Using a self-propagating worm that exploits a scripting vulnerability common to most dynamic Web sites, a Los Angeles teenager made himself the most popular member of community Web site MySpace.com earlier this month. While the attack caused little damage, the technique could be used to destroy Web site data or steal private information — even from enterprise users behind protected networks, according to an Internet security firm.

The unknown 19-year-old, who used the name “Samy,” put a small bit of code in his user profile on MySpace, a 32-million member site, most of whom are under age 30. Whenever Samy’s profile was viewed, the code was executed in the background, adding Samy to the viewer’s list of friends and writing at the bottom of their profile, “… and Samy is my hero.”

“This is an attack on the users of the Web site, using the Web site itself,” said Jeremiah Grossman, chief technical officer at Santa Clara, Calif.-based WhiteHat Security Inc.

The worm spread by copying itself into each user’s profile. Because of MySpace’s popularity — it had 9.5 billion page views in September, making it the fourth most-popular site on the Web, according to comScore Media Metrix — the worm spread quickly. On his Web site http://namb.la/popular/, Samy wrote that he released the worm just after midnight on Oct. 4. Thirteen hours later, he had added more than 2,500 “friends” and received another 6,400 automated requests to become friends from other users.

“It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly,” Samy said in an e-mail interview posted Friday at Google Blogoscoped. “When I saw 200 friend requests after the first 8 hours, I was surprised. After 2,000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”

Samy also received hundreds of messages from angry MySpace users. He wasn’t contacted by officials from Los Angeles-based MySpace, though his account was deleted. MySpace was purchased in July by Rupert Murdoch’s News Corp. for US$580 million. MySpace didn’t return requests to comment.

The attack depended on a long-known but little-protected vulnerability called cross-site scripting (XSS). XSS arises because many Web sites — apart from static sites that use only simple HTML code — are dynamic, allowing users to manipulate Web site source code.

Web sites and Web browsers such as Internet Explorer and Firefox try to block such XSS holes, said Grossman. But the vulnerabilities continue to exist, for which he blames both the browser creators and the Web site operators.

Standard enterprise network security tools such as firewalls, antivirus and Secure Sockets Layer don’t thwart XSS and other Web application attacks because the affected user is already behind his firewall, said Grossman, whose 14-person firm consults businesses on how to prevent such attacks.

“The network is pretty locked down. But all of the new attacks are targeting where nobody is looking — the Web application layer,” he said.

Other Web application-layer break-ins include a case earlier this year where more than a hundred applicants to Harvard Business School got an early peek into their admission files by simply modifying the URL typed into their browser address box. In a more serious phishing attack last year, someone injected code into SunTrust Banks Inc.’s Web site designed to send e-mails from SunTrust’s Web site asking account holders for account details.

An early version of an XSS-related vulnerability was discovered in Hotmail in 2001. That flaw allowed an attacker to send an e-mail with malformed HTML code to a Hotmail user, whose browser would interpret the broken commands as legitimate script that would tell the Web site to steal the user’s private information.
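The common thread in the MySpace and Hotmail cases above is a site that stores text supplied by one user and later sends it back, unencoded, to other users’ browsers, where the browser treats it as markup and script rather than as data. The following is an added example, not code from the article, from MySpace or from WhiteHat Security: it contrasts a naive profile renderer with one that encodes untrusted fields for the HTML context they land in and refuses non-http(s) links. The `renderProfile*` functions, the `safeUrl` and `containsActiveContent` helpers and the sample profile objects are constructed for illustration and are assumptions of this example.

```javascript
// Added example (not the article's or MySpace's code): a stored-XSS sink beside its hardened form.

// Encode text for placement between tags or inside a double-quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs are allowed in link targets; anything else collapses to "#".
function safeUrl(candidate) {
  try {
    const u = new URL(String(candidate));
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not parseable as an absolute URL
  }
  return "#";
}

// Vulnerable: stored profile text is concatenated straight into the page markup,
// so whatever the author wrote becomes part of the viewer's page.
function renderProfileUnsafe(profile) {
  return `<div class="about">${profile.about}</div>` +
         `<a href="${profile.homepage}">home</a>`;
}

// Hardened: each untrusted value is encoded for its context (text node, attribute)
// and the URL-valued field is validated before it is placed in an href.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>` +
         `<a href="${escapeHtml(safeUrl(profile.homepage))}">home</a>`;
}

// Crude review-time check on rendered markup: a raw <script> start tag, an inline
// on*= handler attribute, or a javascript: URL means untrusted input reached the page
// un-encoded. It is a smoke test for this example, not a substitute for encoding.
const RAW_ACTIVE_CONTENT = /<script\b|\son\w+\s*=|javascript:/i;
function containsActiveContent(html) {
  return RAW_ACTIVE_CONTENT.test(html);
}

// Constructed sample profiles (assumption: the shape of a profile record).
const benignProfile = {
  about: "Hi, I like music & movies",
  homepage: "https://example.com/",
};
const hostileProfile = {
  about: '<script>alert("xss")</script>',   // textbook marker string, constructed
  homepage: "javascript:alert(1)",          // non-http(s) link target, constructed
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderProfileUnsafe(hostileProfile));
  console.log("safe:  ", renderProfileSafe(hostileProfile));
}
```

The point of the contrast is that the fix belongs at the output side: the same stored string is harmless once it is encoded for the place it is inserted, and a link field is safe once its scheme is checked. Encoding has to match the context (text node, attribute value, URL), which is why `homepage` gets both a scheme check and attribute encoding rather than a single generic filter.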
Grossman said most such cases go unreported.

While both Firefox and Internet Explorer promise security enhancements in upcoming versions, Grossman said he doubts they will entirely fix the XSS problems.

By Eric Lai – Computerworld (US online)