Case Study 1: The Samy Worm on MySpace (2005) --- The Fastest Spreading Virus Ever
Background
On October 4, 2005, Samy Kamkar, a 19-year-old web developer from Los Angeles, released what would become the fastest-spreading computer worm in history. In less than 20 hours, the "Samy worm" infected over one million MySpace profiles, adding Samy as a friend to each one and displaying the text "but most of all, samy is my hero" on every compromised profile.
At its peak, the worm was infecting users at a rate of thousands per second. MySpace, then the most popular social networking site in the world with over 100 million users, was forced to take the entire site offline to contain the outbreak.
The Samy worm was not a traditional virus. It did not exploit a software vulnerability in the browser or operating system. It exploited a stored cross-site scripting (XSS) vulnerability in MySpace's profile system, combined with AJAX techniques to propagate. It was the first major demonstration of what a self-propagating XSS worm could accomplish.
The Vulnerability
MySpace allowed users to customize their profiles with HTML and CSS. To prevent abuse, MySpace implemented filters that blocked certain HTML tags and JavaScript:
- <script> tags were stripped
- javascript: URLs were blocked
- Event handlers like onclick were filtered
- The word "innerHTML" was blocked
However, MySpace's filters were incomplete. Samy discovered multiple bypass techniques.
The Exploit Chain
Bypass 1: Script Injection Without <script> Tags
MySpace blocked <script> tags but did not block all methods of executing JavaScript. Samy used CSS expressions (an Internet Explorer feature):
<div style="background:url('javascript:alert(1)')">
And the eval() technique:
<div id="mycode" expr="alert('hey')" style="background:url('javascript:eval(document.all.mycode.expr)')">
Bypass 2: Building Blocked Words
MySpace blocked "innerHTML" as a complete string. Samy split it across two variables:
var A = 'inner';
var B = A + 'HTML';
// Or more creatively:
var B = String.fromCharCode(105,110,110,101,114,72,84,77,76);
// Spells out "innerHTML"
By constructing blocked strings dynamically, the filters could not detect them.
Bypass 3: AJAX Without XMLHttpRequest
MySpace also filtered "onreadystatechange" and other XMLHttpRequest properties. Samy used an alternative AJAX technique available in the browser:
// Instead of XMLHttpRequest
var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
// Or using the less-filtered approach
document.body.appendChild(document.createElement('xml'));
The Worm's Behavior
When a user viewed an infected profile, the worm performed these actions:
- Added Samy as a friend: Made an AJAX request to MySpace's friend-add endpoint, mimicking the authenticated user's session.
- Displayed the hero text: Added "but most of all, samy is my hero" to the victim's profile.
- Copied itself: The worm code was injected into the victim's profile, making it a new infection vector. Anyone who viewed the victim's profile would be infected in turn.
- Extracted the session token: The worm read MySpace's anti-CSRF token from the page source and included it in the friend-add request, bypassing CSRF protection.
The Propagation Model
The worm followed exponential growth:
Hour 0: 1 infected profile (Samy's)
Hour 1: ~100 infections
Hour 4: ~10,000 infections
Hour 8: ~100,000 infections
Hour 13: ~500,000 infections
Hour 18: ~1,000,000 infections
Hour 20: MySpace taken offline
Each infected profile became a new infection source. As Samy had many friends and his profile was popular, the initial propagation was rapid. The worm's growth was limited only by the rate at which users viewed infected profiles.
The Worm Code
The complete worm code was approximately 4 KB of JavaScript, encoded to bypass MySpace's filters. Key techniques included:
String Construction:
// Building "innerHTML" without the filter catching it
var d = String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116);
// "document"
var g = d + '.body.' + B;
// "document.body.innerHTML"
CSRF Token Extraction:
// Extract MySpace's token from the page
var token = document.body.innerHTML;
var index = token.indexOf('Mytoken');
// Parse the token value and include it in requests
Self-Replication:
// Copy the worm code to the victim's profile
// The worm reads its own source code and includes it
// in the profile update request
var code = document.getElementById('mycode').innerHTML;
// Include 'code' in the profile update POST request
Aftermath
Immediate Response
MySpace's engineering team detected the anomalous activity after several hours. Their response:
- Take the site offline: The only way to stop exponential propagation was to prevent users from viewing infected profiles.
- Clean infected profiles: Remove the worm code from over one million profiles.
- Patch the XSS vulnerability: Close the filter bypasses that Samy had exploited.
- Implement stricter filtering: Develop more comprehensive HTML/JavaScript filtering.
Legal Consequences for Samy Kamkar
Samy was investigated by the United States Secret Service (which handles computer crimes involving financial institutions). He was charged under California Penal Code Section 502(c) --- unauthorized access to computer systems. In 2007, he reached a plea agreement:
- Three years of probation
- 90 days of community service
- $15,000-$20,000 in restitution to MySpace
- Forbidden from using a computer connected to the internet during the initial probation period
- No profiting from the notoriety of the worm
Samy has since become a respected security researcher, creating numerous educational projects and presenting at major security conferences. He is credited with raising awareness of XSS as a critical vulnerability class.
Technical Analysis for Modern Context
Why the Samy Worm Matters Today
The Samy worm demonstrated principles that remain relevant:
1. Stored XSS Is an Amplifier: A single stored XSS vulnerability on a platform with millions of users becomes a mass compromise vector. Modern social media platforms, forums, and collaboration tools face the same risk.
2. Filter Bypass Is Inevitable: MySpace's blacklist approach (blocking specific tags and keywords) was fundamentally flawed. Every filter creates a bypass challenge. Modern defenses use allowlisting and Content Security Policy rather than trying to block known-bad patterns.
3. XSS + CSRF = Full Compromise: The worm combined XSS (to execute code in the victim's session) with CSRF-like behavior (to perform actions on behalf of the victim). This combination---executing authenticated actions through injected code---remains the most powerful XSS exploitation pattern.
4. Self-Propagating XSS Is Possible: The worm proved that XSS can be self-replicating. Any platform that allows user-generated content and has XSS vulnerabilities is potentially vulnerable to a worm. Modern examples include XSS worms on Twitter (2010), TweetDeck (2014), and various web forums.
What Would Prevent the Samy Worm Today?
If MySpace had been built with modern security practices:
- Content Security Policy: A strict CSP with nonce-based script-src would prevent all injected scripts from executing, regardless of filter bypasses.
- Proper Output Encoding: Using context-aware output encoding (HTML entity encoding for HTML body, JavaScript encoding for script contexts) instead of blacklist filtering.
- DOMPurify or Similar Sanitizer: A proper HTML sanitizer that parses content into a DOM tree and reconstructs it with only allowed elements, rather than regex-based filtering.
- SameSite Cookies: The SameSite attribute on session cookies would prevent the CSRF-like behavior of the worm's friend-add requests.
- Rate Limiting: Rate limiting on friend-add and profile-update APIs would slow propagation even if XSS was exploited.
Lessons for Penetration Testers
- Always test stored XSS in user-generated content. Profiles, comments, reviews, messages---any field where user input is stored and displayed to other users is a high-value XSS target.
- Test filter bypasses systematically. If basic payloads are blocked, try event handlers, SVG/MathML tags, encoding variations, and dynamic string construction. The Samy worm proved that blacklist filters can always be bypassed.
- Demonstrate impact beyond alert(1). Show clients what XSS can actually do: session hijacking, data theft, account takeover, and self-propagation. The Samy worm's impact was far more convincing than a proof-of-concept alert box.
- Test the combination of XSS + CSRF. Can XSS be used to bypass CSRF protections by reading tokens from the page? Can XSS perform authenticated actions?
Discussion Questions
- Was Samy Kamkar's punishment proportionate? Should the law distinguish between malicious and non-malicious (but unauthorized) security research?
- Could a Samy-style worm succeed on modern social media platforms (Facebook, Twitter/X, Instagram)? What defenses would it need to bypass?
- How does the Samy worm inform the risk assessment for stored XSS vulnerabilities in penetration testing reports?
- MySpace used a blacklist approach to HTML filtering. Why is allowlisting fundamentally more secure? Are there situations where blacklisting is acceptable?
- If you were designing a social media platform's profile customization feature, how would you allow HTML/CSS customization while preventing XSS?