Wednesday, Dec 26, 2007

XSS Worm on Hi5.com; an exercise in frustration

It was Christmas Eve in Mexico and Eduardo Vela was frustrated. He'd spent the last few days analyzing vulnerabilities in the hi5.com social networking site. By failing to properly validate values within CSS properties, hi5.com left the door open for attackers to foist what effectively amounts to an iframe. Vela's emails to hi5.com had gone unanswered, so to prove his point he decided to create and release a benign XSS worm designed to exploit the flaw.
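As an added example that is not hi5.com's code and not part of the original post, this is the kind of allowlist check on user-supplied CSS declarations that closes the door described above: only known-safe properties and a narrow value grammar pass, so constructs such as `url(...)`, `expression(...)`, escapes or brace break-outs fail closed. The property list and value grammar are assumptions chosen for illustration.

```javascript
// Added example (not hi5.com's code): validate user-supplied CSS
// declarations against an allowlist before they reach a profile page.
// Property list and value grammar are assumptions for illustration.

const ALLOWED_PROPERTIES = new Set([
  "color", "background-color", "font-size", "font-weight",
  "text-align", "border-color", "margin", "padding",
]);

// One value token: hex colour, number with optional unit, or a plain
// identifier that starts with a letter. No parentheses, quotes, slashes,
// backslashes, braces, angle brackets or colons can appear, so url(),
// expression(), javascript:, comments and style-block escapes all fail.
const TOKEN = /^(#[0-9a-f]{3,6}|-?\d+(\.\d+)?(px|em|pt|%)?|[a-z][a-z0-9-]*)$/i;

function sanitizeCssDeclarations(input) {
  const accepted = [];
  const rejected = [];
  for (const raw of input.split(";")) {
    const decl = raw.trim();
    if (!decl) continue;
    const colon = decl.indexOf(":");
    if (colon < 0) {
      rejected.push({ decl, reason: "missing colon" });
      continue;
    }
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) {
      rejected.push({ decl, reason: "property not allowed" });
      continue;
    }
    // Every whitespace-separated token must match the grammar; a single
    // bad token rejects the whole declaration rather than being trimmed.
    const tokens = value.split(/\s+/);
    if (!tokens.every((t) => TOKEN.test(t))) {
      rejected.push({ decl, reason: "value outside grammar" });
      continue;
    }
    accepted.push(`${prop}: ${tokens.join(" ")}`);
  }
  return { css: accepted.join("; "), rejected };
}

// Constructed sample: a harmless declaration beside ones that must be dropped.
const sample = "color: red; background-color: url(http://example.invalid/x);" +
  " width: expression(alert(1)); padding: 2px}";
console.log(sanitizeCssDeclarations(sample));
```

Rejected declarations are returned rather than silently dropped so the application can log them; a burst of rejections with `expression(` or `url(` values from many accounts is exactly the signal a site like hi5.com would want to alert on.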

Vela, who uses the moniker 'sirdarckcat', created a worm reminiscent of the infamous Samy worm which targeted MySpace users in 2005. Samy attached itself to MySpace profiles, adding the words "but most of all, Samy is my hero" to the profile pages of anyone who viewed his profile. It had exponential growth - as more and more profiles were modified to point to his profile, more and more people clicked through to view it and likewise became impacted. It was the harbinger of what has become a social networking phenomenon - socially engineered attacks that violate the trust relationships among friends of friends.

Eduardo Vela took a slightly different approach, adding his xssworm profile (aptly named Santa) directly to the friends' lists of anyone who views his profile. In addition, his worm is significantly less powerful in its current rendition. To put that into perspective, the Samy worm impacted over 1,000,000 MySpace users in 20 hours. Vela's creation has impacted fewer than 1,000 in nearly 48 hours. Indeed, Vela's worm all but languished in the first 36 hours, giving plenty of time for the folks at hi5.com to respond.

And that failure to react is at the heart of the matter.

The hi5.com social network self-reports traffic at 25 million unique visitors per month with over 60 million subscribers. The site supports itself through "IP and profile-based targeting" of "advertising messages". Yet phoning their head office leads to a recording which states, in part, "as a free website, we are not able to provide telephone support to our members. Please do not leave a message on this voice mail as we will be unable to return your call." Likewise, sending an email via their support form yields only an automated acknowledgement of receipt.

While certainly this inability to contact hi5 does not exonerate Vela, nor should his actions be condoned, it does provide some insight into his frustration. Here is a site servicing at least 25 million unique users per month, financially leveraging those users through targeted advertising sales, yet not offering even a single live body to help ensure those 25 million users are kept secure.

We see a lot of this at ScanSafe - widely trafficked sites with little or no skilled staff to deal with compromise. Of course, in those cases we're talking real malware - backdoors and password stealing Trojans intent on stealing identities. And it's presumably that type of malware that Vela is hoping to spare hi5 users. If only hi5 had the staff to respond.
