E-Scribe : a programmer’s blog

About Me

I'm Paul Bissex. I build web applications using open source software, especially Django. Started my career doing graphic design for newspapers and magazines in the '90s. Then wrote tech commentary and reviews for Wired, Salon, Chicago Tribune, and others you never heard of. Then I built operations software at a photography school. Then I helped big media serve 40 million pages a day. Then I worked on a translation services API doing millions of dollars of business. Now I'm building the core platform of a global startup accelerator. Feel free to email me.

Book

I co-wrote "Python Web Development with Django". It was the first book to cover the long-awaited Django 1.0. Published by Addison-Wesley and still in print!

Colophon

Built using Django, served with gunicorn and nginx. The database is SQLite. Hosted on a FreeBSD VPS at Johncompanies.com. Comment-spam protection by Akismet.

Stuff I Use

bitbucket, Django, Emacs, FreeBSD, Git, jQuery, LaunchBar, Markdown, Mercurial, OS X, Python, Review Board, S3, SQLite, Sublime Text, Ubuntu Linux

Spam Report

At least 236325 pieces of comment spam killed since 2008, mostly via Akismet.

The MySpace worm

Via Rafe I learned of an astounding JavaScript hack done by a MySpace user. Excerpts from the summary, allegedly written by the creator:

...anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission.

8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.

9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.

7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize.

Funny, but scary too. So it goes with such worms. A clever idea goes terribly wrong and has consequences thousands of times more extensive than the creator imagined.

The Ajaxy bits of Web 2.0 that bring us an increase in client-side power also open up new vistas of malware. A post on Google Blogoscoped (which calls the worm "truly Web 2.0") links to an example of the exploit code; reading that code really makes it sink in. A JavaScript one-liner brought down one of the most popular sites on the web. (Also see comments here that clarify some of the technical details.)

Cross-site scripting (XSS) is now about a hell of a lot more than misleading alert boxes or tricky links. The Wikipedia article on XSS divides exploits into Level Type 0, Level Type 1, and Level Type 2. The description of Level Type 2 (the most severe) notes that it involves script code stored on the server (as in this case), but says that the attacker "may not need to use the web application itself to exploit such a hole."

I'd say we now have a new type -- Level Type 3 -- in which the web application is an integral part of the exploit.

Update: The summary page above (which is actually just a framed wrapper for this page) has been partially rewritten. The third-person preamble which spoke of the perpetrator as an "acquaintance" is gone; now it's all in the first person. There's also a page with detailed technical notes on the hack, and a list of links to other sites where it's being discussed. Plus t-shirts, of course.

Thursday, October 13th, 2005
+ + +
7 comments

Comment from samual , 1 day later

for a technical description on XSS viruses you should check out http://www.bindshell.net/papers/xssv.html

Comment from Paul Bissex , 3 days later

Very interesting, thanks. Before reading the details on the bindshell site I hadn't realized the role that lax parsing on the browser side played in all this. To absolutely sanitize user input against this kind of thing, you can't just remove well-formed code that's dangerous, you have to know about badly-formed code that will still work in some browsers (i.e. IE, aieee).
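The sanitizing approach Paul describes above, as an added example in Python (not code from this post or its author): rather than trying to strip the dangerous forms it knows about, the sanitizer keeps only an allowlist of tags and attributes and re-serializes them, so malformed or oddly cased variants that a lenient browser would still run never reach the page. The naive denylist function is shown beside it as the "before" picture. The tag allowlist, the function names, and the sample profile snippet are my own assumptions, constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: anything not listed here is dropped on output. The sanitizer
# therefore never has to enumerate the badly-formed variants that some
# browsers will still execute; unknown input simply does not survive.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", ""}   # "" covers relative links
VOID_TAGS = {"br"}

# Constructed sample of user-supplied profile markup (not a real payload).
SAMPLE_PROFILE = (
    '<p>hi <b onmouseover="x()">there</b> '
    '<a href="javascript:void(0)">link</a> '
    '<ScRiPt>doSomething()</ScRiPt></p>'
)


def naive_strip(profile_html):
    """Denylist approach, kept as the 'before' picture: it removes only the
    well-formed, lower-case <script> block it was written to recognise."""
    return re.sub(r"<script>.*?</script>", "", profile_html, flags=re.S)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed events, emitting only allowed parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lower-cased tag and attribute names.
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text is still kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                # event handlers, style, etc. never pass
            if name == "href":
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    continue            # non-http(s) link targets are dropped
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close everything opened since this tag so output is well-formed.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        # Text is always re-escaped, so script bodies of dropped tags become inert text.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:           # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(profile_html):
    """Return a well-formed, allowlist-only rendering of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(profile_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print("naive :", naive_strip(SAMPLE_PROFILE))
    print("strict:", sanitize(SAMPLE_PROFILE))
```

On the constructed sample the denylist leaves the mixed-case script tag and the event handler untouched, while the allowlist version emits `<p>hi <b>there</b> <a>link</a> doSomething()</p>`: the script body survives only as escaped text and the `javascript:` link loses its `href`. The design choice is that the output is re-serialized from parse events rather than edited in place, so nothing the parser did not positively recognise can leak through.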

Comment from anon1 , 3 days later

There is no "Level 3"... in fact there are no levels. Read the Wikipedia entry a bit more carefully, and you'll see this fits Type 2 to a T. The profiles were stored on the server.

Try not to speculate on things that you have no idea about.

God I hate bloggers

Comment from Paul Bissex , 3 days later

"anon1" -- my mistake on the terminology, you're correct and I'll fix that in the post. As for my suggestion for a third type: Type 2 describes a situation where code is injected, and redisplayed. But if samy's code stopped there, it wouldn't have been a worm and we wouldn't be talking about it. His code went one more step -- it reinjected itself upon each client-side viewing. That's why I'm suggesting it's a new type.

Comment from Tommy! , 13 weeks later

Proxify Has Viruses too

Comment from t , 25 weeks later

cn u tell me how to get this worm to make me more popular?

Comment from Sandy , 23 months later

I like MySpace a lot, but I really don't like the IM client. Instead I use the eBuddy client at www.ebuddy.com. It's very easy to use, everywhere available and you can even use different chats (like MSN, AOL, Yahoo, AIM, MySpace etc). Also on your mobile :) Highly recommended!

Comments are closed for this post. But I welcome questions/comments via email or Twitter.