Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Worm Floods MySpace

Posted by Zonk on from the why-would-you-want-to-do-anything-on-myspace dept.

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

9 of 321 comments (clear)

  1. XSS? by mindstrm · · Score: 5, Informative

    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

    1. Re:XSS? by Skye16 · · Score: 5, Informative

      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

    2. Re:XSS? by Haydn+Fenton · · Score: 4, Informative

      No, you can't upload Javascript to MySpace. That's the whole point.
      From what I gather, you can upload CSS tags and other non-harmful tags. However, 'Samy' managed to find out that instead of writing valid CSS code inside the CSS tag, you can simply write a Script tag (so long as you split it over two lines) and upload it that way.
      This in itself shouldn't be a problem; since the code is inside a CSS tag it should be parsed as invalid CSS code, and so there's no reason for MySpace to have blocked it.
      This is where IE comes into it, if you are using IE, IE will parse it as a valid Javascript tag anyway, and execute the code.

      This isn't really a bug in MySpace (well, technically it is now), it's more like a bug in IE which can be exploited on MySpace, or any other site which allows similar tags in which code can be 'hidden'.

  2. More info... by TheSync · · Score: 5, Informative

    Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

  3. Here's the Guys Explanation of his code by putko · · Score: 5, Informative

    Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
  4. samy is my hero by gr8n10zt · · Score: 5, Informative

    The scoop from himself: http://fast.info/myspace/

  5. samy is my hero by zippity8 · · Score: 4, Informative

    Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.

    Samy's info on the topic (coral)
    His explanation of how it works

  6. XSS basics by flanker · · Score: 4, Informative

    Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

    The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

    In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.

    --
    Left shift 1 for e-mail...
  7. LiveJournal Took up the Responsibility by BobPaul · · Score: 4, Informative

    LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split on mutiple lines hasn't been known about for quite some time.

    I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.