Samy didn’t want to be everyone’s hero. He didn’t even want new friends.
But thanks to a few clever lines of code, in less than a day, he became the “hero,” and a “friend,” to more than a million people on what was, at the time, the most popular online social network, MySpace.
It was around midnight on October 4, 2005, in Los Angeles, when Samy Kamkar, then a 19-year-old hacker, released what has come to be known as the “Samy worm,” perhaps the fastest-spreading computer virus of all time, a virus that changed the world of web security forever.
Kamkar, who had dropped out of high school at 16 and founded a software startup called Fonality at 17, says he just wanted to impress his techie friends, nothing more. Everything started around a week earlier, Kamkar tells me. At the time, MySpace gave users a lot of freedom to customize their profiles, allowing the use of HTML code, which resulted in colorful, and often painful to look at profiles.
“Once I was able to do that, I realized I was able to actually do anything on the page.”
Not everything on MySpace, however, was completely customizable. Users could only upload 12 photos, for example. Was there a way around that? Kamkar he started hacking around, trying to see if he could trick MySpace to do stuff the site wasn’t supposed to let users do. He soon found a way and uploaded 13 photos.
Users also had only a few choices when it came to the “relationship” field. There was a dropdown menu with standard options: married, single, in a relationship, and a few more. Kamkar, who at the time had a girlfriend, wanted to be able to select “in a hot relationship.” With some more hacking, he did that too.
“Once I was able to do that, I realized I was able to actually do anything on the page,” he tells Motherboard, recalling that fateful night.
Samy Kamkar works at his computer in his home in Los Angeles. Image: Motherboard
For the following week, Kamkar worked on a script that would be invisible to any other user, and would force everyone who visited his profile to add him as a friend. The script would also add a line to the person’s profile, under the “my heroes” category: “but most of all, Samy is my hero.” Kamkar realized that he would reach very few people if the script only hit visitors of his page, so he programmed it in a way that it would also copy itself on the visitor’s own profile.
At that point, he had created a self-propagating worm.
“I figured that maybe in a month I’d get 100 or 200 friends,” he tells me. “Some of them will complain, I’ll delete it and that’s it. No big deal.”
The next morning, he woke up and had 200 friend requests. That’s when he “freaked out” because the worm was spreading faster than he thought. One hour later, the requests doubled, and then kept increasing exponentially. At that point, Kamkar says he emailed MySpace anonymously, alerting them of the worm, and a way to stop it, but he never heard back, and still today, he has “no idea” if anyone actually saw that email.
By 1:30 p.m., he had amassed more than 2,500 friends and had more than 6,000 requests.
“This has gotten out of control. People are messaging me saying they've reported me for ‘hacking’ them due to my name being in their ‘heroes’ list,” Kamkar wrote in a blog post he published that night, recounting what had happened. “Apparently people are getting pissed because they delete me from their friends list, view someone else's page or even their own and get re-infected immediately with me. I rule.”
“I hope no one sues me,” he added.
A few hours later, Kamkar went for a burrito at Chipotle and then went home to check his MySpace profile again. At that point he had almost a million friend requests.
A screenshot of Kamkar’s MySpace profile, taken on Oct. 5, 2005. Image: Samy Kamkar
“It's official. I'm popular,” he wrote in his blog.
The number climbed up to over a million, just a few minutes before MySpace went down. The company had to take the site offline to figure out what was going on and purge the worm.
“I felt awful. I felt really bad,” Kamkar tells me. But there was nothing he could have done at that point—once he released the worm it was already too late, given that it spread all by itself. After around two hours the site went back up. His profile had been deleted.
Kamkar speaks at the Black Hat security conference in Las Vegas in 2010. Image: Dan Tentler
Kunal Anand, who became director of security at Myspace a couple of months after the incident, says that at the time the Samy worm hit, the company had “almost no security team,” and “had no idea what to do.”
No one had seen anything like Samy’s worm. It was a “watershed moment for the industry,” Anand tells me.
Jeremiah Grossman, a web security expert and founder of the firm WhiteHat Security, says the Samy worm was “one of those moments that every expert in the industry was waiting for.”
Kamkar’s worm, despite its quick spread, was ultimately harmless: all it did was get him friends and add a few words to the infected people’s profiles. But if Kamkar had been a criminal, or someone with more devious intentions, he could have taken over their accounts. As Grossman puts it, Kamkar “had the ability to do whatever he wanted.”
The technique that the young hacker used is known as a cross site scripting attack, often abbreviated as XSS, where an attacker injects malicious code into a website, tricking the site, and the users’ browser, to execute the code. People who knew about web security were aware that it was possible to attack most sites the way Kamkar did, according to Grossman, but but no one had taken the threat seriously until the Samy worm.
“[Samy] changed the industry forever.”
“At the time it was a very under appreciated kind of vulnerability. We knew every site had it, but no one had really demonstrated what could you could do with it,” Grossman tells me over the phone. “Samy did, and he changed the industry forever.”
At the time of the Samy worm, 80 to 90 percent of websites were vulnerable to similar attacks, according to Grossman. The issue got so much attention that The Open Web Application Security Project launched an effort to create an API for sites to allow users to use code on their pages without exposure to XSS vulnerabilities—they called it the AntiSamy Project.
Ten years later, only 47 percent of websites are likely to have the same vulnerabilities, according to data gathered by WhiteHat’s Security in 2015. Without the attention that Kamkar’s worm got, perhaps it would still be a more widespread issue.
In the years to come, websites and browsers beefed up their security against cross site scripting attacks, but there were still some notable attacks. In 2013, for example, several Yahoo users’ email accounts were hijacked thanks to a similar vulnerability. And last year, hackers found a XSS bug in Tweetdeck that allowed them to force annoying popups. Earlier this year, thanks to an XSS vulnerability, it was possible to take over a WordPress blog with a single comment.
Watch more Motherboard: All the ways your phone can be hacked
Despite his harmless intentions, and the blog post he published to explain why he launched the Samy worm, Kamkar did eventually get in trouble with the law.
Six months after he unleashed the worm, the Secret Service, along with the Electronic Crimes Task Force of the LAPD, got a warrant to search his apartment and his office. Authorities seized his laptop, three desktop computers and other electronic devices such as hard disks. The Los Angeles District Attorney was going after him, accusing of computer crimes, in particular of infecting computer systems with a virus, according to California’s penal code.
“It was kinda scary,” Kamkar recalled. “I didn’t even have a high school diploma, so I was really concerned if they tried to take computers away from me. Computers were kind of the only thing I had.”
”Computers were kind of the only thing I had.”
For a whole year, Kamkar’s lawyer and the prosecutors went back and forth, negotiating a plea deal. Kamkar never got arrested, and ended up pleading guilty and was sentenced to three years of probation with practically no computer access. He was only allowed to use one computer, registered with the authorities, with no access to the internet, Kamkar says.
He was still able to work at his startup in a managerial role, and was even invited to conferences and talks to speak about the worm. In 2007, he met Grossman at the OWASP & WASC AppSec conference, where Grossman and a friend of his, Robert Hansen, showed up with custom-made t-shirts that read “Samy is my hero.” (Similar shirts can still be purchased online.)
Image: Jeremiah Grossman
Thanks to the impact he made in the world of web security, Grossman tells me, Kamkar doesn’t have to pay for anything when he goes to events like that one.
“I don’t think he’s had to pay for a drink when we’re around for 10 years,” he says.
Three years after the worm, in 2008, Kamkar went back to court and got his probation lifted. The first thing he did, Kamkar recalled, was head to the Santa Monica Apple Store and buy a laptop. He then went to the nearest Starbucks, opened it up and connected to the internet.
But after three years offline, “I didn’t even know where to go,” he says. So he visited a couple of websites—not MySpace, he says laughing—spent ten minutes on the internet and then went to see some friends.
Kakmar says he was “very introverted and shy” before the Samy worm, so “the three years away from computers were actually really good for me, for someone who’s always on computers all the time, it allowed me to do other things.”
Once he went back online, however, Kamkar had a bunch of ideas for new things to hack, and some new techniques. He showed off some of those in 2010, at his first talk at the famed hacking conference DEF CON in Las Vegas.
Since then, he’s left his startup and has been hacking away, exposing how Google, Apple and Microsoft track their customers, as well as creating devices to automatically hijack drones, and to unlock cars and garage doors, all in the name of getting companies to pay more attention to security and protect their customers. His spectacular exploits, as well as his natural knack for making hacking and information security easy even for the layperson to get, have made him a household name in the hacking community.
Today, if he could go back in time, Kamkar says he probably wouldn’t release the worm, even though staying away from computers for three years was a positive experience, and the worm was his call to fame.
Yet, the internet is probably better off because of the Samy worm. So, in a way, Samy might still be a hero.