The SecuriTeam site reports on a new GaiaOnline (web-based game) worm:
Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistic being similair to those of sites like MySpace. Furthermore, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.
Very effectively, they argue. And even more to the point:
Reflective XSS can viably be used to spread an effective worm and sending variables via POST does not make people any safer. Considering how very common reflective XSS is (34 pages of reflective XSS flaws) this is something web masters really need to start getting to grips with. Furthermore it’s clear that Gaiaonline aren’t ready for users reporting flaws, they don’t know what to do when a flaw is reported and they aren’t too quick at fixing them (at the time of writing the flaw is still up).
Reputation risk?