Myspace CSRF and XSS Worm (Samy)

13 Oct 2005

In the comments to my article on CSRF, someone questioned whether CSRF is really anything worth worrying about. Rather than give a hypothetical example, I can point to a real one that is getting some attention today:

This attack seems pretty harmless (I'd rather not discuss ethical concerns), but it demonstrates something very powerful - a combination of XSS and CSRF. If your site has XSS vulnerabilities, they can be used to launch much more effective CSRF attacks. Rather than only a small percentage of people being affected, everyone is, because the attacker is guaranteed that all victims have an established relationship with the target site, yours.

More information about XSS and CSRF can be found here: