Last words on that MySpace worm (GodOfTheNoose)
I was able to learn a lot about the XSS worm that affected MySpace a few days ago, and it was a neat little experience, especially since I was able to take a real live look at it as it actually spread and affected users. Here are some things that are definitely known:
1) The primary issue was an unsanitized variable by the name of "TheName", which allowed the execution of JavaScript code.
2) A JavaScript (.js) file, which turns out to be a modification of JS/Spacehero-A, was loaded remotely (from a free host site) and executed in the victim's browser.
3) A Flash (.swf) file was created to execute a GetURL() GET request, which included a script src pointing to the JavaScript file mentioned in #2.
4) In the JavaScript file, there were requests to change the first, last, and display names; a message from the author was also injected; and the Flash file was embedded into the victim's profile.
In essence, visiting an infected profile got you infected. In my earlier post I said the worm was unsuccessful -- it turns out it did infect and inject itself into as many as 450,000 MySpace users. MySpace has clearly fixed the issue with the unsanitized variable, but as the author of the XSS worm told me -- there are many vectors of attack on the popular website.
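The root cause above is a profile field rendered into page markup without output encoding. The following is an added example (my own illustration, not MySpace's code or the worm's); `renderNameUnsafe`, `renderNameSafe` and the sample display name are hypothetical, and it shows the vulnerable concatenation beside the hardened form plus a simple check for tags the template did not emit.

```javascript
// Added example: HTML-escape a user-controlled profile field before it is
// rendered into markup. Escaping the five HTML metacharacters guarantees the
// value is treated as text, never as a tag or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // Single-pass replace: "&" is escaped in the same pass, so no double-escaping.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): raw concatenation of user text into markup.
// This is the class of bug behind the unsanitized "TheName" variable.
function renderNameUnsafe(theName) {
  return '<span class="name">' + theName + "</span>";
}

// Hardened pattern: same template, but the value is escaped on output.
function renderNameSafe(theName) {
  return '<span class="name">' + escapeHtml(theName) + "</span>";
}

// Check a test suite can apply to rendered output: the only tags present
// should be the ones the template itself emits (here, just <span>).
function containsForeignTag(html, allowed = ["span"]) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a display name carrying markup, as a stored-XSS probe would.
const SAMPLE_NAME = "Tom <script>alert(1)</script>";
```

The same output-encoding rule applies to every user-controlled field the page echoes, not only the display name.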
One has to wonder, though: both JS/Spacehero-A (Samy's worm) and GodOfTheNoose (a variant of JS/Spacehero-A) were non-malicious pieces of code that went only as far as editing the contents of the victim's profile. Will there ever be a situation where a malicious author takes it upon (him|her)self to automate deletions of victim accounts, profile contents, or account details? Is MySpace doing anything to prevent further attacks? What can the MySpace developers learn from these mistakes?
Fin.