Slashdot Mirror
Cross-Site Scripting Worm Floods MySpace
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
Is it really XSS if it's all happening at the same site? Just sayin.....
XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.
Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.
Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.
I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.
./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?
So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other
May the threads progress competently.
Go Samy! We're rooting for you over at EFnet #olsentwins!@
If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.
Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.
And to think that, back in the day, people made friends by actually talking to other people.
He'll probably get a lot of job offers from this.
These '/. is slow and stupid' kind of posts just need to stop. But I listen to 4 different tech podcasts and hadn't heard about this yet. Think about the people who check /. for news while they're at work and most likely away from iTunes and their bookmarks, and (god-forbid) without a readily accessible aggregator. Realize this site for what it is: for the majority of it, other techies posting news they've heard about to a community they might think will care to hear it. This isn't "news as it happens updated every second" so stop treating it like it is.
Perfecting Discordia
www.stevenvansickle.com
In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., <l\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.
This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.
Ben Hocking
Need a professional organizer?
Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.
And here is his version of the story.
He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.
Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.
http://www.thebricktestament.com/the_law/when_to_
... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.
EricWilliam Shatner boldly goes like no man has before
The scoop from himself: http://fast.info/myspace/
This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly innappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)
Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.
Samy's info on the topic (coral)
His explanation of how it works
And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.
Ben Hocking
Need a professional organizer?
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
If /. sucks so much, why are you still here?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.
The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.
In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.
Left shift 1 for e-mail...
All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!
They don't have javascript enabled. As far as I can tell, he just used IE's magical ability to run broken code so that the browser would be able to piece together the mess he used, but Myspace wouldnt be able to tell it was javascript.
The Braying and Neighing of Barnyard Animals Follows.
Here is a link to the blog entry the article mentions that contains the code of the worm. (From Evan Martin of Google)
cause myspace went down
calling all destroyers
Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????
Not just that. I don't know about others, but I read slashdot primarily for discussions, not raw news. There is a lot of places to flood you with news, but much less where you can actually read coherent discussions on the subject. Yes, slashdot's moderation system is far from ideal, but there actually _are_ insightful and interesting comments to read, not just "OMG LOL" babble.
My proposed "quick and dirty" solution is this.
..... Don't say you weren't warned.");
<script type="text/javascript">
for (i = 0; i < 1000; ++i) {
alert("Disable JavaScript for this site!");
};
alert("OK
</script>
Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.
* There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times. Their computer probably is infected with several viruses already, though.
Je fume. Tu fumes. Nous fûmes!
No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.
Ben Hocking
Need a professional organizer?
1. Embedded music videos. Anyone have a host list of the music video providers? I'd like to resolve them to 127.0.0.1
2. Bogus accounts. There is a huge rash of "stripper" accounts, consisting of minimal user info, that messages out to single guys to get them to email them at their yahoo accounts. They typically have 4 or 5 risque pictures, making everyone think all women are whores. Bad bad bad.
3. Myspace needs a "safe mode" where the excessively bad(bells and whistles) profiles that sodomize any web browser can be avoided.
4. Why does clicking to one of your groups have to open in a new window? WHY? The top-bar navigation makes that un-neccessary.
But still, myspace is better than orkut. People actually use myspace.
That's not the right attitude. The problem lies with web browsers that accept non-standard code.
Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect.
The first type is easy to filter out, because you can go to the spec and see how things are meant to be interpreted, and from that determine what should be filtered out. The other type, though, is much harder to filter out, as you also need to be aware of all the little quirks and foibles of all browsers likely to be used to access your web application - something that isn't written down anywhere most of the time.
For example, you might have written code that strips out HTML tags. That's fine, except some versions of Netscape Navigator 4.x treat entirely different Unicode characters as if they were < and >. As a web developer, you have no way of knowing about this unless you are privy to some of the most obscure browser trivia in the world, so unless you take a default deny policy and outlaw any non-ASCII characters (goodbye international visitors), you are likely to write code that is vulnerable to this attack - for Netscape 4 users.
Now multiply that problem by all browsers in use today, and all the little quirks and deviations from spec. that they have, and you'll start to get an idea of why it's not feasible for web developers to be responsible for this problem, and why the responsibility lies at the browser developers' feet.
Bogtha Bogtha Bogtha
What would encryping anything have accomplished, exactly? The problem isn't that someone intercepted a legitimate transfer in the middle and modified it to be evil. The problem is that one end of the legitimate transfer was compromised, and the other end of the legitimate transfer was too trusting of the input from the compromised end, and then happily passed along that input (perfectly legitimately) to other parties who were then compromised themselves.
Help poke pirates in the eyepatch, arr.
The point is that there is no way to know every possible loophole because IE is extremely buggy and nobody outside of M$ can look at the source to figure out all possible problems. Most likely the problem is so big that even with the source you couldn't figure out all the possible exploits in the time it'd take you to just write a better browser.
How else could they block Javascript without eliminating the ability to post bits of code or psuedo-code for artistic or informational reasons? Even then it could probably be snuck in given that code doesn't really have any secret give away footprint that makes it possible to filter out.
About the only way to protect against such a problem is to block any browser from using the site that is to forgiving of bad web code. I'd imagine most other sites that let users post stuff others can read can be infected in a similar way.
I just hope the poor guy that wrote this code doesn't get in trouble. It doesn't sound as if he really knew how fast it'd grow and it was a much needed wakeup call to MySpace and the industry as a whole.
What we really need is for every major website to agree to a blanket anti-IE policy until IE is fixed, with like treatment for any other browser of similar shady quality (none that I can think of), where starting on a certain day all those sites redirect IE users to a site that'll help them download and install their choice of better browser. Firefox, Safari, Opera, or whatever (Lynx anyone?). Get the top ten websites to do that, with an explanation as to why, and you could change a high enough percentage of users over to make a permanent change. Hell, use those browser holes to make installing an alternate browser easy. Once directed to the site explaining the situation have the page offer the choice of available browsers each with an 'Install Now' button next to it. As soon as the user clicks the button install the new browser as the default browser and remove all shortcuts to IE. No need to figure out how to download and install anything after that one click.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
By the very nature of being a news aggregator, it will never be the first place that a story appears. It will always be elsewhere on the net first, and someone will then notice it and submit it here. So ok, maybe you saw it somewhere else first. Maybe you got it from the original source. Good for you. Those who failed to happen upon the story elsewhere can still learn about it here, and even if you saw it someplace else first, you can still join in the discussion.
And because of that, I still use Netscape 3.0 Gold on GUI machines, and I telnet to port 80 on console machines...
;)
Do not look into laser with remaining eye.
Firstly it's on the same site :).
/>
Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.
Anyway, I've proposed years ago that there be HTML tags to turn off any active/dynamic stuff.
Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.
I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.
e.g.
<shieldson lock="randomstring" allowed="keyword,keyword,keyword"
disallowed material disabled
<shieldsoff lock="randomstring"/>
state restored to before lock
Where keywords:
textonly = just text
basic = basic formatting <em> <b> <i> <strong>
tables = tables
urls= plain <a href=""> no javascript etc
images= plain images, no javascript etc.
java=java
javascript=javascript.
The idea is it will be very hard for the attacker to guess the random string.
Oh well...
And now for the nit-picking minute...
If you read the technical explanation of the worm, you will see (item 8) that he had to add an extra redirection go from profile.myspace.com to www.myspace.com.
The cross-site part is not the main part of the worm. But still...
I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.
Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).
Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
About a year ago, I discovered a bug in xanga.com's software that would allow anyone to use any javascript they wanted. Xanga simply made 1 pass through to remove any tags... so all you had to do was write <script> and </script>. I created a proof of concept that would allow me to capture a user's cookies and send them to an offsite PHP script, totally transparent to the victim. You could then simply replace the victim's cookie with yours, and have total control of their account.
So I took my discovery and emailed it to their designated bug report address. 5 months later it was finally fixed. I've found other vunerabilities that would allow anyone to do the same thing, but I don't even want to bother writing a proof of concept and telling them about it. Most companies just don't see XSS as a danger until someone wreaks some havoc.
This guy used the tag to insert the javascript which slashdot also allows. Not that I'm wanting anyone to do something evil with it but I'm wondering could slashdot be susceptable to the same flaw they're reporting?
>>I bet he doesn't have over 1 million friends now.
No kidding. But look on the bright side -- he has dramatically increased his chances of having at least one *very* close, long-term friend. Bubba, meet your new cellmail, "Samy."
Seems like he could have used the same bug to make "Javascript" into:
j-a-v-a-s-c-r-i-p-t, with each character on a new line. It'd be pretty hard for a filter to catch something like that, though I suppose they could strip out newlines and whitespace as well and just look for character sequences.
What a pain in the butt though. Seems like M$ could just produce a browser that doesn't go out of its way to screw itself.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
You don't ssh to port 80 to read a web page. dolt.
[This space for rent]
And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.
At my school, I think it was called "herpes".
responsibility lies at the browser developers' feet.
Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.
The situation is an artefact left over like a minefield from the browser war in the '90's. If either Netscape or Microsoft had focused in standards-compliance they would have lost market share. It is likely that both companies were actively trying to break standards as a means of locking in users.
Now that things have settled down Microsoft is the only corporate player with an ongoing interest in locking in users, but users are still going to expect browsers to render everything, no matter how malformed. Users experience any failure to render as a browser problem, not an authoring problem. As such, it is going to be difficult to get the web as a whole to be standards-compliant.
One of the fundamental laws of human behaviour was most clearly enunciated by Han Solo: "It's not my fault! It's not my fault!" We can sit back and say that any user of IE deserves to get burned by exploits, or that anyone authoring an invalid web page deserves to not get page views, but the Darwinian market is fundamentally a mechanism for humans to shift blame for their own failures onto others, and users choose IE and users choose MySpace, so neither browser choice nor website choice will ever be accepted as the cause of user's problems.
Blasphemy is a human right. Blasphemophobia kills.
After patching to fix this problem, MySpace now becomes the most immune to these types of attacks. Their software is more resistant, their team is more educated. To mix punchlines, pioneers get the arrows, but blows that do not break the back, strengthen it.
--
make install -not war
LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split on mutiple lines hasn't been known about for quite some time.
I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.
I'd consider telnetting to any port dangerous, imagine what could happen if the server started sending terminal control sequences.
I can see it now that this sounds like the plot for a Sci Fi movie. Guy inserts code into Myspace. Myspace then becomes conscious and starts rampaging across the internet, trying to get people to be its friends. If they don't, it bombards them with pictures of slashed wrists. Then some B movie actors like Gary Busey and John Rhys Davies have to "go into the internet" using some kind of virtual reality rig and kill Myspace. I've already pitched the idea. It'll be debuting next year.
When you have to write a script to get friends...
From the horses's mouth:
http://namb.la/popular/tech.html