The Null Device


A user of the social-network site MySpace has found a novel way of making lots of friends: by inserting a piece of JavaScript code into his page which caused all viewers to friend him:

The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a "hero" to the visitor's own profile page. To do this without a user's knowledge, the code utilized XMLHTTPRequest - a JavaScript object used in AJAX, or Web 2.0, applications such as Google Maps.
Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user's profile, creating a replicating worm. "So if 5 people viewed my profile, that's 5 new friends. If 5 people viewed each of their profiles, that's 25 more new friends," Samy explained.
For a brief time, Samy had more than one million new friends. Then MySpace noticed that something strange was happening, shut the site down and cleaned the script off users' pages. Google's Evan Martin has an analysis of the code.

(via /.) hacks making friends myspace risks security social software worms 1