From Nate Mook’s “Cross-Site Scripting Worm Hits MySpace” (Beta News: 13 October 2005):
One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.
How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.
Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user’s profile, creating a replicating worm. “So if 5 people viewed my profile, that’s 5 new friends. If 5 people viewed each of their profiles, that’s 25 more new friends,” Samy explained.
It didn’t take long for friend requests to start rolling in – first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.