Friday, October 14, 2005
The beginning of XSS worms
A MySpace user by the name of "Samy" figured out how to slip a XSS attack into a CSS tag. Thus, he was able to successfully exploit 1) a hole in myspace.com's coding, and 2) a large victim base. The attack doesn't seem to be executed by Firefox/Mozilla users, but IE/Opera/Safari and possibly other obscure browsers.
Instead of just stealing a few cookies belonging to victim users, he decided to try his luck at propagating the attack. In fact, he was not only able to have people add him automatically to their friends list, but also the XSS attack itself was written to the victims' own profile thus creating a worm. It spread to the hundreds, then to thousands, until it reached millions. After some time it was fixed up.
Here are some reading material to fill your interests:
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
http://www.livejournal.com/community/evan_tech/150019.html (the code itself)
http://blog.outer-court.com/archive/2005-10-14-n81.html (an interview with the author) ¶ 10/14/2005 03:25:00 PM
Instead of just stealing a few cookies belonging to victim users, he decided to try his luck at propagating the attack. In fact, he was not only able to have people add him automatically to their friends list, but also the XSS attack itself was written to the victims' own profile thus creating a worm. It spread to the hundreds, then to thousands, until it reached millions. After some time it was fixed up.
Here are some reading material to fill your interests:
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
http://www.livejournal.com/community/evan_tech/150019.html (the code itself)
http://blog.outer-court.com/archive/2005-10-14-n81.html (an interview with the author) ¶ 10/14/2005 03:25:00 PM