Google Blogoscoped

Thursday, October 13, 2005

How to Make 1 Million Friends on MySpace

Why do you get 2,533 results when you enter [“samy is my hero”] into MSN search? Well, someone by the name of Samy wrote a social network popularity worm... and made over a million new friends, all of whom now had the text “but most of all, samy is my hero” in their self-description. The worm source code can still be seen in the Google Cache (just search for Samy’s user id 11851658 to jump to the relevant part).

I’m guessing these are the technicalities of what happened (I don’t know for sure): the MySpace programmers made the error of allowing GET requests to change states (only POST requests ought to be doing that*). In other words, simply by going to an infected MySpace page, those MySpace users who are logged in would add Samy – and his worm – to their own MySpace page as well. Note there’s even some Ajax/XMLHTTP running in the background of the long one-liner script... this worm is truly Web 2.0. But Samy’s not all happy now, saying:

“I haven’t been worried about anything in years, but today I was actually afraid of the unknown. Afraid of myspace? No, afraid of FOX’s legal department. If you’re not aware already, myspace was purchased by FOX only a few weeks back for 580 million dollars. Not online myspace dollars, but actual cash that can buy strippers. (...) I don’t want FOX after me.

I spend the rest of the day working, trying to get the ideas of what could happen out of my head. I have my girlfriend visit me for lunch to say our goodbyes. I’m going to the big house. I could hear it then, “mr samy, you are hereby sentenced to an $800,000 fine and 3 years in jail for getting way too many friends on myspace and causing psychological damage to girls who thought they were your friends until you cancelled your account.”

*Not too long ago, Google’s own community site Orkut also allowed changes to take place with GET requests. Back then, a simple Iframe could make people join groups they never saw. However, the growth rate of that wasn’t exponential...

[Via Digg.]

Update: Evan Martin, a Google employee, writes it was actually a POST request as well. (And I was under the impression those needed at least a click to work, but Ajax seems to make it all possible.) So then we must blame it on MySpace allowing users to upload their own JavaScript, thus opening the doors for XSS (Cross Site Scripting).

Update 2: I’ve interviewed Samy.
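
To make the two points above concrete (state changes on GET, and member-supplied script on profile pages), here is an added example; it is not code from MySpace or from this post. The request/session shapes, function names and token value are all hypothetical and constructed for illustration.

```javascript
// Added example. A request is modelled as { method, params },
// a session as { userId, csrfToken }, and the friend list as a Set.

// The pattern the post guesses at: any request, including a GET triggered by
// an <img> or <iframe> on someone else's page, changes the visitor's state.
function addFriendVulnerable(req, session, friends) {
  friends.add(`${session.userId}:${req.params.friendId}`);
  return 200;
}

// Compares every character so timing does not reveal how much of the token matched.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened handler: GET is side-effect free, and a POST must carry the
// per-session token that only pages served by the site itself can know.
function addFriendHardened(req, session, friends) {
  if (req.method !== "POST") return 405;
  if (!sameToken(req.params.token, session.csrfToken)) return 403;
  friends.add(`${session.userId}:${req.params.friendId}`);
  return 200;
}

// The update's point: the token check is only as good as the page it lives on.
// Script that runs inside the site's own pages can send a valid POST, so
// member-supplied profile text has to be escaped when it is rendered.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

function renderProfile(aboutMe) {
  return `<div class="about">${escapeHtml(aboutMe)}</div>`;
}

// Constructed sample run.
const session = { userId: "visitor1", csrfToken: "constructed-token-abc123" };
const friends = new Set();
console.log(addFriendHardened({ method: "GET", params: { friendId: "42" } }, session, friends));
console.log(addFriendHardened({ method: "POST", params: { friendId: "42" } }, session, friends));
console.log(renderProfile('but most of all, <script>x()</script>'));
```
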

