Topics: Security, The Internet, Worms

Cross-Site Scripting Worm Floods MySpace

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHttpRequest, a JavaScript object used in AJAX Web applications, and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
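The summary describes a stored XSS payload living in profile content and running in every visitor's browser. The example below is added here and is not code from the Slashdot story, from BetaNews, or from the Samy worm; it models the defensive side of that problem. MySpace's real filters are not described on this page, so the single-pass keyword blacklist, the profile strings and the crude "would this run script" check are all constructed for illustration. It shows why a strip-based blacklist is fragile (one stripping pass can reassemble the very token it removed), what the minimum repair for such a filter looks like (re-strip to a fixed point), and why output encoding is the robust answer.

```javascript
// Added example, not code from the Slashdot post or from the Samy worm.
// Models a profile site that stores user-supplied HTML and renders it for
// other visitors. The filter rules, the profile text and the "browser"
// check are constructed for illustration; they are not MySpace's filters.

// A single-pass keyword blacklist of the kind many 2005-era sites used.
function blacklistFilter(html) {
  return html.replace(/<script/gi, "").replace(/javascript/gi, "");
}

// Same blacklist, re-applied until the output stops changing. This is the
// minimum a strip-based filter needs, because stripping a token can itself
// create a new occurrence of that token out of the surrounding characters.
function blacklistToFixedPoint(html) {
  let prev;
  do {
    prev = html;
    html = blacklistFilter(html);
  } while (html !== prev);
  return html;
}

// Output encoding: every character that can open a tag, attribute or entity
// becomes literal text, so the browser displays the payload instead of
// executing it.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Crude stand-in for a browser's HTML parser: true if the markup contains a
// construct that a real browser would execute as script.
function wouldExecuteScript(markup) {
  return /<script\b/i.test(markup) ||
         /\son\w+\s*=/i.test(markup) ||
         /javascript:/i.test(markup);
}

// Constructed profile content. The first is an ordinary user post; the
// second is shaped so that one stripping pass reassembles a script tag.
const benignProfile =
  'Hi, I like <b>music</b> &amp; <a href="http://example.invalid/">my band</a>';
const nestedPayload = '<scr<scriptipt>document.title="owned"</script>';

// The site's rendering step: user content dropped into the page template
// after whichever filter is in use.
function renderProfile(userHtml, filter) {
  return '<div class="profile">' + filter(userHtml) + "</div>";
}

function demo() {
  return {
    benignUnchanged: blacklistFilter(benignProfile) === benignProfile,
    singlePassBypassed: wouldExecuteScript(renderProfile(nestedPayload, blacklistFilter)),
    fixedPointHolds: !wouldExecuteScript(renderProfile(nestedPayload, blacklistToFixedPoint)),
    encodingHolds: !wouldExecuteScript(renderProfile(nestedPayload, escapeHtml)),
  };
}

console.log(demo());
```

Two caveats a practitioner should keep in mind. Re-stripping to a fixed point only closes the nesting trick; anything the blacklist never listed (an event-handler attribute on an image, for instance) still passes, so a blacklist is never a complete defense. Output encoding is complete but also removes the user's legitimate `<b>` and `<a>` markup; a site that wants to allow a subset of HTML needs a real parser with an allowlist of tags and attributes, not a list of forbidden strings.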
  • by Coocha ( 114826 ) <[ude.tv] [ta] [ahcooc]> on Friday October 14, 2005 @09:32AM (#13789944) Homepage
    I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

    So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other ./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?
  • by smooth wombat ( 796938 ) on Friday October 14, 2005 @10:05AM (#13790188) Journal
    In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., </li>) as well as a few other things

    I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong. Firefox on the other hand presumes you are reasonably competent at what you are doing and will let you know when you screw up.

  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Friday October 14, 2005 @10:09AM (#13790216)
    My proposed "quick and dirty" solution is this.

    <script type="text/javascript">
        for (i = 0; i < 1000; ++i) {
            alert("Disable JavaScript for this site!");
        }
        alert("OK ..... Don't say you weren't warned.");
    </script>

    Now you can be sure that  {almost*}  nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.

    * There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times.  Their computer probably is infected with several viruses already, though.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday October 14, 2005 @10:14AM (#13790260)
    Comment removed based on user account deletion
  • by jallen02 ( 124384 ) on Friday October 14, 2005 @10:23AM (#13790329) Homepage Journal
    It's amazing to me that the site was sold for $580 million. Obviously technical annoyances didn't stop him from making an insane amount of money off the whole deal.

    Oh and % is used in LIKE queries, that may be why it's filtered?

    Jeremy
  • by ptomblin ( 1378 ) <ptomblin@xcski.com> on Friday October 14, 2005 @10:48AM (#13790497) Homepage Journal
    5. Image leeches. Whenever I see a lot of hits on one of my pictures on my web site, it's because some asshole at MySpace has embedded it in his page without asking permission, without copying it, and without giving it any attribution.

    Which is why I now have
    RewriteEngine On
    # Match any host under myspace.com in the Referer; the unescaped "..myspace.com"
    # only matched a two-character prefix and so never matched "www.myspace.com".
    RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?myspace\.com/ [NC]
    # Redirect JPEG requests from such referrers to a PNG, so the rule cannot loop on itself.
    RewriteRule \.jpe?g$ http://xcski.com/~ptomblin/leech.png [R,L]
    in my Apache configuration.
  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Friday October 14, 2005 @10:53AM (#13790537) Homepage
    This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

    while (1) {alert("nope!");} will DoS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be modal to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

  • by TheLink ( 130905 ) on Friday October 14, 2005 @10:59AM (#13790599) Journal
    Firstly it's on the same site :).

    Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.

    Anyway, I've proposed years ago that there be HTML tags to turn off any active/dynamic stuff.

    Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.

    I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.

    e.g.
    <shieldson lock="randomstring" allowed="keyword,keyword,keyword" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>
    state restored to before lock

    Where keywords:
    textonly = just text
    basic = basic formatting <em> <b> <i> <strong>
    tables = tables
    urls= plain <a href=""> no javascript etc
    images= plain images, no javascript etc.
    java=java
    javascript=javascript.

    The idea is it will be very hard for the attacker to guess the random string.

    Oh well...
  • About (2?) years ago (Score:5, Interesting)

    by lupid ( 880820 ) on Friday October 14, 2005 @11:08AM (#13790663)
    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
  • by radtea ( 464814 ) on Friday October 14, 2005 @11:28AM (#13790852)
    responsibility lies at the browser developers' feet.

    Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.

    The situation is an artefact left over like a minefield from the browser war in the '90s. If either Netscape or Microsoft had focused on standards-compliance they would have lost market share. It is likely that both companies were actively trying to break standards as a means of locking in users.

    Now that things have settled down Microsoft is the only corporate player with an ongoing interest in locking in users, but users are still going to expect browsers to render everything, no matter how malformed. Users experience any failure to render as a browser problem, not an authoring problem. As such, it is going to be difficult to get the web as a whole to be standards-compliant.

    One of the fundamental laws of human behaviour was most clearly enunciated by Han Solo: "It's not my fault! It's not my fault!" We can sit back and say that any user of IE deserves to get burned by exploits, or that anyone authoring an invalid web page deserves to not get page views, but the Darwinian market is fundamentally a mechanism for humans to shift blame for their own failures onto others, and users choose IE and users choose MySpace, so neither browser choice nor website choice will ever be accepted as the cause of users' problems.
  • by Anonymous Coward on Friday October 14, 2005 @11:28AM (#13790859)
    They are not modal on Opera, although they will prevent any interaction with the tab that generated the alert, everything else works just fine - I can also use the tab bar or the window sidebar to close it or simply disable javascript at any time with the menu or F12.
  • by StillNeedMoreCoffee ( 123989 ) on Friday October 14, 2005 @12:09PM (#13791197)
    I have a 3d party site that brands its content for us but does it using and tags. The tag is forbidden by the W3C standard

    http://www.w3.org/TR/REC-html40/struct/objects.html#h-13.2

    Notice "Start tag: required, End tag: forbidden"

    Which is pretty unambiguous.

    That site's response to letting them know that they were putting out "Forbidden" tags was to come up with a "Compatibility Matrix" for which browsers and versions of browsers would work with their site.

    This is unfortunately the attitude of many sites and site designers. If it works for I.E. then we are done. We just document the bug with a compatibility matrix and we are golden. The problem here is in the branding, if you have Netscape and some versions of Firefox and a few others, our company logo will not show.

    My contention is if you have a product that only works for one browser you have a client server application not a web application.
