XSS worm hits Myspace.com
Published: 2005-10-19

A self-propagating cross-site scripting (XSS) worm affected a million profiles on Myspace.com earlier this month, and security experts are concerned this could be the start of a new trend.

The process began when a Myspace.com user going by the name "Samy" placed JavaScript code in his profile. When another Myspace.com user viewed Samy's profile, the code issued a background request (via Ajax) that added Samy to that user's friend list, bypassing the usual approval step. The next step made the code self-replicating: the script parsed out its own executing code and copied it into the viewing user's profile, so the process repeated the next time the newly infected profile was viewed, according to an interview with Samy on Google Blogoscoped.

The spread of the virus is limited to the Web site itself, and it can essentially create a denial-of-service attack because of the exponential growth of the attacker's friends list, Adam Biviano, a senior systems engineer at Trend Micro Australia, told ZDNet News.

Although this worm poses no risk to other sites, site administrators would be wise to keep a close eye on potential XSS vectors in user-supplied content, as the threat from worms that spread through community sites is only increasing.
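The mechanism described above (a stored script that adds its author as a friend and copies itself into each viewer's profile) and the exponential growth Biviano points to, as an added example that is not from the article, from Myspace.com, or from Samy's actual payload: a constructed toy site in JavaScript, runnable under Node, with the vulnerable rendering path beside the output-encoding fix. `makeSite`, `renderVulnerable`, `renderHardened` and `simulate` are hypothetical names, and the stored payload is a constructed stand-in for the real worm, not a reproduction of it.

```javascript
'use strict';

// Constructed toy "site": profiles are HTML strings and friend lists are Sets.
// Nothing here is Myspace.com code; it only models the behaviour the article
// describes (a stored script that runs in each viewer's session).
function makeSite(userCount) {
  const profiles = new Map();
  const friends = new Map();
  for (let id = 1; id <= userCount; id++) {
    profiles.set(id, `<p>hello from user ${id}</p>`);
    friends.set(id, new Set());
  }
  return {
    getProfile: (id) => profiles.get(id),
    setProfile: (id, html) => profiles.set(id, html),
    // No approval step: the viewer's session can add anyone it is told to.
    addFriend: (viewer, target) => { if (viewer !== target) friends.get(viewer).add(target); },
    // How many other users list `id` as a friend (the attacker's friends-list growth).
    followerCount: (id) => [...friends.values()].filter((s) => s.has(id)).length,
  };
}

// The worm as stored in the author's profile (author id 1 is hard-coded, as a
// stored payload would be). `self` stands in for document.currentScript.outerHTML:
// the running script re-reads its own markup and appends it to the viewer's profile.
const WORM = '<script>' +
  'site.addFriend(viewer, 1);' +
  'site.setProfile(viewer, site.getProfile(viewer) + self);' +
  '</script>';

const SCRIPT_RE = /<script>([\s\S]*?)<\/script>/gi;

// Vulnerable rendering: stored profile HTML is emitted unescaped, so any script
// inside it runs with the viewing user's privileges (here: access to `site` and `viewer`).
function renderVulnerable(site, viewer, profileOwner) {
  const html = site.getProfile(profileOwner);
  for (const m of html.matchAll(SCRIPT_RE)) {
    new Function('site', 'viewer', 'self', m[1])(site, viewer, m[0]);
  }
  return html;
}

// Hardened rendering: HTML-encode user-supplied content at output time, so the
// browser shows it as text and never parses it as markup or script.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(site, viewer, profileOwner) {
  return escapeHtml(site.getProfile(profileOwner)); // nothing executes
}

// Spread model: user 1 plants the worm; each round, every infected profile is
// viewed by one not-yet-infected user. Returns the infected count after each
// round and how many users ended up with user 1 on their friend list.
function simulate(render, userCount, rounds) {
  const site = makeSite(userCount);
  site.setProfile(1, site.getProfile(1) + WORM);
  const carriesWorm = (id) => site.getProfile(id).includes(WORM);
  let infected = [1];
  let nextViewer = 2;
  const history = [];
  for (let r = 0; r < rounds; r++) {
    const newlyInfected = [];
    for (const owner of infected) {
      if (nextViewer > userCount) break;
      const viewer = nextViewer++;
      render(site, viewer, owner);
      if (carriesWorm(viewer)) newlyInfected.push(viewer);
    }
    infected = infected.concat(newlyInfected);
    history.push(infected.length);
  }
  return { history, infected: infected.length, attackerFollowers: site.followerCount(1) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', simulate(renderVulnerable, 100, 5));
  console.log('hardened:  ', simulate(renderHardened, 100, 5));
}
```

Run with `node` to see the infected count double every round on the vulnerable renderer (2, 4, 8, 16, 32 over five rounds, with the attacker's follower count one behind), while the hardened renderer leaves it flat at 1. Output encoding is one layer; the other is not letting a background request add a friend without the approval step, which the toy site deliberately omits to mirror the behaviour the article describes.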

Posted by: Peter Laborge
Copyright 2009, SecurityFocus