MagicMtnDan
02-17-2006, 05:28 AM
On Tuesday, October 4 Samy, a 19-year-old guy from L.A., had a modest 73 friends on MySpace. At 12:34 p.m. he made an update to his profile. Eighteen hours later Samy had 1,005,831 friend requests—1 out of every 35 MySpace users—each and every one of whose profiles included the phrase "but most of all, Samy is my hero." So, how did he pull it off? All it took was a little JavaScript and a lot of ingenuity.
Samy figured out that while MySpace did a good job of keeping JavaScript code, which users could use to do all sorts of nasty things, out of all the usual places, one tiny hole allowed him to create a JavaScript worm that would cause any web browser viewing his profile to add him as a friend, add the hero line to their profile, and most importantly, add a copy of the same worm to their profile.
An hour after Samy hit a million friends, MySpace went down for maintenance, and quietly came up again two and a half hours later, JavaScript hole patched. Samy's run was over, but his mark still remains on hundreds of MySpace profiles.