E-Scribe News : a programmer’s blog

About Me

I'm Paul Bissex. I build web applications using open source software, especially Django. In the '90s I did graphic design for newspapers and magazines. Then I wrote technology commentary and reviews for Wired, Salon.com, Chicago Tribune, and lots of little places you've never heard of. Then I taught photographers how to create good websites. I co-wrote a book along the way. Now I am helping turn a giant media corporation into a digital enterprise. Feel free to email me.

Book

I'm co-author of "Python Web Development with Django", an excellent guide to my favorite web framework. Published by Addison-Wesley, it is available from Amazon and your favorite technical bookstore as well.

Colophon

Built using Django, served by Apache and mod_wsgi. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive. The markup engine is Markdown.


The MySpace worm

Via Rafe I learned of an astounding JavaScript hack done by a MySpace user. Excerpts from the summary, allegedly written by the creator:

...anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission.

8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.

9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.

7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize.

Funny, but scary too. So it goes with such worms. A clever idea goes terribly wrong and has consequences thousands of times more extensive than the creator imagined.

The Ajaxy bits of Web 2.0 that bring us an increase in client-side power also open up new vistas of malware. A post on Google Blogoscoped (which calls the worm "truly Web 2.0") links to an example of the exploit code; reading that code really makes it sink in. A JavaScript one-liner brought down one of the most popular sites on the web. (Also see comments here that clarify some of the technical details.)

Cross-site scripting (XSS) is now about a hell of a lot more than misleading alert boxes or tricky links. The Wikipedia article on XSS divides exploits into Type 0, Type 1, and Type 2. The description of Type 2 (the most severe) notes that it involves script code stored on the server (as in this case), but says that the attacker "may not need to use the web application itself to exploit such a hole."

I'd say we now have a new type -- Type 3 -- in which the web application is an integral part of the exploit.

Update: The summary page above (which is actually just a framed wrapper for this page) has been partially rewritten. The third-person preamble which spoke of the perpetrator as an "acquaintance" is gone; now it's all in the first person. There's also a page with detailed technical notes on the hack, and a list of links to other sites where it's being discussed. Plus t-shirts, of course.

Thursday, October 13th, 2005
7 comments

Comment from samual , 1 day later

For a technical description of XSS viruses you should check out http://www.bindshell.net/papers/xssv.html

Comment from Paul Bissex , 3 days later

Very interesting, thanks. Before reading the details on the bindshell site I hadn't realized the role that lax parsing on the browser side played in all this. To absolutely sanitize user input against this kind of thing, you can't just remove well-formed code that's dangerous, you have to know about badly-formed code that will still work in some browsers (i.e. IE, aieee).
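The point made in the comment above, that stripping only well-formed dangerous markup leaves you guessing at what each browser's parser will still accept, is illustrated by this added example (not code from the post or from MySpace). It contrasts a naive blocklist sanitizer with plain output escaping, using constructed sample profile texts; the sample strings and function names are assumptions for the demo.

```python
import html
import re

# Constructed sample profile texts (not from the page): benign text, one
# exact-case script tag, and two perfectly valid spellings of the same tag
# that a blocklist written against the exact form will miss.
SAMPLES = {
    "benign": "I love <b>dogs</b> & cats",
    "exact": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
    "extra_space": "<script >alert(1)</script >",
}

# Naive blocklist: remove only the exact lowercase <script> / </script>.
SCRIPT_TAG = re.compile(r"</?script>")


def blocklist_strip(text: str) -> str:
    """Remove well-formed <script> tags; every other form passes through."""
    return SCRIPT_TAG.sub("", text)


def escape_for_html_body(text: str) -> str:
    """Output encoding for an HTML text node: the user's text can no longer
    open or close any tag, so the browser parser's leniency is irrelevant."""
    return html.escape(text, quote=True)


def contains_markup(text: str) -> bool:
    """True if raw tag delimiters survive, i.e. the browser may see a tag."""
    return "<" in text or ">" in text


def compare(samples=SAMPLES) -> dict:
    """Per sample: does each defence still hand raw markup to the browser?"""
    report = {}
    for name, raw in samples.items():
        report[name] = {
            "blocklist_leaves_markup": contains_markup(blocklist_strip(raw)),
            "escape_leaves_markup": contains_markup(escape_for_html_body(raw)),
        }
    return report


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} {result}")
```

The blocklist has to model every variant every browser will run; escaping on output needs no such model, which is why it is the default mitigation for stored XSS of the kind described in the post.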

Comment from anon1 , 3 days later

There is no "Level 3". In fact, there are no levels. Read the Wikipedia entry a bit more carefully, and you'll see this fits Type 2 to a T. The profiles were stored on the server.

Try not to speculate on things that you have no idea about.

God I hate bloggers

Comment from Paul Bissex , 3 days later

"anon1" -- my mistake on the terminology, you're correct and I'll fix that in the post. As for my suggestion for a third type: Type 2 describes a situation where code is injected, and redisplayed. But if samy's code stopped there, it wouldn't have been a worm and we wouldn't be talking about it. His code went one more step -- it reinjected itself upon each client-side viewing. That's why I'm suggesting it's a new type.

Comment from Tommy! , 13 weeks later

Proxify Has Viruses too

Comment from t , 25 weeks later

Can you tell me how to get this worm to make me more popular?

Comment from Sandy , 23 months later

I like MySpace a lot, but I really don't like the IM client. Instead I use the eBuddy client at www.ebuddy.com. It's very easy to use, everywhere available and you can even use different chats (like MSN, AOL, Yahoo, AIM, MySpace etc). Also on your mobile :) Highly recommended!
