Cross-Site Scripting Worm Hits MySpace

By Nate Mook | Published October 13, 2005, 6:28 PM

With the advent of social networking sites, becoming more popular is as easy as crafting a few lines of JavaScript code, it seems.

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped out the word "javascript" from any text, which would be needed to execute code.

With the help of Internet Explorer, Samy was able to break the word JavaScript into two lines and place script code within a Cascading Style Sheet tag.

The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a "hero" to the visitor's own profile page. To do this without a user's knowledge, the code utilized XMLHttpRequest - a JavaScript object used in AJAX, or Web 2.0, applications such as Google Maps.

Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user's profile, creating a replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
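The filter failure the article describes (a blacklist that deletes the literal word, defeated by a line break inside it) and the kind of allowlist sanitiser that closes it, as an added Python example written for this page. It is not MySpace's filter and contains no code from the worm; the sample profile fragment, the tag allowlist and the function names are all constructed here for illustration.

```python
"""Added example: why stripping the literal word "javascript" is not a
sanitiser, and what an allowlist filter for user-supplied profile HTML looks
like. Constructed for this page; not MySpace's filter and not the worm."""
import html
import re
from html.parser import HTMLParser

# Constructed test input. The scheme word is split by a newline, the kind of
# input the article says slipped past a "remove the word javascript" filter.
# The payload is inert (void(0)).
SAMPLE_PROFILE = '<div style="background:url(java\nscript:void(0))">hello</div>'

# Only the tags and attributes a profile legitimately needs are allowed.
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
_GAP = re.compile(r"[\s\x00-\x1f]+")   # whitespace and control characters


def naive_filter(text: str) -> str:
    """Blacklist filter of the kind the article describes: delete the literal
    word. It cannot see the word once a newline has been inserted into it."""
    return re.sub("javascript", "", text, flags=re.IGNORECASE)


def contains_script_scheme(text: str) -> bool:
    """Detection check: collapse gaps *before* matching, so a split token is
    recognised. Useful for logging or alerting on rejected profile edits."""
    collapsed = _GAP.sub("", text)
    return re.search("javascript:", collapsed, re.IGNORECASE) is not None


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from an allowlist: unknown tags are dropped,
    style and event-handler attributes never survive, and link targets must
    carry an http(s) scheme after gap removal."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # <div>, <style>, <script> ... dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # style=, onclick=, ... dropped
            value = _GAP.sub("", value or "")
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                      # no javascript:, data:, etc.
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(text: str) -> str:
    """Return the allowlisted rendering of a user-supplied HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    leaked = naive_filter(SAMPLE_PROFILE)
    print("naive filter left a split token behind:", contains_script_scheme(leaked))
    print("allowlist output:", sanitize(SAMPLE_PROFILE))
```

The design point is the order of operations: the naive filter matches first and is blind to anything the browser will later join back together, while the allowlist parser decides what to emit and never lets a `style` attribute or a non-http link through, so there is nothing left for a lenient browser to reinterpret.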

It didn't take long for friend requests to start rolling in - first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.

Samy says his intentions weren't malicious, but expressed concern that MySpace, which was purchased by News Corp. in July for $580 million, wouldn't see it that way. Company officials have not contacted him, but his account was deleted.

"My primary motivation was to make people laugh. I wanted a few friends to have my name appended to their list of heroes, including some of their own friends whom I don't know directly," Samy told BetaNews in an e-mail interview. "Me, a hero? That had to be the funniest joke people have heard in a while. Well, a lot more people heard it than I had really wanted."

Still, aside from remnant "samy is my hero" text strewn across the Internet's fifth largest Web site, the end result could end up positive.

The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm's AJAX code on his personal Web log.

"Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue," Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told BetaNews. "The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues."

"Those who do not, especially the on-line financial institutions and community Web sites, are prime targets," added Grossman. But Samy noted that MySpace isn't the only party to blame for the vulnerability, stating that browser makers also need to do a better job with security.

"MySpace has always properly filtered out valid JavaScript indications," Samy said, "however it was due to browser leniencies that allowed me to still get JavaScript to execute."

Comments


another reason. incomplete by now :) but ...

#!/usr/bin/perl
# moral.pl

use LWP;
#use LWP::RobotUA;
use HTTP::Cookies;
use HTML::TokeParser;
use IO::File;
use POSIX;

my $browser = LWP::UserAgent->new;
my $username = 'altino.joao@gmail.com';
my $pass = 'xpto';

# enable cookies
$browser->cookie_jar( HTTP::Cookies->new(
    'file' => '/tmp/perl.myspace1.cookies',    # cookie file
    'autosave' => 1,
));

# headers sent with every request, to look like a browser
my @header = (
    'User-Agent' => 'Bruno Carreira browser bot',
    'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
    'Accept-Charset' => 'iso-8859-1,*,utf-8',
    'Accept-Language' => 'en-US',
);

my $url = 'http://viewmorepics.myspace.com:80/index.cfm?fuseaction=login.process';

# also follow redirects after a POST
push @{ $browser->requests_redirectable }, 'POST';

print "comeca por auth o user\n";
# authenticate against the site
my $response = $browser->post( $url,
    [
        email => $username,
        password => $pass,
    ]
);

die "Erro: nao foi possivel sacar a url: $url -- ", $response->status_line
    unless $response->is_success;

die "Erro: tava a espera de HTML, nao de ", $response->content_type
    unless $response->content_type eq 'text/html';

# print $response->content;

print "Faz uma pesquisa no site por GAJAS\n";
#$url = 'http://browse.myspace.com/index.cfm?fuseaction=browse';
#$url = 'http://browse.myspace.com/Browse.aspx?z=1';
$url = 'http://browseusers.myspace.com:80/Browse/Browse.aspx?z=1';
$response = $browser->post( $url,
    [
        Gender => 'genderWomen',
        minAge => '18',
        maxAge => '35',
        statusSingle => '1',
        statusMarried => '0',
        statusDivorced => '1',
        statusSwingers => '1',
        country => 'SW',
    ]
);

die "Erro: nao foi possivel sacar a url: $url -- ", $response->status_line
    unless $response->is_success;

die "Erro: tava a espera de HTML, nao de ", $response->content_type
    unless $response->content_type eq 'text/html';
print "Comeca a adicionar os GRELOS aos meus contactos ... \n";
#print $response->content;
snif();

sub snif {
    # walk every link on the current results page
    $p = HTML::TokeParser->new( \$response->content );
    my $aux = 0;
    while (my $token = $p->get_tag("a")) {
        my $url = $token->[1]{href} || "-";
        my $text = $p->get_trimmed_text("/a");

        if ($text =~ /IMG/) {
            $response = $browser->get( $url, @header );
            die "Erro: nao foi possivel sacar a url: $url -- ", $response->status_line
                unless $response->is_success;

            die "Erro: tava a espera de HTML, nao de ", $response->content_type
                unless $response->content_type eq 'text/html';
            $p1 = HTML::TokeParser->new( \$response->content );

            # pull the numeric friendID out of the profile link
            $url =~ /friendID=\d+?&Mytoken/;
            my $userid = $&;
            $userid =~ s/friendID=//;
            $userid =~ s/&Mytoken//;

            $url = 'http://www.myspace.com:80/index.cfm?fuseaction=invite.addfriend_check&friendID=' . $userid;
            $response = $browser->get( $url, @header );
            die "Erro: nao foi possivel sacar a url: $url -- ", $response->status_line
                unless $response->is_success;

            die "Erro: tava a espera de HTML, nao de ", $response->content_type
                unless $response->content_type eq 'text/html';

            $url4 = 'http://www.myspace.com:80/index.cfm?';
            my $temp = $response->content;
            #print $temp;

            # get hashcode
            my $hashcode = $response->content;
            # The regular expression that extracted the hashcode, and the first
            # lines of the POST that followed it, were lost when the comment was
            # posted (the site swallowed the angle brackets). A labelled
            # placeholder is kept here only so the script still compiles.
            $hashcode =~ m/HASHCODE_PATTERN_MISSING_FROM_ORIGINAL_POST/;
            $response = $browser->post( $url4,
                [
                    # parameter name is a placeholder: the original line is missing
                    hashcode => $hashcode,
                    friendID => $userid,
                ]
            );
            die "Erro: nao foi possivel sacar a url: $url4 -- ", $response->status_line
                unless $response->is_success;

            die "Erro: tava a espera de HTML, nao de ", $response->content_type
                unless $response->content_type eq 'text/html';

            #sleep 2;
            #print $response->content;
        }

        if (($text =~ /Next/) && ($aux == 1)) {
            # page number: \d+ rather than \d, otherwise only pages 0-9 work
            $url =~ m/\d+/;
            $response = $browser->post( "http://browseusers.myspace.com:80/Browse/Browse.aspx",
                [
                    page => $&,
                ]
            );
            # $response = $browser->get( $url, @header );
            die "Erro: nao foi possivel sacar a url: $url -- ", $response->status_line
                unless $response->is_success;

            die "Erro: tava a espera de HTML, nao de ", $response->content_type
                unless $response->content_type eq 'text/html';
            snif();
            $aux = 0;
        } elsif (($text =~ /Next/) && ($aux == 0)) {
            $aux++;
        }

    }
}   # closing brace of snif() was missing from the posted version

this is old, like I said at the beginning. :) but...

I just want to leave a question.

Is this simulation of mouse clicks also a hack??? :)

Score: 0

|

I'm glad I read this article...this happened to me...he was entered into my heroes section as well and messing up my entire page...aka missing photos and such..didn't make me very happy...but w/e it's only myspace I guess...ppl are just weird =)

SoRRy for anyone else that experienced this immature act !!

**Jenn

Score: 0

|

What a ****ing creep, we spend all our time making sure are running properly and some jerk just ****s it up.

He should be drawn and quartered.

Score: 0

|

It seems Yahoo is vulnerable to a similar XSS attack on its My Yahoo website. I wonder how long it will be before someone writes a clever worm to exploit this vulnerability? http://www.alljer.com/yahoorssxss.htm has the full details

Score: 0

|

MySpace is used by my 15-year-old daughter several hours a day. It is a blog or diary site with the added bonus of e-mail among other users that borders on IM or one huge chat room. This is very popular among her friends at school as it is a great workaround for getting past my IM rules for her.

Score: 0

|

Well at least it was someone with a moronic sense of humor instead of some jerk trying to steal someones info.

Score: 0

|

This vulnerability was reported and patched on beerco's sitespaces.net

If anybody finds that it hasn't been sufficiently patched, please contact "tux" the linux penguin on the site and file a bug report.

Score: 0

|

So does anyone have a link to the script he used? Or does anyone want to mail it to pm_987 at yahoo dot com?

Score: 0

|

And you want the script for...? Personal use I bet.

Score: 0

|

myspace rules...help me find a few girls(over18) down the block. meet up with them..the girls on the site are local and they all think with their vaginas :-)

Score: -1

|

scumbag

Score: 0

|

I have never even heard of myspace.

Score: 0

|

I'm glad I have a web host that is nice enough to not allow anyone but me to insert anything into HTML files. It's called secure FTP access. My friend can't even get a file off my site because it tells him access is denied.

Score: 0

|

Actually, you can do that with any server by setting the file permissions. It doesn't matter what protocol you use. If public access is set to 0, no one can see it in the web.

Score: 0

|

LOL! I hate MySpace anyways....

Score: 0

|

part of the problem is that we are using the 'net as a plain wire. The respective web pages and sites are responsible for maintaining security on what can only ever be platforms with imperfect knowledge.

The internet (and intranets for maintaining secure databases) should also keep the connections (instances of the various relationships) between objects.

This would enable DNS servers to immediately reject any and all connections that it is NOT supposed to keep.

Score: 0

|

Why does Browser matter?...for all I'm concerned, an attacker can make their own browser can't they? OFF Topic: I made a site, and reading this makes me worried that it's gonna get hacked...so anybody want to help me out that would be nice

Score: 0

|

Just a guess here: your site probably isn't the kind that could be exploited by XSS.

Score: 0

|

A little mean, but who would hack your site?

Score: 0

|

I've never visited the site, but the article says MySpace blocks the word JavaScript so that you can't slap in some code.
I'm assuming that 'Samy' used (for example) "" followed by the vulnerability code. Possibly IE is the only browser (wouldn't surprise me, but I hate IE so much I'm not even going to test it out) which will see this as an actual script tag and execute it. This way, MySpace is blocking the javascript tag, but IE's bad parsing will mean it is executed anyway.
Just a guess.

Score: 0

|

Blech, now betanews can't parse my post properly and I can't edit it to say what it's meant to. Here's a reply with what I meant to say (guess I'll have to avoid any tags in case it ****s up again).

MySpace blocks JavaScript and Script tags so that you can't slap in some bad code.
Samy used a CSS tag, then instead of using CSS stuff, simply put in half the JavaScript tag on one line, and the other half on the next line.
This should not be parsed as javascript code, it should be parsed as invalid CSS code, but since IE likes broken code, it will go ahead and execute it anyway.
So any users who are on IE will be affected by this. It's not really a bug in MySpace, more like a bug in IE which can be exploited on MySpace.

Score: 0

|

That's kinda what I was saying, but I was trying to be a little bit nicer.

Score: 0

|

A hacker could make his own browser, but he'll be the only one using it, not the millions of other users that became Samy's friend. In this case, a custom browser wouldn't do the trick.

Score: 0

|

Most hacking is done robotically, as in the above worm. It doesn't care whether you're Microsoft or some guy out in the Ozarks with a 14 MB hard drive. It'll try and hack you.

Score: 0

|

ummm... yeah, but you have to have a system in place to be hacked in the first place. A simple HTML page with pictures and music playing in the background will not fall victim to XSS. The site actually has to DO something in order for an XSS exploit to even be possible.

Score: 0

|


That is absolutely genius. I wish I'd thought of it. It's a harmless worm. That's the best kind.

Score: 0

|

tell that to the folks that had to work odd hours to clean it up.

Score: 0

|

Ok. So it was *almost* harmless.

Score: 0

|

You might say it was... Mostly Harmless?

Score: 0

|

It could even be viewed as a beneficial worm in that it opened up a lot of eyes to the problem so that it can now be fixed. I'd rather have Samy point out this security hole than a more malicious person.

Score: 0

|

EXACTLY! I'd take 10 of such worms instead of 1 malicious worm with the same capabilities. It is a pain in the butt, but not nearly as bad as having to restore from backups and tighten security... At least now they have a 'heads-up' that it can be done... This could have been TONS worse than it was... Count yourselves lucky.

Score: 0

|

Absolutely.

Score: 0

|

Another reason to use FireFox as your primary browser

Score: 0

|

Firefox what---I must have missed something. Since when did FireFox have anything to do with this?

Score: 0

|

IE is the only browser vulnerable to this exploit.

Score: 0

|

Any browser that allowed JavaScript code in CSS tags would be vulnerable, including Apple's Safari. Firefox may have been spared, but you should check that fact first :)

Score: 0

|

Ah

I guess it was this phrase that misled me: "With the help of Internet Explorer..."

Score: 0

|

Wouldn't that mean "Another reason not to use Internet Explorer as your primary browser" then? What makes it a good reason to use Firefox?

Score: 0

|

Yeah you're right. "Use Firefox" seems to be the IE-alternative catch-phrase these days.

Score: 0

|

Well he probably would have designed his backdoor to attack Firefox, but seeing that 90% of the entire population of the planet uses Internet Explorer, it would have been a waste of time.

Score: 0

|

Here is a paper that details the vector http://www.bindshell.net/papers/xssv.html

Score: 0

|

I prefer Opera 8.50...especially since it's now free without ad/spy/mal ware ;-)

Score: 0

|

I believe there is a setting in Firefox to disable scripting.

Score: 0

|

No, another reason to use OPERA as your primary browser. Anyone who uses Opera to visit MySpace would not have even found out about this worm until they read the story here or on Slashdot.

Score: 0

|

Wow...quite interesting. Still, a scripting worm is a worm, and "Sammy" could still get in serious trouble...

Score: 0

|

this is so genius! dang I so want to laugh louder but everyone at school walking by would stare at me funny x_X hehe more than usual, anyways

wasn't there an article citing errors to be exploited as the fault of the programmer? Hmm i might be off base, but there is something to be said here

Score: 0

|

Haha what a farken legend.

Score: 0

|

So "Sammy" is wrong for pointing out these security vulnerabilities in a harmless way? I guess it's better to let someone else hack your bank account.

Score: 0

|

he should have employed other ie vulnerabilities to establish a myspace botnet. P.S... Props to slashdot for putting naughty ideas in my head.

Score: 0

|

A CELEBRITY hahahahahaha

Score: 0

|

I just meant he might be in big _legal_ trouble for it--that's fact, not opinion. Should he get in trouble for it? That is the question

Score: 0

|
