Slashdot Mirror


Cross-Site Scripting Worm Floods MySpace

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHttpRequest, a JavaScript object used in AJAX Web applications, and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

17 of 321 comments

  1. Aww... by Anonymous Coward · · Score: 5, Funny

    Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

    1. Re:Aww... by mikael · · Score: 5, Funny

      I bet he doesn't have over 1 million friends now.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  2. Go Samy! by jeek · · Score: 4, Funny

    Go Samy! We're rooting for you over at EFnet #olsentwins!@

    --
    If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
  3. Back in my day by Dachannien · · Score: 4, Funny

    And to think that, back in the day, people made friends by actually talking to other people.

    1. Re:Back in my day by FlopEJoe · · Score: 5, Funny

      Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

  4. Awesome by AForwardMotion · · Score: 5, Funny

    He'll probably get a lot of job offers from this.

  5. Re:XSS? by ArsenneLupin · · Score: 5, Funny
    If slashdot allowed executable javascript in the comments, we'd have the same problem.

    Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

  6. With a name like MySpace... by Eric+Giguere · · Score: 4, Funny

    ... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.

    Eric
    William Shatner boldly goes like no man has before
  7. And the phrase for self-replicating viruses was... by benhocking · · Score: 5, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    --
    Ben Hocking
    Need a professional organizer?
  8. Don't you hate when you forget stuff? by UserGoogol · · Score: 4, Funny
    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
    FUCK! I knew I forgot to do something. I forgot to set the evil bit!
    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  9. Re:Here's the Guys Explanation of his code by Kristoffer+Lunden · · Score: 4, Funny

    What's so wrong with joking with the North American Marlon Brando Look Alikes? I think they can take it. =)

  10. No irony was intended by benhocking · · Score: 4, Funny

    No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:No irony was intended by JasonKChapman · · Score: 5, Funny
      I think I'm gonna blame quantum tunneling.

      Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.

      --
      Sorry, I'm a writer. That makes you raw material.
    2. Re:No irony was intended by CreatureComfort · · Score: 5, Funny


      Heisenberg? Wouldn't that be Schrodinger?

      Heisenberg just says that you can never really be sure where the keys actually are, or your fingers for that matter.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    3. Re:No irony was intended by blincoln · · Score: 4, Funny

      I've been trying to slowly re-educate the local population.

      I have Schroedinger's wavefunction equation tattooed on my arm, and every time someone asks about it, I explain about the cat and the two-slit experiment. It would probably be more effective if I printed out pamphlets, because there isn't enough time to even explain the cat properly if a grocery-store clerk asks.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  11. Re:XSS? by ColaMan · · Score: 5, Funny

    you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter...

    ...... greatly improving their content.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  12. Re:Here's the Guys Explanation of his code by Hosiah · · Score: 4, Funny
    Yeah, right.

    LOL No kidding! "Here's the home page of the guy famous for writing viral web code that infects your browser, wanna go see it?" Golly, sounds like a swell idea, what's the worst that could happen?