XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worms reporting in WHID.

• A worm is now considered an attack method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.
• I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

The Samy worm at my space is now a classic, both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.

Additional information:

• My Lunch With Samy [ha.ckers, Mar 10 2007]
• MySpace XSS worm writer notes [bindshell, Apr 10 2005]
• MySpace XSS worm source [bindshell, Apr 10 2005]
• MySpace XSS virus development [bindshell, Apr 10 2005]
• Cross-Site Scripting Worm Hits MySpace [Beta News, Apr 10 2005]

phpBB worm

Additional information:

• PHP Scripts Automated Arbitrary File Inclusion [Vulnerabiliy Publisher's Site, Dec 25 2004]
• New Variant of Santy Worm Spreads [PC World, Dec 27 2004]
• Santy.E worm poses threat to sites badly coded in PHP [Computer World, Dec 27 2004]

Worm used Google to locate sites vulnerable to OS

Additional information:

• Santy worm makes unwelcome visit [BBC, Dec 22 2004]
• Santy worm defaces websites using php bug [Sans Storm Center, Dec 21 2004]

MySpace seems to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a flash file. It is also interesting as it seems to combine the popular political defacement trend with high level application layer exploit.

Additional information:

• Myspace Hack spreading like wildfire: SPAIRLKAIFS [Chase and Sam page, Jul 16 2006]
• How the myspace SWF hack worked [Unknown, Jul 16 2006]
• Political hacking hits MySpace [SC Magazine, Jul 17 2006]

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

Additional information:

• The Orkut XSS Worm [GNU Citizen, Dec 19 2007]
• Orkut XSS [Sounds From The Dungeon, Dec 19 2007]
• Orkut XSS worm in the wild [CGI Security, Dec 19 2007]
• Orkut Worm Code (and why was Google so slow to respond?) [TechnoSocial, Dec 19 2007]

A proof of concept XSS worm crawled justin.tv, a popular lifecasting platform. The warm succeeded in planting a self replicating code on 2525 accounts in less than 24 hours before the vulnerability was fixed.

Additional information:

• XSS Worm At Justin.tv Affects 2525 Profiles [CyberInsecure, Jul 15 2008]