Samy became an overnight sensation, even spawning t-shirts in his honor, after the 19-year-old natural coder (almost on whimsical impulse) created a social networking worm that added his name to 1,000,000 friend lists at MySpace.com. Worried about what he had just accomplished, he decided to grab a burrito before the Internet police showed up.
From his story, skillfully extracted though an interview by Philipp Lenssen at Google Blogoscoped, Samy was looking to exploit a security vulnerability in Internet Explorer on Windows and OS X that would enable him to tweak his MySpace.com page in a unique way.
It was the browsers, not MySpace.com, that allowed Samy’s JavaScript, modified using XMLHTTP Request (within AJAX Web applications), to run amuck throughout the MySpace world. As BetaNews put it, it was “the first self-propagating cross-site scripting (XSS) worm.”
In the end, the worm automatically infected any MySpace.com user who stumbled upon Samy’s profile, adding “but most of all, samy is my hero” to that user’s friend network. After Samy became the friend of about a million MySpace.com users, MySpace took itself offline to correct the problem.
So what did our pro-um-an?-tagonist think about the instant success of the prankish worm? He told Lenssen it made him a least a little nervous.
“When I saw 200 friend requests after the first 8 hours, I was surprised. After 2000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”
A little later, he’s luckily not incarcerated, has not been contacted by MySpace.com, and t-shirts proudly stating “Samy is my hero” have been created in his honor.
Check out the rest of the story in Lenssen’s hysterical interview here, then check out the mad coding skills provided in detail by Samy.
