I’m guessing these are the technicalities of what happened (I don’t know for sure): the MySpace programmers made the error of allowing GET requests to change states (only POST requests ought to be doing that*). In other words, simply by going to an infected MySpace page, those MySpace users who are logged in would add Samy – and his worm – to their own MySpace page as well. Note there’s even some Ajax/XMLHTTP running in the background of the long one-liner script... this worm is truly Web 2.0. But Samy’s not all happy now, saying:
“I haven’t been worried about anything in years, but today I was actually afraid of the unknown. Afraid of myspace? No, afraid of FOX’s legal department. If you’re not aware already, myspace was purchased by FOX only a few weeks back for 580 million dollars. Not online myspace dollars, but actual cash that can buy strippers. (...) I don’t want FOX after me.
I spend the rest of the day working, trying to get the ideas of what could happen out of my head. I have my girlfriend visit me for lunch to say our goodbyes. I’m going to the big house. I could hear it then, “mr samy, you are hereby sentenced to an $800,000 fine and 3 years in jail for getting way too many friends on myspace and causing psychological damage to girls who thought they were your friends until you cancelled your account.”
*Not too long ago, Google’s own community site Orkut also allowed changes to take place with GET requests. Back then, a simple Iframe could make people join groups they never saw. However, the growth rate of that wasn’t exponential...
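The GET-versus-POST point above, as an added example that is not MySpace's or Orkut's code: an in-memory model of an "add friend" endpoint, first with state changes allowed on any request, then restricted to POST. The per-session token check goes one step beyond the post, and every name and value here is hypothetical.

```javascript
// Constructed session table: cookie value -> logged-in user and per-session token.
const sessions = { "sess-alice": { user: "alice", csrfToken: "tok-constructed-1234" } };

function newStore() { return { alice: [] }; }

// Comparison that does not reveal where two equal-length strings first differ.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Weak: any request carrying the session cookie changes state, including a GET
// that the browser issues on its own for an embedded iframe or image URL.
function handleWeak(req, store) {
  const s = sessions[req.cookie];
  if (!s) return 401;
  store[s.user].push(req.params.friend);
  return 200;
}

// Hardened: GET never changes state, and a POST must echo the session's token,
// which a page on another site cannot read.
function handleHardened(req, store) {
  const s = sessions[req.cookie];
  if (!s) return 401;
  if (req.method !== "POST") return 405;
  if (!safeEqual(req.params.token, s.csrfToken)) return 403;
  store[s.user].push(req.params.friend);
  return 200;
}

// Constructed requests. embeddedGet is what a logged-in browser sends when the
// user merely views a page that embeds the URL; forgedPost lacks the token.
const embeddedGet = { method: "GET", cookie: "sess-alice", params: { friend: "samy" } };
const forgedPost = { method: "POST", cookie: "sess-alice", params: { friend: "samy" } };
const legitPost = { method: "POST", cookie: "sess-alice",
                    params: { friend: "bob", token: "tok-constructed-1234" } };
```

The token stops requests that originate on other sites; a script running on the site's own pages can read the token, so that case needs output encoding of user-supplied profile content as well.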
Update 2: I’ve interviewed Samy.