement says:

        Actually, you can do that with any server by setting the file permissions. It doesn't matter what protocol you use. If public access is set to 0, no one can see it in the web.

  9. Adrian79 says:

    MySpace rules... helps me find a few girls (over 18) down the block, meet up with them... the girls on the site are local and they all think with their vaginas :-)

  10. djcronos says:

    So does anyone have a link to the script he used? Or does anyone want to mail it to pm_987 at yahoo dot com?

    :)

  11. beerco says:

    This vulnerability was reported and patched on beerco's sitespaces.net

    If anybody finds that it hasn't been sufficiently patched, please contact "tux" the linux penguin on the site and file a bug report.

  12. crashoverride says:

    Well, at least it was someone with a moronic sense of humor instead of some jerk trying to steal someone's info.

  13. informmeus says:

    MySpace is used by my 15-year-old daughter several hours a day. It is a blog or diary site with the added bonus of e-mail among other users that borders on IM or one huge chat room. This is very popular among her friends at school as it is a great workaround for getting past my IM rules for her.

  14. alljer says:

    It seems Yahoo is vulnerable to a similar XSS attack on its My Yahoo website. I wonder how long it will be before someone writes a clever worm to exploit this vulnerability? http://www.alljer.com/yahoorssxss.htm has the full details

  15. bbarnett says:

    What a fucking creep, we spend all our time making sure things are running properly and some jerk
    just fucks it up.

    He should be drawn and quartered.

  16. I'm glad I read this article... this happened to me... he was entered into my heroes section as well, messing up my entire page, aka missing photos and such. Didn't make me very happy, but whatever, it's only MySpace I guess... people are just weird =)

    Sorry to anyone else who experienced this immature act!!

    **Jenn

  17. altino says:

    Another reason. Incomplete by now :) but ...

    #!/usr/bin/perl
    # moral.pl
    use strict;
    use warnings;

    use LWP::UserAgent;
    use HTTP::Cookies;
    use HTML::TokeParser;

    my $browser  = LWP::UserAgent->new;
    my $username = '[email protected]';
    my $pass     = 'xpto';

    # enable cookies, saved to a file so the session survives between runs
    $browser->cookie_jar( HTTP::Cookies->new(
        'file'     => '/tmp/perl.myspace1.cookies',   # cookie file
        'autosave' => 1,
    ) );

    # headers sent with the requests, to look like a browser
    my @header = (
        'User-Agent'      => 'Bruno Carreira browser bot',
        'Accept'          => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
        'Accept-Charset'  => 'iso-8859-1,*,utf-8',
        'Accept-Language' => 'en-US',
    );

    # follow redirects after a POST as well as after a GET
    push @{ $browser->requests_redirectable }, 'POST';

    # die unless the response succeeded and is HTML
    sub check_html {
        my ($response, $url) = @_;
        die "Error: could not fetch URL: $url -- ", $response->status_line
            unless $response->is_success;
        die "Error: expected HTML, not ", $response->content_type
            unless $response->content_type eq 'text/html';
    }

    print "Start by authenticating the user\n";
    my $url = 'http://viewmorepics.myspace.com:80/index.cfm?fuseaction=login.process';
    my $response = $browser->post( $url, [ email => $username, password => $pass ] );
    check_html( $response, $url );

    print "Search the site for women\n";
    $url = 'http://browseusers.myspace.com:80/Browse/Browse.aspx?z=1';
    $response = $browser->post( $url, [
        Gender         => 'genderWomen',
        minAge         => '18',
        maxAge         => '35',
        statusSingle   => '1',
        statusMarried  => '0',
        statusDivorced => '1',
        statusSwingers => '1',
        country        => 'SW',
    ] );
    check_html( $response, $url );

    print "Start adding the results to my contacts ...\n";
    snif($response);

    # walk one page of browse results: open each profile link, send a friend
    # request for it, then follow the "Next" link and recurse into the next page
    sub snif {
        my ($page) = @_;
        my $p   = HTML::TokeParser->new( \$page->content );
        my $aux = 0;
        while ( my $token = $p->get_tag("a") ) {
            my $href = $token->[1]{href} || "-";
            my $text = $p->get_trimmed_text("/a");

            if ( $text =~ /IMG/ ) {
                my $profile = $browser->get( $href, @header );
                check_html( $profile, $href );

                # the profile link carries the friendID and a Mytoken parameter
                my ($userid) = $href =~ /friendID=(\d+)&Mytoken/;
                next unless defined $userid;

                my $check_url = 'http://www.myspace.com:80/index.cfm?fuseaction=invite.addfriend_check&friendID=' . $userid;
                my $check = $browser->get( $check_url, @header );
                check_html( $check, $check_url );

                # the regex that pulled hashcode out of this page was lost when the
                # post was mangled; assumption: it is a hidden form field named hashcode
                my ($hashcode) = $check->content =~ /name="hashcode"\s+value="([^"]*)"/i;
                die "Error: no hashcode found for friendID $userid" unless defined $hashcode;

                my $url4 = 'http://www.myspace.com:80/index.cfm?';
                my $add = $browser->post( $url4, [ hashcode => $hashcode, friendID => $userid ] );
                check_html( $add, $url4 );
                # sleep 2;
            }

            # assumption from the original $aux logic: skip the first "Next" link on
            # the page and follow the second one
            if ( $text =~ /Next/ && $aux == 1 ) {
                my ($pageno) = $href =~ /(\d+)/;
                my $next = $browser->post( "http://browseusers.myspace.com:80/Browse/Browse.aspx",
                    [ page => $pageno ] );
                check_html( $next, $href );
                snif($next);
                $aux = 0;
            }
            elsif ( $text =~ /Next/ && $aux == 0 ) {
                $aux++;
            }
        }
    }

    This is old, like I said at the beginning. :) but...

    I just want to leave a question.

    Is this simulation of mouse clicks also a hack??? :)

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.