From F-Secure:

Web Application Worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It’s a new category of malware and it’s a growing concern for popular websites. Social Networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week’s Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million “friends” in a couple of hours. Last week’s worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.

Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.

All this piqued our interest and we decided to see how secure other popular social networking sites are against “wormable” XSS vulnerabilities. We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially “wormable” XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day’s work a malicious attacker with a half-decent knowledge of JavaScript could create a worm using just one of these vulnerabilities.