Cross-Site Scripting Worm Floods MySpace
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHttpRequest - a JavaScript object used in AJAX Web applications - and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
Aww... (Score:5, Funny)
Go Samy! (Score:4, Funny)
Back in my day (Score:5, Funny)
Awesome (Score:5, Funny)
Re:XSS? (Score:5, Funny)
Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."
Re:Aww... (Score:5, Funny)
With a name like MySpace... (Score:5, Funny)
... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.
Eric
William Shatner boldly goes like no man has before [ericgiguere.com]
And the phrase for self-replicating viruses was... (Score:5, Funny)
Don't you hate when you forget stuff? (Score:5, Funny)
Re:Here's the Guys Explanation of his code (Score:5, Funny)
Re:Back in my day (Score:5, Funny)
Obligatory... (Score:3, Funny)
Re:Day late, dollar short. (Score:2, Funny)
Unpatched security holes? (Score:3, Funny)
No irony was intended (Score:5, Funny)
Re:XSS? (Score:5, Funny)
Re:That's Irrelevant (Score:3, Funny)
How else could they block Javascript without eliminating the ability to post bits of code or pseudo-code for artistic or informational reasons? Even then it could probably be snuck in given that code doesn't really have any secret giveaway footprint that makes it possible to filter out.
About the only way to protect against such a problem is to block any browser from using the site that is too forgiving of bad web code. I'd imagine most other sites that let users post stuff others can read can be infected in a similar way.
I just hope the poor guy that wrote this code doesn't get in trouble. It doesn't sound as if he really knew how fast it'd grow and it was a much needed wakeup call to MySpace and the industry as a whole.
What we really need is for every major website to agree to a blanket anti-IE policy until IE is fixed, with like treatment for any other browser of similar shady quality (none that I can think of), where starting on a certain day all those sites redirect IE users to a site that'll help them download and install their choice of better browser. Firefox, Safari, Opera, or whatever (Lynx anyone?). Get the top ten websites to do that, with an explanation as to why, and you could change a high enough percentage of users over to make a permanent change. Hell, use those browser holes to make installing an alternate browser easy. Once directed to the site explaining the situation, have the page offer the choice of available browsers, each with an 'Install Now' button next to it. As soon as the user clicks the button, install the new browser as the default browser and remove all shortcuts to IE. No need to figure out how to download and install anything after that one click.
Re:No irony was intended (Score:5, Funny)
Blame Heisenberg. At any given time every key is either pressed or not until you hit "submit" and find out for sure.
Re:No irony was intended (Score:5, Funny)
Heisenberg? Wouldn't that be Schrodinger?
Heisenberg just says that you can never really be sure where the keys actually are, or your fingers for that matter.
Re:Here's the Guys Explanation of his code (Score:5, Funny)
LOL No kidding! "Here's the home page of the guy famous for writing viral web code that infects your browser, wanna go see it?" Golly, sounds like a swell idea, what's the worst that could happen?
Look on the bright side! (Score:3, Funny)
No kidding. But look on the bright side -- he has dramatically increased his chances of having at least one *very* close, long-term friend. Bubba, meet your new cellmate, "Samy."
Re:That's Irrelevant (Score:3, Funny)
j-a-v-a-s-c-r-i-p-t, with each character on a new line. It'd be pretty hard for a filter to catch something like that, though I suppose they could strip out newlines and whitespace as well and just look for character sequences.
What a pain in the butt though. Seems like M$ could just produce a browser that doesn't go out of its way to screw itself.
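[Added example, not part of the thread or any poster's code.] The two comments above ask how a site can still let users post code, and note that a filter looking for the literal string "javascript" misses it when it is split across lines. The sketch below shows the defensive pattern: escape on output instead of filtering, and allowlist URL schemes after normalizing whitespace. All function names and sample strings are constructed for illustration.

```javascript
// Escape user text for an HTML text or quoted-attribute context, so posted
// code is displayed as text and never parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The blacklist approach discussed in the thread: look for a known-bad string.
// Returns true when the filter would block the input.
function naiveBlocks(url) {
  return String(url).toLowerCase().includes('javascript:');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Allowlist check for a user-supplied URL. Browsers ignore tabs and newlines
// inside a URL, so strip ASCII whitespace and control characters before
// reading the scheme; anything not explicitly allowed is rejected.
function isSafeUrl(raw) {
  const cleaned = String(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme: relative URL, resolved against the site
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Render a user-supplied link: unsafe URLs degrade to plain escaped text.
function renderLink(url, label) {
  const text = escapeHtml(label);
  if (!isSafeUrl(url)) return text;
  return `<a href="${escapeHtml(url)}" rel="nofollow">${text}</a>`;
}

// Constructed sample: the scheme split by a newline, as the comment describes.
const splitScheme = 'java\nscript:alert(1)';

function demo() {
  return {
    naive: naiveBlocks(splitScheme),            // blacklist misses it
    allowlist: isSafeUrl(splitScheme),          // allowlist rejects it
    code: escapeHtml('<script>x()</script>'),   // posted code stays visible
    link: renderLink(splitScheme, 'my page'),
  };
}
```

The blacklist has to anticipate every spelling a lenient parser accepts; the allowlist only has to recognize the few schemes the site wants to permit.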
Re:And the phrase for self-replicating viruses was (Score:3, Funny)
At my school, I think it was called "herpes".
Re:No irony was intended (Score:5, Funny)
I have Schroedinger's wavefunction equation tattooed on my arm, and every time someone asks about it, I explain about the cat and the two-slit experiment. It would probably be more effective if I printed out pamphlets, because there isn't enough time to even explain the cat properly if a grocery-store clerk asks.
My Hero (Score:2, Funny)