My name is Paul Bissex, and e-scribe.com is my consulting business. I build web applications using as much open source software as possible. From September to June I teach web design and other important non-photographic professional skills to photographers. In the '90s I wrote technology commentary and reviews for magazines, newspapers, and web publications, including Wired, Salon.com, FamilyPC, the late lamented Web Review, and the Chicago Tribune. Feel free to email me.
I'm co-author of "Python Web Development with Django", an excellent guide to my favorite web framework. Its strong points include an introduction to Python, and better coverage of Django 1.0 than nearly anybody else. Published by Addison-Wesley, it is available from Amazon and your favorite technical bookstore as well.
This runs on Django, served by Apache and mod_python. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive. The markup engine is Markdown.
Akismet, del.icio.us, Django, dpaste.com, Emacs, FreeBSD, Freenode, jQuery, LaunchBar, MacPorts, Markdown, Mercurial, OS X, Postfix, Python, SQLite, Subversion, TextMate, Trac, Ubuntu Linux, wmii
Via Rafe I learned of an astounding Javascript hack done by a MySpace user. Excerpts from the summary, allegedly written by the creator:
...anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission.
8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.
7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize.
Funny, but scary too. So it goes with such worms. A clever idea goes terribly wrong and has consequences thousands of times more extensive than the creator imagined.
The Ajaxy bits of Web 2.0 that bring us an increase in client-side power also open up new vistas of malware. A post on Google Blogoscoped (which calls the worm "truly Web 2.0") links to an example of the exploit code; reading that code really makes it sink in. A single block of Javascript, injected into one profile page, brought down one of the most popular sites on the web. (Also see comments here that clarify some of the technical details.)
Cross-site scripting (XSS) is now about a hell of a lot more than misleading alert boxes or tricky links. The Wikipedia article on XSS divides exploits into Type 0 (DOM-based), Type 1 (non-persistent, or reflected), and Type 2 (persistent, or stored). The description of Type 2 (the most severe) notes that it involves script code stored on the server (as in this case), but says that the attacker "may not need to use the web application itself to exploit such a hole."
I'd say we now have a new type -- Type 3 -- in which the web application is an integral part of the exploit: rather than merely executing when a stored profile is viewed, the injected script uses the site's own features to add its author as a friend and to write a copy of itself into the viewer's profile, so every view both runs the payload and plants it somewhere new.
Update: The summary page above (which is actually just a framed wrapper for this page) has been partially rewritten. The third-person preamble which spoke of the perpetrator as an "acquaintance" is gone; now it's all in the first person. There's also a page with detailed technical notes on the hack, and a list of links to other sites where it's being discussed. Plus t-shirts, of course.
Very interesting, thanks. Before reading the details on the bindshell site I hadn't realized the role that lax parsing on the browser side played in all this. To absolutely sanitize user input against this kind of thing, you can't just remove well-formed code that's dangerous, you have to know about badly-formed code that will still work in some browsers (i.e. IE, aieee).
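An added example, illustrating both the stored-profile case discussed in the post and the lax-parsing point in the comment above. It is not code from the post, from the worm, or from MySpace: the blacklist filter, the sample payloads, the two profile renderers and the simplified "lax browser" parser are all constructed here for illustration. It shows the blacklist failing twice over (a well-formed vector the list does not know about, and a deliberately malformed one the filter cannot see but a forgiving parser will run) and output encoding failing neither way.

```javascript
// Added example (not from the original post, the worm, or MySpace): the
// filter, the payloads, the renderers and the "lax browser" model below are
// all constructed for illustration.

// The kind of blacklist the comment is warning about: it strips well-formed
// <script> blocks and the literal "javascript:" scheme on the way in.
function naiveBlacklist(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// Output encoding: turn stored text into inert character data at render time.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy model of a forgiving browser parser (an assumption, not a real engine):
// it tokenises tags, inspects each attribute, and when reading a URL scheme it
// ignores whitespace. That leniency is what lets a broken-up "java\nscript:"
// run even though a filter looking for the literal string never sees it.
function findExecutableContent(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (name === "script") findings.push("script element");
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = [attr[2], attr[3], attr[4]].find((v) => v !== undefined) || "";
      if (attrName.startsWith("on")) findings.push(`${attrName} handler on <${name}>`);
      const scheme = value.replace(/\s+/g, "").toLowerCase();   // lax: drop whitespace
      if (scheme.startsWith("javascript:")) findings.push(`javascript: URL in ${attrName} of <${name}>`);
      if (attrName === "style" && /expression\s*\(/i.test(value)) findings.push(`CSS expression() in style of <${name}>`);
    }
  }
  return findings;
}

// Constructed payloads, one for each way the blacklist fails.
const PAYLOADS = {
  // Well-formed markup that is simply not on the list.
  eventHandler: '<img src="x" onerror="alert(document.cookie)">',
  // Deliberately malformed: the literal "javascript:" never appears, so the
  // filter leaves it alone, but a whitespace-tolerant parser runs it.
  splitScheme: '<a href="java\nscript:alert(1)">about me</a>',
};

// Pipeline A (the bad idea): filter on the way in, echo raw on the way out.
function renderFiltered(storedText) {
  return `<div class="about">${naiveBlacklist(storedText)}</div>`;
}

// Pipeline B: store as typed, encode on the way out. Nothing the user wrote
// can become a tag or attribute, so the parser's leniency never comes into play.
function renderEscaped(storedText) {
  return `<div class="about">${escapeHtml(storedText)}</div>`;
}

// What the toy browser would execute under each pipeline, for each payload.
function compare() {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    result[name] = {
      filtered: findExecutableContent(renderFiltered(payload)),
      escaped: findExecutableContent(renderEscaped(payload)),
    };
  }
  return result;
}

console.log(JSON.stringify(compare(), null, 2));
```

Run it with node. `findExecutableContent` is not a real parser; it only models the asymmetry the comment describes: an input filter has to anticipate every way a browser might repair broken markup, whereas encoding on output gives the browser no markup to repair. In a Django app the equivalent is leaving template autoescaping on and never marking stored user content as safe.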
There is no "Level 3". In fact there are no levels. Read the Wikipedia entry a bit more carefully, and you'll see this fits Type 2 to a T. The profiles were stored on the server.
Try not to speculate on things that you have no idea about.
God I hate bloggers
"anon1" -- my mistake on the terminology, you're correct and I'll fix that in the post. As for my suggestion for a third type: Type 2 describes a situation where code is injected and redisplayed. But if Samy's code stopped there, it wouldn't have been a worm and we wouldn't be talking about it. His code went one more step -- it reinjected itself upon each client-side viewing. That's why I'm suggesting it's a new type.
Copyright 2009 by Paul Bissex and E-Scribe New Media
For a technical description of XSS viruses you should check out http://www.bindshell.net/papers/xssv.html