Four words appeared on more than 1 million MySpace profiles in 2005, all in a single day.
No hacker army. No sophisticated infrastructure. Only a self-taught programmer by the name of Samy Kamkar and a few lines of JavaScript embedded in his MySpace profile.
Whenever someone visited his page, the script silently copied itself onto their profile. And when somebody visited their page, it spread again. And again. And again.
Within 24 hours more than a million people had the message "Samy is my hero" posted on their pages, all without their knowledge.
This is called a Stored XSS attack (Cross-Site Scripting). The attacker injects malicious JavaScript into a site, where it is stored. That code then runs automatically in the browser of every visitor, because the browser trusts the site that served it.
What is really so frightening about it is as follows:
Samy's payload was benign. It just posted a humorous comment.
Nevertheless, the very same method could have stolen login cookies, handing over complete account access for a million users. It could have planted keyloggers to capture every keystroke. With modern browsers, a skilled attacker could even chain it with a browser vulnerability to escape the browser entirely and execute code on your computer.
Samy called it a worm, because it was a worm: a self-replicating program propagating through human curiosity.
He turned himself in. He was arrested. He was prohibited from using computers for 3 years.
However, the lesson he left behind is still timeless in 2025: XSS vulnerabilities are not merely a coding error. They are a loaded gun waiting for somebody to pick it up.
2014. Twitter. One tweet. 38,000 retweets. Under 2 minutes.
A security researcher happened to come across an XSS vulnerability in Twitter's TweetDeck dashboard. Someone exploited it before it could be patched.
A single tweet was crafted with a concealed JavaScript payload. Whenever anybody viewed the tweet, their browser automatically retweeted it: without them clicking anything, without their knowledge, without any confirmation.
38,000+ retweets in less than 120 seconds.
Twitter had no choice. They brought TweetDeck to a crawl while they scrambled to fix it.
Just consider what such a vulnerability could have done in the wrong hands. Not retweets, but posting malware links to millions of followers. Or hijacking legitimate accounts. Or spreading fake news faster than any fact-checker.
In 2019, it was Google's turn. Apache has had them as well.
When you build for the web: validate your inputs, encode your outputs, and set a Content Security Policy.
Because the next Samy may not just be writing "is my hero".
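The three defences above, applied to the stored-profile scenario described earlier in the post, as an added example that is not part of the original post and not Samy's or MySpace's code: a whitelist check on input, HTML entity encoding at output time, and a Content-Security-Policy header that refuses inline script. The profile text, the field names and the nonce value are constructed samples; `example.invalid` style values do not appear and no real site is referenced.

```javascript
// Added example (not from the original post): output encoding plus a CSP header
// for rendering user-supplied profile text. All inputs below are constructed.

// Encode for an HTML text or double-quoted attribute context: the five characters
// that can change parser state become entities, so stored input is shown, not run.
function encodeHtmlText(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Whitelist validation for a field that should only ever hold a display name.
// Validation narrows what gets stored; it does not replace output encoding.
function isValidDisplayName(name) {
  return /^[A-Za-z0-9 ._-]{1,40}$/.test(name);
}

// Render a profile "about me" box. Encoding happens at output time, for the
// context the data lands in, regardless of which checks ran when it was saved.
function renderAboutMe(displayName, aboutMe) {
  const safeName = isValidDisplayName(displayName) ? displayName : 'anonymous';
  return `<div class="about" data-owner="${encodeHtmlText(safeName)}">` +
         `${encodeHtmlText(aboutMe)}</div>`;
}

// Build a Content-Security-Policy header value. Forbidding inline script and
// limiting script sources means a stored payload that slips past encoding still
// will not execute. The nonce (a hypothetical per-response value) marks the one
// inline block the page itself legitimately ships.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample of the kind of stored input a profile page must survive.
const SAMPLE_ABOUT_ME = 'but most of all, <script>alert("samy is my hero")</script> is my hero';

console.log(renderAboutMe('samy', SAMPLE_ABOUT_ME));
console.log('Content-Security-Policy: ' + buildCsp('c2FtcGxlLW5vbmNl'));
```

Run with `node`: the rendered `<div>` shows the `<script>` tag as literal text, and the printed header is what the server would attach to the response. Encoding is done by the function that writes into the HTML, not by the one that stores the data, because the same stored string may later be emitted into a different context (a JSON body, a URL) that needs a different encoder.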
#CyberSecurity #WebSecurity #XSS #EthicalHacking #AppSec #CyberAwareness #Developer