初のAjaxワームといわれたsamyのページ。
おれって有名、というタイトル、samyがヒーローTシャツ、と浮かれている。
I'm Popular
I'll never get caught. I'm Popular., 10/04/05, -samy
(technical explanation and actual code here)
クロスサイトスクリプティングでMySpace内を大増殖した。
以下、経緯とコードの詳細説明。
タグや引用符がブロックされてしまうため、eval関数の利用、エンコーディング、キーワードの分割、などを使ってスクリプトをすり抜けさせた手口が詳しく説明されている。
例えば、eval('xmlhttp.onread' + 'ystatechange = callback')
--------------------------------------------------------------------------------
Press:
'samy is my hero' T-Shirts (I didn't make these)
more 'samy is my hero' t-shirts (didn't make these, either)
Slashdot | Cross-Site Scripting Worm Floods MySpace
Google Blogoscoped | Samy, Their Hero (interview)
BetaNews | Cross-Site Scripting Worm Hits MySpace (interview)
The Guardian | Ajax prepares for battle on the dark side
ZDNet | Samy opens new front in worm war
digg.com | Geek goes popular on Myspace
DownloadSquad | Top 10 Web Moments of 2005
WebProNews | When In Hacker Doubt, Have A Burrito
News.com | Samy opens new front in worm war
ZDNet Au | Web sites threatened by Samy worm
The Register | Web 2.0 worm downs MySpace
ComputerWorld | Teen uses worm to boost ratings on MySpace.com
WebProNews | The Web 2.0 MySpace Friend-Generating Worm
OuterCourt | How to Make 1 Million Friends on MySpace
RealTechNews | Hacker Makes Himself the Most Popular Person On MySpace
TechSpot | Teenager uses a Worm to promote a Site
The Age | Murdoch's MySpace knocked off the web
PC World | Teen Uses Worm to Promote Site
E-Scribe News | The MySpace Worm
LiveJournal | samy is my hero
Sophos | JS.Spacehero Worm Definition
Update 11/02/05: Today I learned that the same time my account got removed, so did "embed"s from people's profiles. That means no more music and movies playing when you view people's profiles.
New: Oh, and all the groups started by others and relating to this story have been deleted.
Update 11/01/05: My new account has been deleted/removed somehow. Oh well.
Update 10/19/05: No word from MySpace. But, a new profile has risen...and I promise there's no worm in it.
http://www.myspace.com/33934660
--------------------------------------------------------------------------------
A few months back, I decided to make a permanent myspace account so that I could easily view pictures of random, hot girls whenever I please without creating a new account each time. I also had a number of friends on there and figured I would see what all the hype was about. Myspace is a site for keeping up with friends, meeting new people, and even getting laid (sorry ladies, I'm taken.) It allows you to set up a profile/web page with a limited ability to make it look and feel how you wanted. Too limiting. I couldn't even fit a good line into my "headline" without taking words out and sounding like G.W.B. trying to respond to an arbitrary question. Hell, I couldn't even fit more than 12 glamour shots on my photos page. Like an illegal alien with a plan, I ventured to evade these limiting borders.
I began to examine the site some more, seeing how they restrict things, what they restrict, taking some breaks to look at profiles of really hot girls, trying to add them as friends and getting rejected, and getting back to making my profile cool so that they would add me as a friend later. Chicks dig cool profiles. After a little bit of messing around, I found that I could put in a longer headline than what they allowed. Hell, I could even get around their other restrictions and get HTML in there in order to add cool "effects" to my page that other people can't add. Yeah, that will get me chicks. Girls want guys who have computer hacking skills.
Let's see here...what would make my profile rock. Well, the most popular profiles on myspace pretty much consist of people with the IQ and English delivery skills of Kanye West so I don't want to mimic those, but popularity begets popularity. I need some more friends. I need people to love me. I delved into the bug and found that I could basically control the web browsing of anyone who hit my profile. In fact, I was able to develop something that caused anyone who viewed my profile to add my name to their profile's list of heroes. It's villainous. I was ecstatic.
But it wasn't enough. I needed more. So I went deeper. A Chipotle burrito bol and a few clicks later, anyone who viewed my profile who wasn't already on my friends list would inadvertently add me as a friend. Without their permission. I had conquered myspace. Veni, vidi, vici.
But it wasn't enough.
If I can become their friend...if I can become their hero...then why can't their friends become my friend...my hero. I can propagate the program to their profile, can't I. If someone views my profile and gets this program added to their profile, that means anyone who views THEIR profile also adds me as a friend and hero, and then anyone who hits THOSE people's profiles add me as a friend and hero... So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends. And after that, well, that's when things get difficult. The math, I mean.
Some people would call this a worm. I call it popularity. Regardless, I don't care about popularity, but it can't hurt, right?
