Slashdot Mirror


Cross-Site Scripting Worm Floods MySpace

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHttpRequest, a JavaScript object used in AJAX Web applications, and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."

17 of 321 comments

  1. XSS? by mindstrm · · Score: 5, Informative

    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

    1. Re:XSS? by Skye16 · · Score: 5, Informative

      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

    2. Re:XSS? by ArsenneLupin · · Score: 5, Funny
      If slashdot allowed executable javascript in the comments, we'd have the same problem.

      Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

    3. Re:XSS? by ColaMan · · Score: 5, Funny

      you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter...

      ...greatly improving their content.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  2. Aww... by Anonymous Coward · · Score: 5, Funny

    Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

    1. Re:Aww... by mikael · · Score: 5, Funny

      I bet he doesn't have over 1 million friends now.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  3. More info... by TheSync · · Score: 5, Informative

    Here is a recent paper on XSS viruses. Also there is an analysis of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

    1. Re:More info... by Jerf · · Score: 5, Insightful

      And it gets through because stupid programmers persist in making two mistakes:

      1. Defining "badness" instead of "goodness"
      2. Trying to "clean up" invalid code

      The first one means that you try to list all of the ways that the input can be bad. The Universe is evil and it hates you. You can't list all the funky things that it can do to you. Instead, list the good things and carefully verify that the input is good.

      For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it." Write a rule that says "Passwords may contain only letters, numbers, and underscores." In the first case, especially in the brave new world of Unicode, you'll never enumerate all the bad things that can happen.

      The second mistake is that once you've decided that input is bad, do not try to clean it up. The process of cleaning it up may itself make it invalid in the case of something like HTML. Just reject it with a good error message and let the user take care of it.

      If that is absolutely impossible, preferably along the lines of "you'll be fired if you don't clean it up", then at the very least, you must continue to recursively run the cleanup code until the input converges (is unchanged by the cleanup code).

      It's not that it's absolutely impossible to get it right if you don't follow these rules, it's just that it's really freakin' hard. Slashdot, for instance, does seem to manage, but it took them a few iterations and ultimately, it's a low-priority site even if it does get hacked a little. Is your program that unimportant?

      It's way, way easier to define legit HTML (specific tags, no attributes usually though it's easy to let a few specific ones through, even with a handful of specific values) than it is to create a function to take any arbitrary string and make "safe" HTML out of it.
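Jerf's two rules side by side, as an added example that is not part of the thread and is neither MySpace's filter nor Samy's code: a denylist stripper run once, the same stripper run until it converges, and an allowlist sanitizer that only re-emits tags, attributes and URL shapes it was told are good. The allowed tag table, the http(s)-only href rule, the toy tokenizer and both sample inputs are assumptions made for the illustration; the "java" + newline + "script" sample mirrors the split-token trick Skye16 describes above.

```javascript
// Added example (not from the Slashdot thread, MySpace or Samy's worm).
// ALLOWED_TAGS, HTTP_URL and the SAMPLE_* inputs are assumptions for illustration.

// ---- Mistake 1 + 2: enumerate "badness", then patch the input up in one pass ----
const BAD_PATTERNS = [
  /<\/?script[^>]*>/gi, // <script> and </script> tags
  /javascript:/gi,      // javascript: URLs, spelled the one way we thought of
  /\bon\w+\s*=/gi,      // inline event handlers (onload=, onerror=, ...)
];

function denylistStripOnce(html) {
  return BAD_PATTERNS.reduce((out, re) => out.replace(re, ''), html);
}

// Jerf's fallback: if you must clean up, re-run until the output stops changing.
function denylistStripUntilStable(html, maxRounds = 10) {
  let prev = html;
  for (let i = 0; i < maxRounds; i++) {
    const next = denylistStripOnce(prev);
    if (next === prev) return next;
    prev = next;
  }
  throw new Error('cleanup did not converge');
}

// ---- Define "goodness": allowed tags, allowed attributes, allowed values ----
const ALLOWED_TAGS = { b: [], i: [], p: [], a: ['href'] };    // assumption
const HTTP_URL = /^https?:\/\/[^\s"'<>]+$/i;                  // href must look like this

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Returns { html, rejected }. Anything not on the allowlist is escaped (so it
// renders as visible text rather than markup) and listed in `rejected`; a caller
// following the "reject with a good error message" advice refuses the input
// whenever rejected.length > 0. The tokenizer is deliberately simple: whatever it
// does not positively recognise is treated as text, so its failure mode is closed.
function sanitizeAllowlist(html) {
  const rejected = [];
  const tokens = html.match(/<[^>]*>|[^<]+|</g) || [];
  const out = tokens.map((tok) => {
    if (tok[0] !== '<') return escapeText(tok);                 // plain text
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?>$/.exec(tok);
    if (!m || !Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, m[2].toLowerCase())) {
      rejected.push(tok);                                       // unknown tag or stray '<'
      return escapeText(tok);
    }
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (closing) return `</${name}>`;                           // closing tags carry no attributes
    const attrs = [];
    const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      const ok = ALLOWED_TAGS[name].includes(attrName) &&
                 (attrName !== 'href' || HTTP_URL.test(value));
      if (ok) attrs.push(` ${attrName}="${escapeText(value)}"`);
      else rejected.push(`${name}@${attrName}=${value}`);      // style=, onclick=, bad href, ...
    }
    return `<${name}${attrs.join('')}>`;
  });
  return { html: out.join(''), rejected };
}

// Constructed sample inputs (not captured from MySpace).
const SAMPLE_NESTED = '<scr<script>ipt>alert(1)</script>';   // survives one denylist pass
const SAMPLE_SPLIT_TOKEN =
  '<a href="https://example.com/" style="background:url(\'java\nscript:alert(1)\')">x</a>';

function runSamples() {
  return {
    nestedOnce: denylistStripOnce(SAMPLE_NESTED),            // '<script>alert(1)'
    nestedStable: denylistStripUntilStable(SAMPLE_NESTED),   // 'alert(1)'
    splitStable: denylistStripUntilStable(SAMPLE_SPLIT_TOKEN), // unchanged: nothing matched
    splitAllowlist: sanitizeAllowlist(SAMPLE_SPLIT_TOKEN),   // style attribute never re-emitted
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

Running to convergence rescues the denylist from the nested `<scr<script>ipt>` case, but not from the split `java` + newline + `script:` URL, because that string never matched any pattern in the first place: the enumeration, not the loop, is what was incomplete. The allowlist version never has to know about the trick; `style` is not an attribute it re-emits, and an `href` that is not an absolute http(s) URL is dropped. A toy tokenizer like this one is not an HTML5 parser, so in production use a maintained sanitizer built on the same allowlist principle rather than this block.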
  4. Awesome by AForwardMotion · · Score: 5, Funny

    He'll probably get a lot of job offers from this.

  5. Here's the Guy's Explanation of his code by putko · · Score: 5, Informative

    Here is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBLA's expense, which is pretty suspect, I think.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  6. samy is my hero by gr8n10zt · · Score: 5, Informative

    The scoop from himself: http://fast.info/myspace/

  7. And the phrase for self-replicating viruses was... by benhocking · · Score: 5, Funny

    And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

    --
    Ben Hocking
    Need a professional organizer?
  8. Re:Back in my day by FlopEJoe · · Score: 5, Funny

    Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

  9. Re:No irony was intended by JasonKChapman · · Score: 5, Funny
    I think I'm gonna blame quantum tunneling.

    Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.

    --
    Sorry, I'm a writer. That makes you raw material.
  10. Re:No irony was intended by CreatureComfort · · Score: 5, Funny

    Heisenberg? Wouldn't that be Schrodinger?

    Heisenberg just says that you can never really be sure where the keys actually are, or your fingers for that matter.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  11. Re:Quick and Dirty solution by arkanes · · Score: 5, Interesting
    This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

    while (1) {alert("nope!");} will DoS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be modal to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

  12. About (2?) years ago by lupid · · Score: 5, Interesting

    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D