My name is Paul Bissex, and e-scribe.com is my consulting business. I build web applications using as much open source software as possible. From September to June I teach web design and other important non-photographic professional skills to photographers. In the '90s I wrote technology commentary and reviews for magazines, newspapers, and web publications, including Wired, Salon.com, FamilyPC, the late lamented Web Review, and the Chicago Tribune. Feel free to email me.
I'm co-authoring a book, "Python Web Development with Django", with Jeff Forcier and Wesley Chun. It will be published by Prentice Hall in July 2008, but is available for pre-ordering on Amazon now.
This site is built on a fresh trunk checkout of Django, running on Python 2.5.1, served by Apache and mod_python. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive.
Copyright 2008 by Paul Bissex and E-Scribe New Media
Via Rafe I learned of an astounding Javascript hack done by a MySpace user. Excerpts from the summary, allegedly written by the creator:
...anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission.
8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.
7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friend requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize.
Funny, but scary too. So it goes with such worms. A clever idea goes terribly wrong and has consequences thousands of times more extensive than the creator imagined.
The Ajaxy bits of Web 2.0 that bring us an increase in client-side power also open up new vistas of malware. A post on Google Blogoscoped (which calls the worm "truly Web 2.0") links to an example of the exploit code; reading that code really makes it sink in. A Javascript one-liner brought down one of the most popular sites on the web. (Also see comments here that clarify some of the technical details.)
Cross-site scripting (XSS) is now about a hell of a lot more than misleading alert boxes or tricky links. The Wikipedia article on XSS divides exploits into Type 0, Type 1, and Type 2. The description of Type 2 (the most severe) notes that it involves script code stored on the server (as in this case), but says that the attacker "may not need to use the web application itself to exploit such a hole."
I'd say we now have a new type -- Type 3 -- in which the web application is an integral part of the exploit.
Update: The summary page above (which is actually just a framed wrapper for this page) has been partially rewritten. The third-person preamble which spoke of the perpetrator as an "acquaintance" is gone; now it's all in the first person. There's also a page with detailed technical notes on the hack, and a list of links to other sites where it's being discussed. Plus t-shirts, of course.
Very interesting, thanks. Before reading the details on the bindshell site I hadn't realized the role that lax parsing on the browser side played in all this. To absolutely sanitize user input against this kind of thing, you can't just remove well-formed code that's dangerous, you have to know about badly-formed code that will still work in some browsers (i.e. IE, aieee).
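To make the sanitization point above concrete, here is an added example (not code from this post, from MySpace, or from the bindshell paper) of the allowlist approach: rather than trying to strip known-dangerous markup and hoping no malformed variant slips through, the untrusted HTML is re-serialized from a parse, keeping only a fixed set of tags, dropping every attribute, and entity-escaping all text, so script bodies and the remains of badly-formed tags come out as inert text. ALLOWED_TAGS, AllowlistSanitizer and sanitize() are names I chose for this illustration.

```python
import html
from html.parser import HTMLParser

# Tags user-supplied profile text may keep. Everything else, and every
# attribute (so no event handlers, style or href), is discarded.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialise untrusted HTML, keeping only ALLOWED_TAGS and escaping text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately dropped
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        # Any other tag (script, img, iframe, ...) is removed outright.

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Also close anything opened after it, so output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text is always entity-escaped: script bodies, remains of malformed
        # tags and stray '<' or '&' can never turn back into markup.
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        while self.open_tags:  # close tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return a safe-to-embed HTML fragment built from untrusted input."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)  # constructed sample input goes here
    parser.close()
    return parser.result()
```

Because the output is rebuilt from the parse rather than filtered from the raw string, the only way anything reaches the page as markup is through the allowlist; what a lenient browser would make of the original bytes no longer matters.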
There is no "Level 3"... in fact there are no levels. Read the wikipedia entry a bit more carefully, and you'll see this fits Type 2 to a T. The profiles were stored on the server.
Try not to speculate on things that you have no idea about.
God I hate bloggers
"anon1" -- my mistake on the terminology, you're correct and I'll fix that in the post. As for my suggestion for a third type: Type 2 describes a situation where code is injected, and redisplayed. But if samy's code stopped there, it wouldn't have been a worm and we wouldn't be talking about it. His code went one more step -- it reinjected itself upon each client-side viewing. That's why I'm suggesting it's a new type.
For a technical description of XSS viruses, you should check out http://www.bindshell.net/papers/xssv.html