In case you haven't heard, a user called Samy has used a JavaScript-based worm to game the system at social networking site MySpace, becoming "friend" and "hero" to thousands of users in a matter of hours. There's more information in this interview and a detailed explanation with code.

While this attack was mostly harmless, it's certainly a warning about the kind of attacks you might open the door to if you use Ajax without doing lots of thinking about security. MySpace didn't allow <script> tags in user profiles, but Samy used a script accessed through a CSS background image URL, and obfuscated in a bunch of ways to convince browsers to run JavaScript they shouldn't. The list of hurdles he went through to do this is amusing, and a bit frightening for those of us with web sites to keep secure…
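To make the point concrete, here is an added example (not code from this post, from Samy, or from MySpace): a small allowlist HTML sanitizer in Python next to the kind of "no <script> tags" check that the worm walked past. The allowlist, the constructed profile snippet and the URL scheme check are all assumptions made for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist (not MySpace's real policy); 'style' is left out so a CSS URL never reaches the browser.
ALLOWED_TAGS = {"b", "i", "u", "p", "a", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: no <script> tag anywhere, but JavaScript in a CSS URL.
PROFILE = '<div style="background:url(javascript:alert(1))">hello</div>'

def script_tag_blocklist(markup):
    # All a "no <script> tags" filter checks; it waves PROFILE through.
    return "<script" not in markup.lower()

def safe_url(value):
    # Browsers skip control chars and whitespace inside a scheme, so strip
    # them first; then allow only http(s) or scheme-less relative URLs.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if ":" in cleaned:
        return cleaned.split(":", 1)[0].lower() in ALLOWED_SCHEMES
    return True

class Sanitizer(HTMLParser):
    # Rebuilds markup from the allowlist only; entities like &#106; are decoded by HTMLParser first.
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tags, <script> included, vanish
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # style=, on*= and anything else is discarded
            if name == "href" and not safe_url(value or ""):
                continue  # javascript: and friends, however obfuscated
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    p = Sanitizer()
    p.out = []  # per-instance buffer the handlers above append to
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

The blocklist passes the sample unchanged, while the allowlist drops the whole style attribute, so the obfuscation tricks never get a chance to matter.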
[via Ajaxian]