Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Worm Floods MySpace

Posted by Zonk on from the why-would-you-want-to-do-anything-on-myspace dept.

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

5 of 321 comments (clear)

  1. XSS? by mindstrm · · Score: 5, Informative

    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

    1. Re:XSS? by Skye16 · · Score: 5, Informative

      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

  2. More info... by TheSync · · Score: 5, Informative

    Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

  3. Here's the Guys Explanation of his code by putko · · Score: 5, Informative

    Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
  4. samy is my hero by gr8n10zt · · Score: 5, Informative

    The scoop from himself: http://fast.info/myspace/