Not everything on MySpace, however, was completely customizable. Users could only upload 12 photos, for example. Was there a way around that? Kamkar he started hacking around, trying to see if he could trick MySpace to do stuff the site wasn't supposed to let users do. He soon found a way and uploaded 13 photos.Users also had only a few choices when it came to the "relationship" field. There was a dropdown menu with standard options: married, single, in a relationship, and a few more. Kamkar, who at the time had a girlfriend, wanted to be able to select "in a hot relationship." With some more hacking, he did that too."Once I was able to do that, I realized I was able to actually do anything on the page," he tells Motherboard, recalling that fateful night.
"Once I was able to do that, I realized I was able to actually do anything on the page."
"At the time it was a very under appreciated kind of vulnerability. We knew every site had it, but no one had really demonstrated what could you could do with it," Grossman tells me over the phone. "Samy did, and he changed the industry forever."At the time of the Samy worm, 80 to 90 percent of websites were vulnerable to similar attacks, according to Grossman. The issue got so much attention that The Open Web Application Security Project launched an effort to create an API for sites to allow users to use code on their pages without exposure to XSS vulnerabilities—they called it the AntiSamy Project.Ten years later, only 47 percent of websites are likely to have the same vulnerabilities, according to data gathered by WhiteHat's Security in 2015. Without the attention that Kamkar's worm got, perhaps it would still be a more widespread issue.In the years to come, websites and browsers beefed up their security against cross site scripting attacks, but there were still some notable attacks. In 2013, for example, several Yahoo users' email accounts were hijacked thanks to a similar vulnerability. And last year, hackers found a XSS bug in Tweetdeck that allowed them to force annoying popups. Earlier this year, thanks to an XSS vulnerability, it was possible to take over a WordPress blog with a single comment.Watch more Motherboard: All the ways your phone can be hacked
"[Samy] changed the industry forever."
For a whole year, Kamkar's lawyer and the prosecutors went back and forth, negotiating a plea deal. Kamkar never got arrested, and ended up pleading guilty and was sentenced to three years of probation with practically no computer access. He was only allowed to use one computer, registered with the authorities, with no access to the internet, Kamkar says.He was still able to work at his startup in a managerial role, and was even invited to conferences and talks to speak about the worm. In 2007, he met Grossman at the OWASP & WASC AppSec conference, where Grossman and a friend of his, Robert Hansen, showed up with custom-made t-shirts that read "Samy is my hero." (Similar shirts can still be purchased online.)
"Computers were kind of the only thing I had."