Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Worm Floods MySpace

Posted by Zonk on from the why-would-you-want-to-do-anything-on-myspace dept.

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

3 of 321 comments (clear)

  1. I find this amusing... by Coocha · · Score: 4, Interesting

    I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

    So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other ./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?

    --
    May the threads progress competently.
  2. Re:Quick and Dirty solution by arkanes · · Score: 5, Interesting
    This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

    while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be model to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

  3. About (2?) years ago by lupid · · Score: 5, Interesting

    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D