Cross-Site Scripting Worm Hits MySpace

As if by the hand of “god”, a worm that exploits a cross-site scripting issue in MySpace has caused numerous users to become “infected” with a piece of JavaScript that adds them to the buddy list of “Samy”.

This worm comes just a few days after we published an article predicting the spread of such worms. We didn’t know it would happen so quickly, but hey, don’t say we didn’t warn you.

Maybe it will cause webmasters to regard cross-site scripting as more than just an inconvenience.

  • http://BeyondSecurity.com ik

    Now all we have to do is actually convince web administrators and developers to filter their input, escape it, and try to remove any chars they do not think necessary in the first place.

    In the last couple of days, I found many XSS vulnerabilities in some friends’ open source web sites, and it took me a lot of work to convince them to fix the vulnerabilities.

    So now we’re back to my own blog.
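The “escape it” point above is the control that stops stored profile content from running as script. The following is an added example, not code from the post, MySpace or the worm; the profile field name and the sample payload are constructed for the demonstration.

```javascript
// Added example: escaping user-controlled profile text before it is
// placed into HTML. The "aboutMe" field and the sample payload are
// constructed for this demonstration, not taken from MySpace or the worm.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in HTML text
// or inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored "about me" text is concatenated straight into
// markup, so any tags inside it become part of the page for every visitor.
function renderProfileUnsafe(profile) {
  return `<div class="about">${profile.aboutMe}</div>`;
}

// Hardened: the user-controlled value is escaped for its context (an HTML
// text node here), so markup inside it is displayed, never executed.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.aboutMe)}</div>`;
}

// Constructed sample: a stored profile field carrying a script tag.
const sampleProfile = { aboutMe: 'hi! <script>/* constructed payload */</script>' };

// Simple check a test suite or review can run over rendered output:
// is there still an unescaped script tag in the HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Escaping at the point of output is the reliable control; stripping “unnecessary” characters from input is a blacklist and tends to miss encodings the browser still interprets.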

  • http://www.whiteacid.org WhiteAcid

    The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm’s AJAX code on his personal Web log.

    “Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue,” Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told BetaNews. “The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues.”

    Exactly my sentiments. It’s a good thing this was highlighted with a light hearted almost comical tone. Had someone made money off this I’d be pissed.

  • http://www.alljer.com/yahoorssxss.htm Jeremy

    It seems that Yahoo is also open to an XSS vulnerability through its RSS feeds. How long till someone codes an XSS worm to take advantage of this security hole? http://www.alljer.com/yahoorssxss.htm

  • Drew

    A whitepaper that goes into XSS viruses and worms is at http://www.bindshell.net/papers/xssv.html Strangely, it was written before Samy.