[note: Marcel and Kyle have historically not gotten the right amount of credit for this stunt, so if you repeat this story please be sure to mention them.]
Around the end of 2005, I worked on a series of hacks and pranks on Facebook with my friends Marcel Laverdet and Kyle Stoneman. One of these pranks was an XSS-based worm that spread through Facebook profiles by way of an unsanitized profile field (Websites).
Our worm code would rapidly and silently copy itself from profile to profile, spreading virally through friends viewing one another’s profiles. The code itself was run off of an off-site server under my control, so at any time I could change the script that was running on everyone’s profiles.
Before seeding the worm, Marcel and I wrote a tiny JS library that replicated a bunch of FB functionality like adding a friend, poking, messaging, wall posts, etc. This let us quickly modify the master script to do different things with the controlled accounts. I then made the first “generation” of the worm include this library and upon execution, silently send a friend request to my test account. This way I could easily track the number of infected users as the outstanding friend request number ticked up on my homepage.
Meanwhile, Marcel and Kyle were working on the comedy: a CSS stylesheet that perfectly re-styled Facebook profiles into MySpace profiles (circa 2005). It was really impressive work and rearranged all the fields on the profile into MySpace’s ugly boxes and color scheme.
So the first generation of the worm had three symptoms when you viewed an infected profile: (a) It friended my test account; (b) It re-styled the profile to look like MySpace; (c) It copied itself to your own profile.
The modified profiles lasted less than a day before Facebook started getting complaints. And this quickly led to a series of hilarious friend requests from numerous employees at Facebook as they got infected, including internal test accounts known as “The Creator”. Seeing that infection we thought we got Mark Zuckerberg at that point and declared the operation a smashing success. [note: “The Creator” was not Zuck’s account, and I’m not actually sure if he got hit with the worm or not]
In hindsight, we thought we should have spread the worm as much as possible without any visible symptoms. But at the time I was highly confident Facebook would detect the XSS vector before we’d get very far at all, so I wanted to get as many profile views with the custom stylesheet as possible. Kyle and Marcel are still kicking me for that one. We had other opportunities for fun later though, including a second smaller worm that spread through photo captions where Marcel had the worm post random messages to random friends’ walls (e.g., “Hey, nice shoes.” or “This wall is now about trains.”).
As fixes started rolling out for the worm, I got a message in my personal Facebook inbox from co-founder Dustin Moskovitz. His knowledge of my identity didn’t come as much of a surprise since the worm’s interaction with my account was a dead giveaway and we even went out of our way to provide contact information in the source code and CSS file. I’m having a hard time finding the exact text of his message right now, but it was along the lines of “Hey, this was funny but it looks like you are deleting contact information from users’ profiles when you go to replicate the worm again. That’s not so cool.” This then led to a lot of back-and-forth between myself and Dustin where I explained the worm in detail and other holes I had found and planted worms within. He was incredibly friendly about the whole thing and we continued talking fairly frequently over AIM for a month or so. I pulled a couple more dumb stunts during this time, in particular locking up several college databases testing SQL injection holes.
At the time I was getting pretty bored with college at Georgia Southern University and really wanted to move to Silicon Valley anyway. In January of 2006 I had a friend in San Francisco who offered me an interview at his company, which seemed like a great opportunity to get out. I told Dustin about this and he immediately offered me an interview with Facebook.
Now, this seemed pretty nice and all, but this was a period in tech history where MySpace had just gone through something extremely similar–guy makes harmless XSS worm, company offers to hire him–but in their case, they had him arrested as he arrived at LAX and turned him into a convicted felon. See http://en.wikipedia.org/wiki/Samy_(XSS)
With Samy in mind I saved up a lot of extra cash and brought a friend with me to California to help in case things went south at the “interview.” But everything was uneventful up until I was standing outside Facebook’s office in Palo Alto. At that point I got pretty worried they’d change their tune once I got inside. I got in the elevator, it went up to the 2nd floor where I was to meet Dustin, and the doors opened with Dustin–not cops–standing right in front of me. This was an enormous relief for me, with the subsequent interviews really easy on my nerves in comparison. [Dustin recently joked that “it’s just a really long con; the cops will be waiting for you!”]
I was hired right away and actually started working just a few days after the interview. Later that summer, we were able to convince Marcel to drop out of school and join. Kyle was less interested in Facebook at the time and has since graduated school and continued working on various tech projects in the political world in Washington D.C.
I will be forever grateful that the company was so sympathetic toward people like myself. It’s one of the things that really sets Facebook apart with its passion for scrappy, hacker-type engineers.