Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Worm Floods MySpace

Posted by Zonk on from the why-would-you-want-to-do-anything-on-myspace dept.

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

47 of 321 comments (clear)

  1. XSS? by mindstrm · · Score: 5, Informative

    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

    1. Re:XSS? by Skye16 · · Score: 5, Informative

      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

    2. Re:XSS? by ArsenneLupin · · Score: 5, Funny
      If slashdot allowed executable javascript in the comments, we'd have the same problem.

      Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

    3. Re:XSS? by ColaMan · · Score: 5, Funny

      you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter... ...... greatly improving their content.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    4. Re:XSS? by Haydn+Fenton · · Score: 4, Informative

      No, you can't upload Javascript to MySpace. That's the whole point.
      From what I gather, you can upload CSS tags and other non-harmful tags. However, 'Samy' managed to find out that instead of writing valid CSS code inside the CSS tag, you can simply write a Script tag (so long as you split it over two lines) and upload it that way.
      This in itself shouldn't be a problem; since the code is inside a CSS tag it should be parsed as invalid CSS code, and so there's no reason for MySpace to have blocked it.
      This is where IE comes into it, if you are using IE, IE will parse it as a valid Javascript tag anyway, and execute the code.

      This isn't really a bug in MySpace (well, technically it is now), it's more like a bug in IE which can be exploited on MySpace, or any other site which allows similar tags in which code can be 'hidden'.

  2. AJAX vuns by bloodredsun · · Score: 3, Insightful

    Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.

  3. Aww... by Anonymous Coward · · Score: 5, Funny

    Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

    1. Re:Aww... by mikael · · Score: 5, Funny

      I bet he doesn't have over 1 million friends now.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Aww... by maxwell+demon · · Score: 4, Insightful

      Well, having over 1 million foes is also an achievement ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. I find this amusing... by Coocha · · Score: 4, Interesting

    I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

    So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other ./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?

    --
    May the threads progress competently.
    1. Re:I find this amusing... by lav-chan · · Score: 3, Interesting

      I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

      Yeah, well, you're gonna expect that anywhere i guess. LiveJournal, Xanga, MySpace, BlogSpot, where-ever. I personally think MySpace does the best job of 'bringing it all together', though (blogs, message boards, friends, profiles, it's all so interconnected).

      That said, MySpace is probably one of the worst-written sites of all time. Tom seems like a swell guy (i've talked to him a few times), but he and/or his team couldn't design a site if their lives depended on it. I mean that in terms of both the HTML and the 'server-side' stuff. They're constantly doing maintenance (which hardly ever seems to fix anything); they do completely random text-filtering (like you can't say '% of', the system will strip it out); the time zones are always wrong; you have to post blogs twice sometimes in order to get the auto-formatting to work; their HTML/CSS is terrible (most of their ids and classes have illegal names); the blog's design editor is retarded because the default style sheet is set to override your custom style sheet (so i'm not sure what the point is of even having the option); and so on.

      Tom says he's working on a 'CSS-friendly' version of MySpace, and it seems like that's the case because suddenly there's a bunch of unused stuff if you look at the style sheet, but i have doubts that it's actually going to be much better. ... Or if it's even going to be 'CSS-friendly'.

      :shrug:

    2. Re:I find this amusing... by MrRogers2 · · Score: 3, Informative
      According to this article, XSS is a bit of a misnomer:
      The term cross site scripting is not a very accurate description of this class of vulnerability. In the words of XSS pioneer Marc Slemko:
      This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.
      Check out the full article for a good description of the types of XSS exploits.
      --
      MrRogers(2)
  5. Go Samy! by jeek · · Score: 4, Funny

    Go Samy! We're rooting for you over at EFnet #olsentwins!@

    --
    If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
  6. More info... by TheSync · · Score: 5, Informative

    Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

    1. Re:More info... by Jerf · · Score: 5, Insightful
      And it gets through because stupid programmers persist in making two mistakes:
      1. Defining "badness" instead of "goodness"
      2. Trying to "clean up" invalid code
      The first one means that you try to list all of the ways that the input can be bad. The Universe is evil and it hates you. You can't list all the funky things that it can do to you. Instead, list the good things and carefully verify that the input is good.

      For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it." Write a rule that says "Passwords may contain only letters, numbers, and underscores." In the first case, especially in the brave new world of Unicode, you'll never enumerate all the bad things that can happen.

      The second mistake is that once you've decided that input is bad, do not try to clean it up. The process of cleaning it up may itself make it invalid in the case of something like HTML. Just reject it with a good error message and let the user take care of it.

      If that is absolutely impossible, preferably on the lines of "you'll be fired if you don't clean it up", then at the very least, you must continue to recursively run the cleanup code until the input converges (is unchanged by the cleanup code).

      It's not that it's absolutely impossible to get it right if you don't follow these rules, it's just that it's really freakin' hard. Slashdot, for instance, does seem to manage, but it took them a few iterations and ultimately, it's a low-priority site even if it does get hacked a little. Is your program that unimportant?

      It's way, way easier to define legit HTML (specific tags, no attributes usually though it's easy to let a few specific ones through, even with a handful of specific values) than it is to create a function to take any arbitrary string and make "safe" HTML out of it.
    2. Re:More info... by Jerf · · Score: 3, Insightful

      We're talking about free-form content.

      No, we're not. We're talking about HTML, or things that end up as HTML. (For instance, Wiki formatting, UBB formatting, etc.) It's not English text that spread like a virus, it's code.

      If you can't figure out how to write something that identifies good HTML, then you absolutely, positively should not be writing code for the web. If you think HTML is "free-form content", you're part of the problem.

      The "badness" you are trying to prevent is distinguishable from the "goodness" only by the patterns that it occurs in.

      No shit. You are aware that there are decades of work in computer science on the topic? And that the relevant work is all nicely packaged up as libraries that don't even require to really understand said decades of work?

      All you have to do is hook up an HTML parser, and reject the content the instant you see anything bad; tags not in the approved list, attributes not in the approved list, etc. For extra bonus points to defend against a bad parser you might consider re-outputting the HTML from the parse tree via your own code that can be guaranteed to only produce safe, code-free HTML by construction, but that's generally unnecessary because for someone who actually knows what they're doing an HTML parser is not that hard, and the crappy/buggy ones generally stay very safely un-famous. (An HTML parser that gracefully handles the shitty HTML on the web today is quite a different story, but that doesn't apply here; you shouldn't be using such a thing for verification.)

      If you truly find this hard, you need to either grow your skills until it isn't, stop programming for the web, or batten down the hatches and prepare for the day when something crappy like this happens to your site. The same extends to anytime user input may be interpreted as code that affects anyone else, too. I'm not the one presenting you with these choices; I'm just explaining the situation. It's just that this is how it works, in the real world. "But it's hard!" doesn't change anything.

  7. Back in my day by Dachannien · · Score: 4, Funny

    And to think that, back in the day, people made friends by actually talking to other people.

    1. Re:Back in my day by FlopEJoe · · Score: 5, Funny

      Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

  8. Awsome by AForwardMotion · · Score: 5, Funny

    He'll probably get a lot of job offers from this.

  9. Re:Day late, dollar short. by Iriel · · Score: 4, Insightful

    These '/. is slow and stupid' kind of posts just need to stop. But I listen to 4 different tech podcasts and hadn't heard about this yet. Think about the people who check /. for news while they're at work and most likely away from iTunes and their bookmarks, and (god-forbid) without a readily accessible aggregator. Realize this site for what it is: for the majority of it, other techies posting news they've heard about to a community they might think will care to hear it. This isn't "news as it happens updated every second" so stop treating it like it is.

    --
    Perfecting Discordia
    www.stevenvansickle.com
  10. IE is too forgiving by benhocking · · Score: 4, Insightful

    In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.

    This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:IE is too forgiving by Kawahee · · Score: 4, Insightful
      This exploit isn't limited to IE, Safari also has this problem. And I'd probably attribute it to 'logical' coding
      pseudo-c code:

      if (tagname == "style" && tagtype == "text/css") {
      process_stylesheet (taginfo);
      } else if (tagname == "style") {
      switch (tagtype) {
      case "text/javascript":
      process_js (taginfo);
      break;
      }
      }


      But hopefully something less obvious that doesn't scream security flaw.
      --
      I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
  11. Here's the Guys Explanation of his code by putko · · Score: 5, Informative

    Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
    1. Re:Here's the Guys Explanation of his code by Kristoffer+Lunden · · Score: 4, Funny

      What's so wrong with joking with the North American Marlon Brando Look Alikes? I think they can take it. =)

      --
      Spine World
    2. Re:Here's the Guys Explanation of his code by Hosiah · · Score: 4, Funny
      Yeah, right.

      LOL No kidding! "Here's the home page of the guy famous for writing viral web code that infects your browswer, wanna go see it?" Golly, sounds like a swell idea, what's the worst that could happen?

  12. With a name like MySpace... by Eric+Giguere · · Score: 4, Funny

    ... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.

    Eric
    William Shatner boldly goes like no man has before
  13. samy is my hero by gr8n10zt · · Score: 5, Informative

    The scoop from himself: http://fast.info/myspace/

  14. In the beginning by Dogsbody_D · · Score: 3, Insightful

    This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly innappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)

  15. samy is my hero by zippity8 · · Score: 4, Informative

    Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.

    Samy's info on the topic (coral)
    His explanation of how it works

  16. And the phrase for self-replicating viruses was... by benhocking · · Score: 5, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    --
    Ben Hocking
    Need a professional organizer?
  17. Don't you hate when you forget stuff? by UserGoogol · · Score: 4, Funny
    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
    FUCK! I knew I forgot to do something. I forgot to set the evil bit!
    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  18. Re:Day late, dollar short. by mwvdlee · · Score: 3, Insightful

    If /. sucks so much, why are you still here?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  19. XSS basics by flanker · · Score: 4, Informative

    Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

    The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

    In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.

    --
    Left shift 1 for e-mail...
  20. Obligatory... by kukickface · · Score: 3, Funny

    All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!

  21. Re:Well, people have been saying it's a security r by -kertrats- · · Score: 4, Insightful

    They don't have javascript enabled. As far as I can tell, he just used IE's magical ability to run broken code so that the browser would be able to piece together the mess he used, but Myspace wouldnt be able to tell it was javascript.

    --
    The Braying and Neighing of Barnyard Animals Follows.
  22. No irony was intended by benhocking · · Score: 4, Funny

    No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.

    --
    Ben Hocking
    Need a professional organizer?
    1. Re:No irony was intended by JasonKChapman · · Score: 5, Funny
      I think I'm gonna blame quantum tunneling.

      Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.

      --
      Sorry, I'm a writer. That makes you raw material.
    2. Re:No irony was intended by CreatureComfort · · Score: 5, Funny


      Heisenberg? Wouldn't that be Schrodinger?

      Heisenburg just says that you can never really be sure where the keys actually are, or your fingers for that matter.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    3. Re:No irony was intended by blincoln · · Score: 4, Funny

      I've been trying to slowly re-educate the local population.

      I have Schroedinger's wavefunction equation tattooed on my arm, and every time someone asks about it, I explain about the cat and the two-slit experiment. It would probably be more effective if I printed out pamphlets, because there isn't enough time to even explain the cat properly if a grocery-store clerk asks.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  23. Re:That's Irrevellant by Bogtha · · Score: 3, Insightful

    I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering.

    That's not the right attitude. The problem lies with web browsers that accept non-standard code.

    Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect.

    The first type is easy to filter out, because you can go to the spec and see how things are meant to be interpreted, and from that determine what should be filtered out. The other type, though, is much harder to filter out, as you also need to be aware of all the little quirks and foibles of all browsers likely to be used to access your web application - something that isn't written down anywhere most of the time.

    For example, you might have written code that strips out HTML tags. That's fine, except some versions of Netscape Navigator 4.x treat entirely different Unicode characters as if they were < and >. As a web developer, you have no way of knowing about this unless you are privy to some of the most obscure browser trivia in the world, so unless you take a default deny policy and outlaw any non-ASCII characters (goodbye international visitors), you are likely to write code that is vulnerable to this attack - for Netscape 4 users.

    Now multiply that problem by all browsers in use today, and all the little quirks and deviations from spec. that they have, and you'll start to get an idea of why it's not feasible for web developers to be responsible for this problem, and why the responsibility lies at the browser developers' feet.

    --
    Bogtha Bogtha Bogtha
  24. Re:XMLHttpRequest by patio11 · · Score: 3, Informative

    What would encryping anything have accomplished, exactly? The problem isn't that someone intercepted a legitimate transfer in the middle and modified it to be evil. The problem is that one end of the legitimate transfer was compromised, and the other end of the legitimate transfer was too trusting of the input from the compromised end, and then happily passed along that input (perfectly legitimately) to other parties who were then compromised themselves.

    --
    Help poke pirates in the eyepatch, arr.
  25. Re:That's Irrevellant by TWX · · Score: 3, Informative

    And because of that, I still use Netscape 3.0 Gold on GUI machines, and I telnet to port 80 on console machines...

    ;)

    --
    Do not look into laser with remaining eye.
  26. Re:Quick and Dirty solution by arkanes · · Score: 5, Interesting
    This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

    while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be model to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

  27. About (2?) years ago by lupid · · Score: 5, Interesting

    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D

  28. Re:And the phrase for self-replicating viruses was by Em7add11 · · Score: 3, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    At my school, I think it was called "herpes".

  29. LiveJournal Took up the Responsibility by BobPaul · · Score: 4, Informative

    LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split on mutiple lines hasn't been known about for quite some time.

    I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.

  30. How he did it by Sheepdot · · Score: 3, Informative

    From the horses's mouth:
    http://namb.la/popular/tech.html