Cross-Site Scripting Worm Floods MySpace

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

Aww...

Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

Re:Aww...

[mikael]

I bet he doesn't have over 1 million friends now.

Go Samy!

[jeek]

Go Samy! We're rooting for you over at EFnet #olsentwins!@

Back in my day

[Dachannien]

And to think that, back in the day, people made friends by actually talking to other people.

Re:Back in my day

[FlopEJoe]

Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

Awsome

[AForwardMotion]

He'll probably get a lot of job offers from this.

Re:XSS?

[ArsenneLupin]

If slashdot allowed executable javascript in the comments, we'd have the same problem.

Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

With a name like MySpace...

[Eric+Giguere]

... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.

Eric
William Shatner boldly goes like no man has before

And the phrase for self-replicating viruses was...

[benhocking]

And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

Don't you hate when you forget stuff?

[UserGoogol]

Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.

FUCK! I knew I forgot to do something. I forgot to set the evil bit!

Re:Here's the Guys Explanation of his code

[Kristoffer+Lunden]

What's so wrong with joking with the North American Marlon Brando Look Alikes? I think they can take it. =)

Obligatory...

[kukickface]

All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!

Re:Day late, dollar short.

[the_wesman]

cause myspace went down

Unpatched security holes?

[phlegmofdiscontent]

Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????

No irony was intended

[benhocking]

No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.

Re:No irony was intended

[JasonKChapman]

I think I'm gonna blame quantum tunneling.

Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.

Re:No irony was intended

[CreatureComfort]

Heisenberg? Wouldn't that be Schrodinger?

Heisenburg just says that you can never really be sure where the keys actually are, or your fingers for that matter.

Re:No irony was intended

[blincoln]

I've been trying to slowly re-educate the local population.

I have Schroedinger's wavefunction equation tattooed on my arm, and every time someone asks about it, I explain about the cat and the two-slit experiment. It would probably be more effective if I printed out pamphlets, because there isn't enough time to even explain the cat properly if a grocery-store clerk asks.

Re:XSS?

[ColaMan]

you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter... ...... greatly improving their content.

Re:That's Irrevellant

[MikeFM]

The point is that there is no way to know every possible loophole because IE is extremely buggy and nobody outside of M$ can look at the source to figure out all possible problems. Most likely the problem is so big that even with the source you couldn't figure out all the possible exploits in the time it'd take you to just write a better browser.

How else could they block Javascript without eliminating the ability to post bits of code or psuedo-code for artistic or informational reasons? Even then it could probably be snuck in given that code doesn't really have any secret give away footprint that makes it possible to filter out.

About the only way to protect against such a problem is to block any browser from using the site that is to forgiving of bad web code. I'd imagine most other sites that let users post stuff others can read can be infected in a similar way.

I just hope the poor guy that wrote this code doesn't get in trouble. It doesn't sound as if he really knew how fast it'd grow and it was a much needed wakeup call to MySpace and the industry as a whole.

What we really need is for every major website to agree to a blanket anti-IE policy until IE is fixed, with like treatment for any other browser of similar shady quality (none that I can think of), where starting on a certain day all those sites redirect IE users to a site that'll help them download and install their choice of better browser. Firefox, Safari, Opera, or whatever (Lynx anyone?). Get the top ten websites to do that, with an explanation as to why, and you could change a high enough percentage of users over to make a permanent change. Hell, use those browser holes to make installing an alternate browser easy. Once directed to the site explaining the situation have the page offer the choice of available browsers each with an 'Install Now' button next to it. As soon as the user clicks the button install the new browser as the default browser and remove all shortcuts to IE. No need to figure out how to download and install anything after that one click.

Re:Here's the Guys Explanation of his code

[Hosiah]

Yeah, right.

LOL No kidding! "Here's the home page of the guy famous for writing viral web code that infects your browswer, wanna go see it?" Golly, sounds like a swell idea, what's the worst that could happen?

Look on the bright side!

[JonTurner]

>>I bet he doesn't have over 1 million friends now.

No kidding. But look on the bright side -- he has dramatically increased his chances of having at least one *very* close, long-term friend. Bubba, meet your new cellmail, "Samy."

Re:That's Irrevellant

[SatanicPuppy]

Seems like he could have used the same bug to make "Javascript" into:
j-a-v-a-s-c-r-i-p-t, with each character on a new line. It'd be pretty hard for a filter to catch something like that, though I suppose they could strip out newlines and whitespace as well and just look for character sequences.

What a pain in the butt though. Seems like M$ could just produce a browser that doesn't go out of its way to screw itself.

Re:And the phrase for self-replicating viruses was

[Em7add11]

And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

At my school, I think it was called "herpes".

My Hero

[Xytheril]

I can see it now that this sounds like the plot for a Sci Fi movie. Guy inserts code into Myspace. Myspace then becomes conscious and starts rampaging across the internet, trying to get people to be its friends. If they don't, it bombards them with pictures of slashed wrists. Then some B movie actors like Gary Busey and John Rhys Davies have to "go into the internet" using some kind of virtual reality rig and kill Myspace. I've already pitched the idea. It'll be debuting next year.