Cross-Site Scripting Worm Hits MySpace
October 14th, 2005 by noam, Filed under: Digest
As if by the hand of “god”, a worm that exploits a cross-site scripting issue in MySpace has caused numerous users to become “infected” with a piece of JavaScript that adds them to the buddy list of “Samy”.
This worm comes a few days after we published an article predicting the spread of such worms. We didn’t know it would happen so quickly, but hey, don’t say we didn’t warn you.
Maybe it will cause webmasters to regard cross-site scripting as more than just an inconvenience.
Now all we have to do is actually convince web administrators and developers to filter their input, escape it, and try to remove any chars they do not think necessary in the first place.
In the last couple of days, I found many XSS vulnerabilities in some friends’ open source web sites, and it took me a lot of work to convince them to fix the vulnerabilities.
So now we’re back to my own blog.
Exactly my sentiments. It’s a good thing this was highlighted with a light-hearted, almost comical tone. Had someone made money off this I’d be pissed.
It seems that Yahoo is also open to an XSS vulnerability through its RSS feeds. How long till someone codes an XSS worm to take advantage of this security hole? http://www.alljer.com/yahoorssxss.htm
A whitepaper that goes into XSS viruses and worms is at http://www.bindshell.net/papers/xssv.html. Strangely, it was written before Samy.