Published 15 years 7 months ago • Last updated March 22, 2025 • ⏱️ 3 min read
I woke up yesterday morning and had a sudden flash of inspiration to stop all social network worms. I dunno why I wasn't even researching them, I've no idea how my mind works it's funny like that. Anyway sometimes I have bad ideas and sometimes they're good. I like to discuss them all because that's what an idea is, something to discuss.
So the concept works like this, you have a social network crawler client/server side that acts as a normal user it could even masquerade as an existing friend. This crawler continuously goes to different accounts with the goal of being exploited. Once the crawler is infected with some XSS code, it proceeds to follow whatever method the attacker uses to propagate the code but instead of posting an update, adding a friend or updating it's profile it logs the results and freezes the originating account.
The special crawler account must look and act like a normal user but normal user functionality is replaced by logging, think of it as a robot administrator I like to call them Terminators. Depending on the type of social network you could either prevent all new updates from happening until the flaw is closed or simply crawl the history of that user until all have been enumerated and repeat.
Crawling intervals could be changed depending on your requirements and you could specifically target accounts to crawl for example "user a" is posting 3 updates every minute or "user b" friend count is increasing every x minutes etc you get the idea.
Once the terminator encounters an infected account it is effectively mission accomplished as the site has a XSS worm but importantly you have some vital information, you know which page the infection occurred and the account is originated from and the method used to infect. I'd disable the site functionality here and place a maintenance message or something. You could continue crawling and try and find more infected accounts but you are always fighting against the time your crawler(s) takes to enumerate all accounts.
You may have noticed that I said "masquerade as an existing friend" this is because I already thought of a way to bypass detection by using worm code to detect if the crawler is a valid account or not. You need to make sure that these crawler accounts appear to be real in every way.
To create a crawler server side you'd need to use a server side js parser and browser environment depending on the complexity of your site you might find it easier to create a network of VM's and Selenium and run everything client side. Designing a crawler user account would also have to be done carefully, each operation needs to be intercepted and logged, the account itself shouldn't be able to authenticate and even if compromised shouldn't allow any operation other than to freeze the account where it was compromised from.
I HEREBY PLACE THIS IDEA IN THE PUBLIC DOMAIN