The MySpace worm

Via Rafe I learned of an astounding JavaScript hack done by a MySpace user. Excerpts from the summary, allegedly written by the creator:

…anyone who viewed my profile who wasn’t already on my friends list would inadvertently add me as a friend. Without their permission.

8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I’m surprised it even worked. 200 people have been infected in 8 hours. That means I’ll have 600 new friends added every day. Woah.

9:30 am: You have 74 friends and 480 friend requests. Oh wait, it’s exponential, isn’t it. Shit.

7:05 pm: A friend tells me that they can’t see their profile. Or anyone else’s profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize.

Funny, but scary too. So it goes with such worms. A clever idea goes terribly wrong and has consequences thousands of times more extensive than the creator imagined.

The Ajaxy bits of Web 2.0 that bring us an increase in client-side power also open up new vistas of malware. A post on Google Blogoscoped (which calls the worm “truly Web 2.0”) links to an example of the exploit code; reading that code really makes it sink in. A JavaScript one-liner brought down one of the most popular sites on the web. (Also see comments here that clarify some of the technical details.)

Cross-site scripting (XSS) is now about a hell of a lot more than misleading alert boxes or tricky links. The Wikipedia article on XSS divides exploits into Level Type 0, Level Type 1, and Level Type 2. The description of Level Type 2 (the most severe) notes that it involves script code stored on the server (as in this case), but says that the attacker “may not need to use the web application itself to exploit such a hole.”

I’d say we now have a new type – Level Type 3 – in which the web application is an integral part of the exploit.

Update: The summary page above (which is actually just a framed wrapper for this page) has been partially rewritten. The third-person preamble which spoke of the perpetrator as an “acquaintance” is gone; now it’s all in the first person. There’s also a page with detailed technical notes on the hack, and a list of links to other sites where it’s being discussed. Plus t-shirts, of course.


samual commented on Sat Oct 15 05:22:02 2005:

for a technical description on XSS viruses you should check out http://www.bindshell.net/papers/xssv.html


Paul Bissex commented on Sun Oct 16 20:07:51 2005:

Very interesting, thanks. Before reading the details on the bindshell site I hadn’t realized the role that lax parsing on the browser side played in all this. To absolutely sanitize user input against this kind of thing, you can’t just remove well-formed code that’s dangerous, you have to know about badly-formed code that will still work in some browsers (i.e. IE, aieee).
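
The point above about malformed markup, as an added example (not part of the original post or comments): a blocklist that strips only well-formed script elements is compared with escaping at output time, over constructed profile strings. The function names and sample strings are assumptions made for illustration.

```javascript
// Added illustration: blocklist stripping vs. escaping at output time for
// stored profile text. All names and sample strings are constructed.

// Naive blocklist: removes only well-formed, lowercase <script>...</script> pairs.
function stripWellFormed(input) {
  return input.replace(/<script>[\s\S]*?<\/script>/g, "");
}

// Escape-on-output: every HTML metacharacter becomes an entity, so a lenient
// browser parser never sees markup in user-supplied text, well-formed or not.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string still contains a raw <, >, or quote character,
// i.e. something a browser could treat as a tag or attribute boundary.
function containsMarkup(s) {
  return /[<>"']/.test(s);
}

// Constructed profile fields: one well-formed, the rest in shapes the blocklist
// was not written for.
const samples = [
  "<script>f()</script>",              // well-formed: the blocklist removes it
  "<SCRIPT>f()</SCRIPT>",              // different case
  "<script >f()</script >",            // extra whitespace inside the tags
  "<script>f()",                       // never closed
  "<div onmouseover=\"f()\">hi</div>", // no script element at all
];

// For each sample, record whether raw markup survives each treatment.
function audit(list) {
  return list.map((raw) => ({
    raw,
    blocklistLeavesMarkup: containsMarkup(stripWellFormed(raw)),
    escapeLeavesMarkup: containsMarkup(escapeHtml(raw)),
  }));
}

for (const row of audit(samples)) {
  console.log(JSON.stringify(row));
}
```

Only the first sample is neutralized by the blocklist; escaping leaves no raw markup in any of them, which is why encoding at output is the safer default for text that is stored and redisplayed.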


anon1 commented on Sun Oct 16 22:35:15 2005:

there is no “Level 3”..in fact there are no levels. Read the wikipedia entry a bit more carefully, and you’ll see this fits Type 2 to a T. The profiles were stored on the server.

Try not to speculate on things that you have no idea about.

God I hate bloggers


Paul Bissex commented on Sun Oct 16 23:01:49 2005:

“anon1” – my mistake on the terminology, you’re correct and I’ll fix that in the post. As for my suggestion for a third type: Type 2 describes a situation where code is injected, and redisplayed. But if samy’s code stopped there, it wouldn’t have been a worm and we wouldn’t be talking about it. His code went one more step – it reinjected itself upon each client-side viewing. That’s why I’m suggesting it’s a new type.


Tommy! commented on Mon Jan 16 08:24:49 2006:

Proxify Has Viruses too


t commented on Tue Apr 11 05:25:43 2006:

cn u tell me how to get this worm to make me more popular?


Sandy commented on Wed Sep 19 10:09:19 2007:

I like MySpace a lot, but I really don’t like the IM client. Instead I use the eBuddy client at www.ebuddy.com. It’s very easy to use, everywhere available and you can even use different chats (like MSN, AOL, Yahoo, AIM, MySpace etc). Also on your mobile :) Highly recommended!


