About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

Myspace CSRF and XSS Worm (Samy)

In the comments to my article on CSRF, someone questioned whether CSRF is really anything worth worrying about. Rather than give a hypothetical example, I can point to a real one that is getting some attention today:

This attack seems pretty harmless (I'd rather not discuss ethical concerns), but it demonstrates something very powerful - a combination of XSS and CSRF. If your site has XSS vulnerabilities, they can be used to launch much more effective CSRF attacks. Rather than only a small percentage of people being affected, everyone is, because the attacker is guaranteed that all victims have an established relationship with the target site, yours.

More information about XSS and CSRF can be found here:

About This Post

Myspace CSRF and XSS Worm (Samy) was posted on Thu, 13 Oct 2005 at 17:13:33 GMT.

13 Comments

1. Patrick Reilly's GravatarPatrick Reilly said:

I'd rather not discuss ethical concerns.... interesting.

Thu, 13 Oct 2005 at 18:19:06 GMT Link

2. Chris Shiflett's GravatarChris Shiflett said:

I just mean that it's a separate conversation. :-) I'm more interested in raising awareness of CSRF and considering the viral nature of this attack.

Thu, 13 Oct 2005 at 18:19:56 GMT Link

4. Brad's GravatarBrad said:

So, what would be the simplest way to prevent this kind of attack in a PHP app?

Fri, 14 Oct 2005 at 04:44:41 GMT Link

5. Andrew van der Stock's GravatarAndrew van der Stock said:

Chris's article on CSRF prevention is about as simple as it gets.

I implemented a slightly more complex class than that as I needed to protect against the user pressing "back" - something they do on a regular basis :)

Andrew

Fri, 14 Oct 2005 at 05:37:33 GMT Link

6. samual's Gravatarsamual said:

There is a whitepaper on XSS viruses at http://www.bindshell.net/papers/xssv.html

Sun, 16 Oct 2005 at 15:48:57 GMT Link

7. Kedrick's GravatarKedrick said:

hey i really need to know how to get into myspace or yahoo mail without passwords willing to pay $$$ kedricknelson@yahoo.com

Sat, 04 Feb 2006 at 09:05:07 GMT Link

8. wesley's Gravatarwesley said:

About CSRF as a protection mechanism:

Can't the attacker read the responseText (ajax request to the form page), parse out the token, and then construct his POST request, effectively bypassing CSRF?

Mon, 14 Aug 2006 at 09:16:58 GMT Link

9. Chris Shiflett's GravatarChris Shiflett said:

Hi Wesley,

That's exactly what Samy did. Because of the same-domain restrictions on Ajax, the XSS vulnerability is what made this possible. (Samy was able to get his JavaScript to execute within the myspace.com domain, so he could use Ajax to request any page also within that domain.)

This is also why I think cross-domain Ajax presents new risks that must be considered:

http://shiflett.org/archive/250

Mon, 14 Aug 2006 at 13:42:25 GMT Link

10. wesley's Gravatarwesley said:

Thanks for the quick response, followup:

Doesn't IE6 (< SP1) allow you to manipulate any iframe source you want:

http://www.greymagic.com/security/a...ories/gm011-ie/

which will also break CSRF attacks and allow for cookies to be stolen.

Mon, 14 Aug 2006 at 15:11:46 GMT Link

11. Dan's GravatarDan said:

Really interesting stuff, i never heard about it, but i`m also not so deep in the "story" myspace but i think on all great platforms/communities are many problems with worms/hacks and spam it a matter of the kind.

Thu, 08 Mar 2007 at 10:29:34 GMT Link

12. Michael's GravatarMichael said:

i`m from germany and i dunno what the hell is "myspace" but after reading your article i looked in the web and found its a really popular community and it seems that myspace will start in germany too ...

Sun, 11 Mar 2007 at 11:18:35 GMT Link

13. Sam Miller's GravatarSam Miller said:

The virus is harmless but Samy was sentenced to three months of community service and two years blocked internet access and two years of probation. It is ridiculous how ignorant the legal system is.

Mon, 09 Jul 2007 at 22:30:56 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Talks

Kiwi Foo Camp

12 - 14 Feb 2010

At Mahurangi College, Warkworth, New Zealand.

Webstock

15 - 19 Feb 2010

At Wellington Town Hall, Wellington, New Zealand.

ConFoo

10 - 12 Mar 2010

At Hilton Montréal Bonaventure, Montréal, Canada.

South by Southwest

12 - 16 Mar 2010

At Austin Convention Center, Austin, Texas.

New Comments

Sujoy wrote:

Chris, this is the first time I'm visiting your blog! Your 2009 Highlights is really great! Fanta...

Posted in 2009 Highlights
Giovanni wrote:

Hi Chris! First of all, my persona thanks for all your article about PHP security! it's really u...

Posted in The Truth about Sessions
Chris Shiflett wrote:

Thanks, John. Friendly and trustworthy are high compliments. Much appreciated. :-) Sorry about...

Posted in 2009 Highlights
Eric B wrote:

Hi Chris, Thanks for this clean, concise article on this topic. You are a life saver! -E

Posted in Guru Speak: Storing Sessions in a Database
Radoslav Stankov wrote:

wow, I looks like 2009 wasn't very boring year. p.s. I didn't know you too are Arsenal fan.

Posted in 2009 Highlights

Browse Comments

Work and Books

Analog Essential PHP Security HTTP Developers Handbook