Teen uses worm to boost ratings on MySpace.com
It did little damage but could point to broader vulnerabilities, says a security expert
Computerworld - Using a self-propagating worm that exploits a scripting vulnerability common to most dynamic Web sites, a Los Angeles teenager made himself the most popular member of community Web site MySpace.com earlier this month. While the attack caused little damage, the technique could be used to destroy Web site data or steal private information -- even from enterprise users behind protected networks, according to an security services firm.
The unknown 19-year-old, who used the name "Samy," put a small bit of code in his user profile on MySpace, a 32-million-member site, most of whom are under age 30. Whenever Samy's profile was viewed, the code was executed in the background, adding Samy to the viewer's list of friends and writing at the bottom of their profile, "... and Samy is my hero."
"This is an attack on the users of the Web site, using the Web site itself," said Jeremiah Grossman, chief technical officer at Santa Clara, Calif.-based WhiteHat Security Inc.
The worm spread by copying itself into each user's profile. Because of MySpace's popularity -- it had 9.5 billion page views in September, making it the fourth most popular site on the Web, according to comScore Media Metrix -- the worm spread quickly. On his Web site http://namb.la/popular/, Samy wrote that he released the worm just after midnight on Oct. 4. Thirteen hours later, he had added more than 2,500 "friends" and received another 6,400 automated requests to become friends from other users.
"It didn't take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly," Samy said in an e-mail interview posted Friday at Google Blogoscoped. "When I saw 200 friend requests after the first 8 hours, I was surprised. After 2,000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn't sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000."
Samy also received hundreds of messages from angry MySpace users. He wasn't contacted by officials from Los Angeles-based MySpace, though his account was deleted. MySpace was purchased in July by Rupert Murdoch's News Corp. for $580 million. MySpace didn't return requests to comment.
The attack depended on a long-known but little-protected vulnerability called cross-site scripting (XSS). XSS arises because many Web sites -- apart from static sites that use only simple HTML code -- are dynamic, allowing users to manipulate Web site source
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts