Samy is my hero

This story has been getting quite a bit of press over the last few days, especially in the web development, PHP and security communities. Basically, some guy managed to write a “worm” in Javascript for the MySpace website. Using weaknesses in the handling of Javascript by some browsers, such as Internet Explorer, and technologies such as XmlHttpRequest, the worm made anyone who viewed his profile automatically add him to their friends list. Additionally, the script, or “worm”, would also add itself to that user’s profile page and so replicate itself.

The worm replicated exponentially, and it took about 5 hours to get 1,000,000 friends. There is a technical explanation of the worm on the website and an interview with the worm author at Google Blogoscoped. Quite an interesting and quite funny account of the events. It’s quite a useful read if you develop web applications too. The SafeHTML library which I use to validate all my HTML input seems to be immune 🙂. If anything, this worm shows that XSS is something that needs to be taken seriously.
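The point about validating user-supplied HTML is worth showing in code. The following is an added example written for this post, not the SafeHTML library nor anything from the worm's author: a small allow-list sanitiser built on Python's standard-library `html.parser`. It keeps only a short list of harmless tags and attributes, throws away `<script>`/`<style>` content entirely, drops every attribute not on the allow-list (which removes all `on*` event handlers), and checks the scheme of `href`/`src` values after stripping control characters, so that a scheme written with whitespace in it is still rejected. The tag and scheme lists are assumptions chosen for the example; a real profile page would tune them to what it needs.

```python
"""Allow-list HTML sanitiser (added example; not the SafeHTML library)."""
from html.parser import HTMLParser
from html import escape
import re

# Assumed policy for the example: a minimal set of formatting tags.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its contents are discarded

_CTRL = re.compile(r"[\x00-\x20\x7f]")  # whitespace and control characters


def url_is_safe(value):
    """Accept relative URLs and absolute URLs whose scheme is on the allow-list."""
    # Remove whitespace/control chars first so the scheme is compared as the
    # browser would effectively see it; then lower-case for the comparison.
    cleaned = _CTRL.sub("", value).lower()
    first_segment = cleaned.split("/", 1)[0]
    if ":" not in first_segment:
        return True  # no scheme at all: a relative URL
    return first_segment.split(":", 1)[0] in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, and anything unexpected
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # unsafe scheme: drop just this attribute
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def handle_comment(self, data):
        pass  # comments are never needed in profile HTML; drop them


def sanitize(html):
    """Return a re-serialised version of `html` containing only allowed markup."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input: formatting worth keeping mixed with script content.
    sample = '<b>Hello</b> <script>alert(1)</script><a href="http://example.com" onclick="x">site</a>'
    print(sanitize(sample))
```

The design choice that matters is that the output is regenerated from the parsed tree rather than produced by deleting patterns from the input string: anything the parser did not positively recognise and approve simply never reaches the output, which is what makes an allow-list robust against markup the author did not think of.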

