Monday, October 30, 2006

Cross-Site Scripting Worm Hits MySpace

With the advent of social networking sites, becoming more popular is as easy as crafting a few lines of JavaScript code, it seems.

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by probing the restrictions MySpace placed on profile content, Samy found that he could insert raw HTML into his profile page. MySpace did strip the word "javascript" from anything a user submitted, on the assumption that without that token no script could be invoked. The weakness was that this was a denylist matching a single literal string, not a check on what the browser would ultimately execute.

Internet Explorer, however, was lenient about that string: it would still treat "java" followed by a line break and "script" as the javascript: scheme. Samy therefore split the word across two lines inside a url() value in a style attribute (CSS on an ordinary HTML tag), so the stored text never contained the token the filter looked for, while the browser reassembled it and executed the code.
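To make the filter and its bypass concrete, here is an added example in JavaScript (runnable under Node, not in a browser). It is not MySpace's filter and not Samy's payload: the denylist, the sample payload and the model of the browser's lenient scheme parsing are all reconstructed from the article's description and are assumptions. It also goes one step past the article by generalizing the bypass from a newline to any whitespace or control character inside the scheme name, and by showing the check that would have caught it: normalize first, then allow only the schemes the feature needs.

```javascript
// Added example: reconstruction of a substring denylist of the kind the
// article describes, the split-word url() value that slips past it, and a
// hardened check. None of this is MySpace's or Samy's code; the filter
// logic and the browser model are assumptions.

// Naive server-side filter: delete the literal token "javascript".
function naiveFilter(html) {
  return html.replace(/javascript/gi, "");
}

// Constructed sample input in the shape the article describes: a style
// attribute whose url() carries "java", a newline, then "script:".
// PAYLOAD is a placeholder, not the worm's actual expression.
const samplePayload =
  "<div style=\"background:url('java\nscript:eval(PAYLOAD)')\">";

// Model of the lenient parser (assumed, for a long-obsolete browser):
// whitespace and control characters inside the scheme name are discarded,
// so "java\nscript:" resolves as "javascript:". Returns null when the
// value has no scheme, i.e. a relative URL.
function lenientSchemeOf(urlValue) {
  const idx = urlValue.indexOf(":");
  if (idx === -1) return null;
  const scheme = urlValue
    .slice(0, idx)
    .replace(/[\s\x00-\x1f]/g, "")
    .toLowerCase();
  return /^[a-z][a-z0-9+.-]*$/.test(scheme) ? scheme : null;
}

// Pull every url(...) value out of a fragment of HTML/CSS.
function cssUrls(html) {
  const out = [];
  const re = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Hardened check: decide on the normalized scheme the browser would see,
// and allow only the schemes the feature needs instead of denying words.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function hardenedFilter(html) {
  for (const value of cssUrls(html)) {
    const scheme = lenientSchemeOf(value);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      throw new Error(`rejected url() with scheme "${scheme}"`);
    }
  }
  return html;
}
```

naiveFilter leaves samplePayload byte-for-byte untouched because the string "javascript" never occurs contiguously, while lenientSchemeOf reports the scheme as "javascript" and hardenedFilter rejects it; a relative image URL or an https:// URL passes. The general lesson is the one Samy's bypass teaches: a filter has to compare against what the consumer will parse, not against the raw bytes.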

The next step was to make the visitor's browser request a MySpace URL that adds Samy as a friend, and then one that adds him as a "hero" on the visitor's own profile page. To do this without the visitor noticing, the code used XMLHttpRequest, the JavaScript object behind AJAX (or "Web 2.0") applications such as Google Maps. Because the script runs inside a MySpace page and its requests go to MySpace itself, they carry the visitor's own session cookies, and the server cannot tell them apart from a deliberate click.

Taking the hack a step further, Samy realized that the script could copy itself into the visiting user's profile, so that anyone who viewed that profile was infected in turn; this is what turns a stored XSS bug into a self-replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
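The propagation loop Samy describes, as an added toy model in JavaScript. This is not Samy's code and not MySpace's: the site, its users and the payload marker are constructed here, and the friend/hero requests are plain method calls standing in for the URLs the article mentions. It shows two things the paragraph states but does not demonstrate: that a script stored in one profile spreads to every viewer who renders it, because the viewer's browser runs it with the viewer's own session, and that encoding profile HTML on output breaks the loop even though the stored payload is unchanged.

```javascript
// Added example: a toy model of the worm's loop. Not Samy's or MySpace's
// code; the site, users and payload marker are constructed for this demo.

// Stands in for the real payload; only its presence in rendered HTML matters.
const WORM_MARKER = "<script>/* replicate */</script>";

// Standard HTML output encoding: the stored payload becomes inert text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

class ToySite {
  constructor({ escapeOutput }) {
    this.escapeOutput = escapeOutput;
    this.profiles = new Map(); // user -> { about, friends: Set, heroes: Set }
  }
  addUser(name) {
    this.profiles.set(name, { about: "", friends: new Set(), heroes: new Set() });
  }
  // Stores whatever the user submits; no policy is applied at this point.
  updateAbout(user, html) {
    this.profiles.get(user).about = html;
  }
  // Requests that need only the caller's session, like the friend/hero URLs
  // in the article. The server cannot tell a script-driven request from a
  // deliberate click: both arrive with the same cookies.
  addFriend(caller, target) {
    this.profiles.get(target).friends.add(caller);
  }
  addHero(caller, hero) {
    this.profiles.get(caller).heroes.add(hero);
  }
  // With escapeOutput the same stored bytes render as harmless text.
  render(owner) {
    const about = this.profiles.get(owner).about;
    return this.escapeOutput ? escapeHtml(about) : about;
  }
}

// Browser side: the viewer loads a profile. If the live marker survives into
// the rendered HTML, the script "runs" as the viewer and does what the
// article describes, including copying itself into the viewer's profile.
function view(site, viewer, owner) {
  const html = site.render(owner);
  if (!html.includes(WORM_MARKER)) return false;
  site.addFriend(viewer, "samy");
  site.addHero(viewer, "samy");
  const mine = site.profiles.get(viewer).about;
  if (!mine.includes(WORM_MARKER)) site.updateAbout(viewer, mine + WORM_MARKER);
  return true;
}

// Each round, every carrier's profile is viewed by `fanout` fresh users.
function simulate({ escapeOutput, fanout, rounds }) {
  const site = new ToySite({ escapeOutput });
  site.addUser("samy");
  site.updateAbout("samy", "samy is my hero " + WORM_MARKER);
  let carriers = ["samy"];
  let nextId = 0;
  for (let r = 0; r < rounds; r++) {
    const next = [];
    for (const owner of carriers) {
      for (let i = 0; i < fanout; i++) {
        const viewer = `user${nextId++}`;
        site.addUser(viewer);
        if (view(site, viewer, owner)) next.push(viewer);
      }
    }
    carriers = next;
  }
  return {
    samyFriends: site.profiles.get("samy").friends.size,
    heroesAssigned: [...site.profiles.values()].filter((p) => p.heroes.has("samy")).length,
    usersSeen: nextId + 1,
  };
}
```

simulate({ escapeOutput: false, fanout: 5, rounds: 2 }) reproduces the arithmetic in the quote: 5 friends after the first round, 30 after the second, with a "samy" hero on every infected profile. With escapeOutput: true the identical stored payload is rendered as text, view() never fires, and Samy ends with zero friends. Wholesale escaping is the blunt form of the fix; since MySpace let users post HTML on purpose, the realistic counterpart is a sanitizer that rebuilds the markup from an allowlist of tags and attributes. Note what does not help: anti-CSRF tokens, because a script already running in the victim's page can read them and include them in its requests.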

It didn't take long for friend requests to start rolling in - first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.

Samy says his intentions weren't malicious, but expressed concern that MySpace, which was purchased by News Corp. in July for $580 million, wouldn't see it that way. Company officials have not contacted him, but his account was deleted.

"My primary motivation was to make people laugh. I wanted a few friends to have my name appended to their list of heroes, including some of their own friends whom I don't know directly," Samy told BetaNews in an e-mail interview. "Me, a hero? That had to be the funniest joke people have heard in a while. Well, a lot more people heard it than I had really wanted."

Still, aside from remnant "samy is my hero" text strewn across the Internet's fifth largest Web site, the end result could end up positive.

The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm's AJAX code on his personal Web log.

"Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue," Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told BetaNews. "The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues."

"Those who do not, especially the on-line financial institutions and community Web sites, are prime targets," added Grossman. But Samy noted that MySpace isn't the only party to blame for the vulnerability, stating that browser makers also need to do a better job with security.

"MySpace has always properly filtered out valid JavaScript indications," Samy said, "however it was due to browser leniencies that allowed me to still get JavaScript to execute."
