NEWS FROM THE LAB - Thursday, July 27, 2006

Alert("Your new friend is a worm"); Posted by SGMasood @ 12:43 GMT

Sample of Samy worm code

Web Application Worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It's a new category of malware and it's a growing concern for popular websites. Social Networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week's Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. Last week's worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.

Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.

All this piqued our interest and we decided to see how secure other popular social networking sites are against "wormable" XSS vulnerabilities. We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities.

Something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser expoit (maybe even a 0-day exploit) could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...

Recommendations -

1. End users need to patch their machines. There's no excuse not to.
2. Web application developers must start taking security seriously. Yes, XSS issues are silly, easy to find and omnipresent. And XSS issues have stopped being funny for a long time now. They are a real danger with the advent of Phishing and Web Application worms that exploit a mass user base of millions of users within a very short time.

Of course, we have reported the issues to the affected websites and are working with them to get the issues fixed. And, of course, we aren't taking any names here.