Google Blogoscoped

Friday, October 14, 2005

Samy, Their Hero

As reported yesterday, Samy earlier this month wrote a worm that spread all over the MySpace web community – infecting everybody that crossed its path with “instant friendship”, thus gaining Samy more than a million friends before the MySpace team disabled the worm (taking pretty much the whole site offline to do so). The automatically included message “samy is my hero”, however, remains in thousands of homepages. I’ve email-interviewed Samy, who’s from Los Angeles (and likes to stay anonymous here).


Samy, where are you from, how old are you, and what do you do for a living? Please tell us a little bit about your background.

I’m from all over. I was emancipated at 16, got out of high school, moved out, and began a life as a playboy/software developer. It was a great concoction. I had already written some notable software when I was younger that I had released which got me job offers pretty easily. I’m now 19, turning old, and working hard while enjoying life.

Could you describe the approach to the worm you wrote? It was Ajax making use of a MySpace security hole, right?

The hole was actually not in MySpace. To MySpace’s defense, they did a great job of blocking malicious code, JavaScript, etc. The reason I was still able to get JavaScript past their filters is by using browsers’ leniencies. With a little finagling, I could get JavaScript to execute on some browsers, even though the actual code wasn’t valid. It was the browsers that mistakenly executed JavaScript when they shouldn’t have.

The basic approach was this:

  1. The code was first placed in my profile. Once anyone viewed my profile, they would unknowingly execute the code.
  2. Upon executing the code, it would add me as one of their friends. This normally requires their approval, but this was all done in the background via Ajax. It required multiple GETs and POSTs in order to obtain all the information necessary, such as random hashes, to approve the friend request.
  3. It would additionally GET their own profile, grab their list of heroes if they had any in their profile, and append me as a hero. Specifically, it would append “but most of all, samy is my hero.”
  4. The most important step is then having the code reproduce itself. It would grab the content of the profile they’re viewing, parse out the actual code that was being executed, and then append that to the heroes as well.
  5. The whole process starts over any time anyone views the newly infected user’s profile.

There were several complexities I had to overcome since MySpace does a great job of stripping out JavaScript, necessary quotes, Ajax functions, etc. The code had to be written in such an obfuscated manner to actually get past their filters, including getting it to propagate past MySpace’s own HTML-rewriting that occurs. A more detailed explanation of the hurdles is available.

Which browsers did the worm work with?

I only tested it with Internet Explorer on Windows and OS X. It seemed to work on both, however I didn’t test it very much because I wasn’t that concerned whether it would really work or not. I tried it on Safari on OS X, however it didn’t seem to work. To my surprise, I saw later that day that my girlfriend became infected even though she only uses Safari, although an older version.

How did you get such good experience with JavaScript?

I was never that good at JavaScript, but most developers that know one language can pick up other languages pretty easily. The worm was my intro to and first time using Ajax, and I learned a few other things while developing it. Most notably, I learned that MySpace is huge.

How long did you take to write that JavaScript?

I spent an hour or two a day trying to do something new on MySpace for about a week. After one week, I put a few of the things developed into one big piece and had the resulting worm.

I’m sure you were surprised by the success of your worm. Did you realize from the beginning that the deployment would be exponential?

It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly. When I saw 200 friend requests after the first 8 hours, I was surprised. After 2000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.

Did you tell your girlfriend about this whole thing? How did she react?

Once I had hit a few thousand friend requests, I got a bit worried. Instinctually, I wanted to see her in case anything would happen to me, but I tried to keep it humorous at all times. I had lunch with her and told her that I might be going away for a long time due to my overnight celebrity status. I told her it’s not easy being famous, and she just laughed. I was ecstatic with the success of it, but worried at the same time. She thought the whole thing was pretty funny, though risky.

Did anybody from MySpace contact you already?

No one from MySpace has contacted me. The only contact I have gotten so far was each automated email from MySpace telling me I had a new friend request. Oblivious to the fact, MySpace would send an email to my personal account each time a friend tried to add me, whether it was intentional or through the worm. I consider the hundreds of thousands of emails in my Inbox from MySpace equal payback for the profiles that were modified.

Do you think the security issue could cause harm on popular sites other than MySpace?

I’m sure that there are other sites that could be affected. MySpace tries to allow freedom of what users can post so that they can tailor their profile to their own liking. Any similar sites that allow such tailoring or have holes that would allow JavaScript to pass through could easily allow a similar thing to be unleashed, and to possibly cause real harm.

What was first – the idea to find a way to become the most popular man on MySpace, or your uncovering of the security hole?

First was discovering the hole. The only reason the attempt to discover a hole was even made was so that I could customize my profile a little more than other people could.

What do you think of MySpace anyway? I once read someone suggesting the site had a certain “ghetto appeal” because of its freestyle HTML layouts...

I was never really into MySpace until a few months ago. Enough of my friends had started using it that I thought it would be nice to get in touch with other friends that I may have lost touch with. I created a profile, found many old friends, and rediscovered fond memories with them.

It is true that many people go overboard with their HTML layouts, and I believe that such “yellow on blue” page layouts cause much more damage in the long run than my worm did.

Nevertheless, I think MySpace is a great service. It’s always been free and has been a pretty useful networking tool for lots of people. Although it has ads, they do need a way to make money to keep it up, but it isn’t riddled with very intrusive ads or popups, so I’ve never had any animosity or negative feelings about it. In the end, it’s really up to the user to shape the site but the team behind it has really built something useful, if the user base doesn’t tell you that already.

Once you realized the worm was spreading so quickly, did you feel like stopping it... and could you have done that in the first place? E.g. could you have disabled your MySpace account to block further spreading?

I absolutely wanted to stop it. Deleting my account wouldn’t stop propagation at all, but I tried that anyway. The only way to really stop it was to fix it at the source, either making the browser not allow JavaScript or having MySpace add a new filter to stop allowing the posting of this new type of code.

Your code is on the lines of a prank, but did the thought cross your mind to insert something else into other people’s pages than just that line?

Not at all. I mean, sure, “free samy” came into my head the second I started getting worried, but all I wanted was a little fame, among my friends.

They’re already selling “Samy is my hero” t-shirts. What do you think of that?

I’m flattered.

Is this your first attempt at creating a worm, or to create a hack of some sort? What else did you try in the past?

I’ve never created a worm or planned to in the past. However, I have been interested and involved in security-related projects, but nothing usually ever too intrusive.

Probably the closest thing to this that I’ve done in the past was a few years ago when I modified a ham radio to be able to transmit to restricted frequencies. I found a frequency used by a chopper that was giving a live weather/traffic forecast and I happened to transmit over them, stating something short and humorous. It was broadcasted live onto a very popular radio station, and my guilty conscience kicked in and I decided to stay away from radio-related electronics for a while. I only listened to CDs for quite a while after that.

With your knowledge... do you disable JavaScript in your browser when you surf yourself?

To browse half the sites out there, you pretty much need JavaScript enabled. The chances of very harmful JavaScript being out there are slim, but possible. JavaScript has also allowed so much useful interactivity on the web that it would be annoying to live without. Similar to a junk mail filter, the chance of losing legitimate email is hopefully worth the risk of having the filter.

If you’re not online, what are you doing?

Like any geek trying to avoid the stereotype, I’m either spending time with my girlfriend and friends, stunting and performing asinine tricks on motorcycles, or fleeing to Mexico.

What kind of websites are you visiting? Can you give us some URLs?

Scientific and technology oriented sites are my favorites.

Security related:
Set as my homepage: – well, not so much anymore.

