The Samy Worm: How a 19 Year Old Crashed MySpace with 4KB of Code
On October 4, 2005, Samy Kamkar released one of the most legendary hacks in internet history. He was 19 years old. His worm infected over one million MySpace users in 20 hours and forced the entire platform offline.
How It Started
Kamkar wanted to learn JavaScript. He also wanted to customize his MySpace profile beyond what the platform allowed. MySpace had a 12-photo upload limit and restricted certain features. Through experimentation, Kamkar found a way to bypass these restrictions by injecting raw HTML code.
He created a script that would automatically add him as a friend to anyone who visited his profile. But there was a problem. He only had 73 friends. His page would not get many visitors. His solution? Make the script copy itself onto every visitor’s profile. The worm would spread exponentially.
The Technical Details
The worm exploited a cross-site scripting (XSS) vulnerability in MySpace’s code. The entire payload was 4 kilobytes of JavaScript. Using Asynchronous JavaScript and XML (AJAX), Kamkar bypassed MySpace’s JavaScript filters. AJAX allowed browsers to execute code in the background without user knowledge.
The payload was simple. It displayed “but most of all, samy is my hero” on your profile under the heroes section. It automatically sent Kamkar a friend request. When someone viewed an infected profile, the worm copied itself onto their page. The chain reaction continued.
The Explosive Growth
Kamkar uploaded the worm to his profile on October 4 and went to bed. He expected a few dozen new friends. By morning, he had 221 friend requests. Within hours, the numbers doubled exponentially.
By 1:30 p.m. on October 5, Kamkar had over 6,000 friend requests. The worm spread thousands of infections every few seconds. Users who deleted Kamkar from their friends list would be re-infected when they viewed any other infected profile.
At 9:30 p.m. that evening, over one million users were infected. This happened in 20 hours. The worm became the fastest-spreading virus in terms of infection rate per hour.
MySpace’s servers buckled under the load. The site went offline for several hours while engineers purged the worm from all infected profiles. When the site returned, Kamkar’s profile was deleted.
The Legal Fallout
Kamkar felt awful. He sent an anonymous email to MySpace explaining how the worm worked and how to stop it. MySpace never responded.
Six months passed. Kamkar thought he had escaped consequences. Then in early 2006, law enforcement surrounded him. The raid included the United States Secret Service, the Electronic Crimes Task Force, the Los Angeles District Attorney’s Office, and the California Highway Patrol.
Authorities seized his laptop, three desktop computers, and other electronic devices. After a year of negotiations, Kamkar accepted a plea deal. On January 31, 2007, he pleaded guilty to a felony charge of computer hacking.
The sentence was severe:
Three years of felony probation 720 hours of community service picking up trash along California highways in an orange jumpsuit $20,000 in restitution payments to MySpace A complete ban from using the internet for personal reasons during probation Permission to use only one computer with no internet access
Every Saturday at 5:00 a.m., Kamkar put on an orange jumpsuit and collected trash with the Santa Monica waste management team. His probation officer later said he was her best client.
The Aftermath
In 2008, Kamkar successfully petitioned the court to lift his probation early. He walked to the Apple Store in Santa Monica, bought a laptop, and connected to the internet at the nearest Starbucks.
The Samy worm changed web security forever. At the time of the attack, 80 to 90 percent of websites were vulnerable to similar XSS attacks. The incident brought widespread attention to cross-site scripting vulnerabilities. The industry had largely ignored these security flaws.
The Open Web Application Security Project (OWASP) launched the AntiSamy Project to create APIs allowing sites to permit user-submitted code without XSS exposure. MySpace had almost no security team at the time of the worm. They completely overhauled their security infrastructure.
Where He Is Now
Kamkar became one of the most respected white-hat hackers and security researchers in the world. He created numerous security tools and research projects. These include SkyJack (a drone-hacking device), Evercookie (which appeared in NSA documents revealed by Edward Snowden), and MagSpoof (a device that spoofs magnetic stripe cards).
In the hacker community, Kamkar is treated like royalty. Security expert Jeremiah Grossman said, “I don’t think he’s had to pay for a drink when we’re around for 10 years.”
The incident remains a pivotal moment in cybersecurity history. One person with technical knowledge brought down a major internet platform. That same person transformed from black-hat hacker to respected security researcher.
