Last words on that MySpace worm (GodOfTheNoose)
I was able to learn a lot about the XSS worm that affected MySpace a few days ago, and it was a neat little experience, especially since I was able to take a real, live look at it as it actually spread and affected users. Here are some things that are definitely known:
, was loaded (remotely, from a free host site) and executed in the victim's browser.
3) A Flash (.swf) file was created to execute a GetURL()
In essence, visiting an infected profile got you infected. Now, in my earlier post I said the worm was unsuccessful -- it turns out it did infect and inject itself into as many as 450,000 MySpace users. MySpace has clearly fixed the issue with the unsanitized variable, but as the author of the XSS worm told me, there are many vectors of attack on the popular website.
One has to wonder, though: both JS/Spacehero-A (Samy's worm) and GodOfTheNoose (a variant of JS/Spacehero-A) were non-malicious pieces of code that went as far as editing the contents of the victim's profile. Will there ever be a situation where a malicious author takes it upon (him|her)self to automate deletions of victim accounts, profile contents, or account details? Is MySpace doing anything to prevent further attacks? What can we learn from these mistakes, on behalf of the MySpace developers?