To all the people who carelessly claim that Cross Site Scripting (XSS) is not a real security problem, here is definitive proof that the threat is quite real. A very creative MySpace user, Samy, created a little self-propagating worm via a stored XSS attack.
He was able to inject raw HTML into his profile by breaking the normally disallowed word "javascript" into components, relying on IE to "combine" it back together. This code snippet then used XMLHttpRequest, usually used for Ajax, to execute a request in the background that caused the viewer to transparently add Samy (the author of the trick) to their buddy list.
The "worm" component of the hack used the same code to insert the attack HTML sequence into the profiles of compromised users, allowing the hack to self-propagate.
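The lesson defenders should take from the bypass described above is that a keyword blocklist is the wrong tool; the fix is to encode user-supplied text on output. The following is an added example, not code from the original post or from MySpace: `blocklistFilter`, `escapeHtml` and the constructed profile string are assumptions for illustration, and the `[split]` marker stands in for whatever separator a browser might tolerate inside the keyword.

```javascript
// Added example: a keyword blocklist of the kind the post describes, next to
// contextual output encoding, which neutralises injected markup regardless of
// how any keyword inside it is spelled.

function blocklistFilter(profileHtml) {
  // Naive approach: strip the forbidden keyword and pass everything else
  // through. Any spelling the regex does not match survives untouched.
  return profileHtml.replace(/javascript/gi, "");
}

function escapeHtml(untrusted) {
  // Encode every character the HTML parser treats specially, so user text
  // can never open a tag or an attribute no matter what it contains.
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return untrusted.replace(/[&<>"']/g, (ch) => map[ch]);
}

function containsMarkup(rendered) {
  // True if the string still carries characters that can start a tag or
  // break out of an attribute once it is placed in a page.
  return /[<>"']/.test(rendered);
}

// Constructed sample (not a real vector): a profile containing a link whose
// scheme keyword is split into pieces, as the post describes. "[split]" is a
// placeholder for the separator, deliberately not a working one.
const CONSTRUCTED_PROFILE =
  'hello <b>world</b> <a href="java[split]script:x">me</a>';

// The blocklist never sees the string it looks for, so the tag survives;
// escaping turns the whole thing into inert text.
const afterBlocklist = blocklistFilter(CONSTRUCTED_PROFILE);
const afterEscaping = escapeHtml(CONSTRUCTED_PROFILE);
console.log("blocklist left markup:", containsMarkup(afterBlocklist)); // true
console.log("escaping left markup:", containsMarkup(afterEscaping));   // false
```

Encoding is context-specific: the escaping above is correct for text nodes and quoted attribute values, and URL or JavaScript contexts need their own encoders.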
The attack process, and why it was possible, is explained in a fair amount of detail here.
It should be noted that while Samy was careful not to cause any lasting damage, a more malicious person could have used the same code to do a whole lot more, such as stealing users' passwords. Hopefully this worm, which will surely get massive exposure in the coming days, will prove effective where hundreds of security professionals were not, proving that XSS is a serious issue.