The Samy Worm - MySpace's Viral Nightmare

The Samy worm of 2005 remains one of the most famous XSS attacks in history, demonstrating the viral potential of stored XSS vulnerabilities. Created by Samy Kamkar, this self-propagating worm exploited multiple XSS vulnerabilities in MySpace to become the fastest-spreading virus at the time. Within just 20 hours, the worm infected over one million user profiles, forcing MySpace to temporarily shut down the entire platform to contain the damage.

The worm's technical sophistication lay in its ability to bypass MySpace's security filters. MySpace had blacklisted obvious JavaScript injection attempts, blocking script tags and event handlers. However, Kamkar discovered that Internet Explorer allowed JavaScript execution within CSS properties using the expression() function. He crafted a payload that used this CSS-based JavaScript execution along with other filter evasion techniques. The worm's code would execute when anyone viewed an infected profile, automatically adding Samy as a friend and appending "but most of all, samy is my hero" to the victim's profile.
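The filter gap described above, as an added example that is not MySpace's code or the worm's payload: a blacklist in the style the paragraph describes next to an allowlist sanitizer, run over constructed profile snippets. The function names and sample strings are assumptions made for illustration.

```javascript
// Constructed profile snippets (sample input, not the worm's payload).
const samples = {
  scriptTag: '<script>alert(1)</script>',
  handler: '<img src="x.png" onerror="alert(1)">',
  cssExpr: '<div style="width: expression(alert(1))">hi</div>',
  benign: '<b>hello</b> <i>world</i>',
};

// Blacklist filter (hypothetical reconstruction): strip <script> elements and
// on* event-handler attributes, pass everything else through unchanged.
function blacklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Allowlist sanitizer: escape all markup, then restore only a fixed set of
// attribute-free formatting tags, so no style attribute can survive.
const ALLOWED = ['b', 'i', 'em', 'strong', 'p', 'br'];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function allowlistSanitize(html) {
  const tagRe = new RegExp('&lt;(/?)(' + ALLOWED.join('|') + ')&gt;', 'gi');
  return escapeHtml(html).replace(tagRe,
    (_, slash, name) => '<' + slash + name.toLowerCase() + '>');
}

// Detection check: does the output still hold a live tag whose style
// attribute contains expression( ?
function hasLiveCssExpression(out) {
  return /<[a-z][^>]*\sstyle\s*=[^>]*expression\s*\(/i.test(out);
}

for (const [name, input] of Object.entries(samples)) {
  console.log(name.padEnd(10),
    '| blacklist:', JSON.stringify(blacklistFilter(input)),
    '| allowlist:', JSON.stringify(allowlistSanitize(input)));
}
```

The blacklist removes the two vectors it knows about and returns the `style` snippet untouched, while the allowlist output contains no live tag other than the six it restores.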

What made the Samy worm particularly clever was its self-replicating mechanism. After infecting a profile, it would copy itself into the victim's profile, ensuring exponential spread. Each infected profile became a new infection vector, creating a cascade effect that quickly overwhelmed MySpace's infrastructure. While the worm itself was relatively harmless – it didn't steal data or cause permanent damage – it demonstrated the devastating potential of XSS vulnerabilities in social platforms. The incident led to criminal charges against Kamkar and fundamentally changed how social media platforms approach security.