Wednesday, October 19th, 2005

Samy uses Ajax techniques to bring down myspace.com

Category: Editorial

I didn’t know whether to give Samy, Their Hero any more fame, but figured it was elsewhere.

If you hadn’t heard, a chap used JavaScript in a hack that set off a worm on myspace.com.

In this interview, Samy talks about how he did it:

The hole was actually not in MySpace. To MySpace’s defense, they did a
great job of blocking malicious code, JavaScript, etc. The reason I was
still able to get JavaScript past their filters is by using browsers’
leniencies. With a little finagling, I could get JavaScript to execute
on some browsers, even though the actual code wasn’t valid. It was the
browsers that mistakenly executed JavaScript when they shouldn’t have.

The basic approach was this:

  1. The code was first placed in my profile. Once anyone viewed my
    profile, they would unknowingly execute the code.
  2. Upon executing the code, it would add me as one of their friends.
    This normally requires their approval, but this was all done in the
    background via Ajax. It required multiple GETs and POSTs in order to obtain all the
    information necessary, such as random hashes, to approve the friend request.
  3. It would additionally GET their own profile, grab their list of
    heroes if they had any in their profile, and append me as a hero.
    Specifically, it would append “but most of all, samy is my hero.”
  4. The most important step is then having the code reproduce itself.
    It would grab the content of the profile they’re viewing, parse out the actual
    code that was being executed, and then append that to the heroes as well.
  5. The whole process starts over any time anyone views the newly infected
    user’s profile.

There were several complexities I had to overcome since MySpace does
a great job of stripping out JavaScript, necessary quotes, Ajax functions,
etc. The code had to be written in such an obfuscated manner to actually get past
their filters, including getting it to propagate past MySpace’s own
HTML-rewriting that occurs. A more detailed explanation of the
hurdles is available.

Oh man, now we will have to face all of the “Ajax is evil, it creates worms” crud :/

Yes. Don’t let people run any old JavaScript. Make sure you can’t bypass security through extra requests, etc.

Posted by Dion Almaer at 12:17 pm

6 Comments »


Friends don’t let friends run IE. IE has so many holes in where it will allow Javascript you basically can’t let people run any html without being in danger. (This includes places you might not think about, such as rss aggregators.) Check out http://ha.ckers.org/xss.html for the full scary list.

(still seeing this weird cursor ahead of where you type thing on firefox osx :/ )

Comment by Alex Bosworth — October 19, 2005

gotta luv myspace, it’s a complete negation of everything these listapart etc design weenies cling to. it’s the absolute most butt-ugly, usability-challenged morass, yet it netted $400 million. meanwhile particletree is trying to sell me pdfs of interviews with other design weenies for $15 a year.

Comment by grumpY! — October 19, 2005

I thought the whole thing was actually pretty entertaining. I don’t see Ajax getting blamed for this, as there is more than one way he could have gotten this to work.

Alex, I’m not sure that it was IE-only (it uses document.all, but FF supports that now).

Comment by David — October 19, 2005

Does Firefox have the bug where you can put javascript in style? It wouldn’t surprise me, but I didn’t know that it did.

If you read about all the xss attack vectors that are out there, I wouldn’t be surprised if even this comment system were vulnerable.

The really big deal with the myspace style attack is that on IE once you can run arbitrary script you can do a lot more than just put ‘alex is my hero’ on other people’s user pages, especially if they are not up to date with their browser.

Comment by Alex Bosworth — October 19, 2005

It’s essentially a javascript injection attack. javascript isn’t stripped by MySpace’s filter.
The AJAX aspect is of little practical importance imo, although it’s cool and geeky (self-replicating), but you could as well use the javascript to steal the users’ cookies and credentials…

Comment by Julien Couvreur — October 19, 2005

In the previous comment, I meant “java-newline-script”, but the brackets got stripped when I posted the comment.

Comment by Julien Couvreur — October 19, 2005
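The filter gap discussed above (a token check that misses “java-newline-script” because lenient parsers still read it as a script URL) can be shown from the defender’s side. This is an added example, not code from the post, the interview or MySpace; `naiveBlocklist`, `isSafeUrl`, `BASE` and the sample values are hypothetical, and it uses the modern WHATWG `URL` parser available in Node.js and browsers.

```javascript
// Added illustration; not MySpace's filter and not code from the interview.
// All names and sample values below are hypothetical / constructed.
const BASE = "https://profiles.example.invalid/"; // assumed site origin

// Blocklist style: reject only when the raw text contains a known-bad token.
function naiveBlocklist(value) {
  return !/javascript:/i.test(value);
}

// Allowlist style: parse the value the way a URL parser does (WHATWG URL
// drops tabs/newlines and leading control characters, lowercases the scheme),
// then accept only schemes that are explicitly allowed.
const ALLOWED = new Set(["http:", "https:"]);
function isSafeUrl(value) {
  try {
    return ALLOWED.has(new URL(value, BASE).protocol);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
}

// Constructed sample attribute values a profile editor might receive.
const SAMPLES = [
  "https://example.com/pic.png",
  "/photos/1.png",
  "java\nscript:void(0)",
  "  JAVA\tSCRIPT:void(0)",
  "data:text/html,x",
];

// Compare both checks side by side for each sample.
function audit(samples) {
  return samples.map((v) => ({
    value: JSON.stringify(v),
    blocklist: naiveBlocklist(v),
    allowlist: isSafeUrl(v),
  }));
}

console.table(audit(SAMPLES));
```

The blocklist accepts every sample, while the allowlist accepts only the first two; the difference comes from checking the parsed scheme rather than the raw text.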
