Cross-Site Scripting (XSS) Examples: The 3 Worst Attacks Ever

By Tibor Moes / Updated: June 2023


Imagine you’re a delivery person with a package addressed to an apartment complex. The doorman isn’t there, so you leave the package at the front door. A passerby sees it, adds a ‘special gift’ inside, and you’ve unwittingly delivered a ticking time bomb. This, in essence, is Cross-Site Scripting (XSS).

Summary

Cross-Site Scripting, or XSS, is a web application vulnerability in which an attacker gets their own script to run in other users’ browsers, in the context of a site those users trust. It happens when the site includes untrusted input (a profile field, a tweet, a URL parameter) in its pages without encoding it for the context it lands in, so the browser reads it as code rather than as text. Because the script runs with the victim’s logged-in session, it can read what the victim sees, act on their behalf, rewrite the page, or send data to the attacker.

Example 1 – MySpace (2005): Perhaps the most notorious XSS attack was the “Samy is my Hero” worm on MySpace. Samy Kamkar exploited a stored XSS vulnerability in MySpace profile pages to plant a self-replicating script: anyone who viewed an infected profile automatically sent Samy a friend request, had “Samy is my hero” written into their own profile, and had the worm copied into their profile as well. In under a day the worm had reached more than one million users.

Example 2 – TweetDeck (2014): In June 2014, TweetDeck, a dashboard app for managing Twitter accounts, fell victim to a stored XSS vulnerability. An innocuous-looking tweet carried a short script; TweetDeck’s web client rendered the tweet text as HTML rather than as plain text, so the script ran in the browser of every TweetDeck user who saw it and made their account retweet the same tweet. Each retweet put the payload in front of more users, so it spread virally until Twitter took TweetDeck offline briefly to fix the rendering bug.

Example 3 – British Airways (2018): Attackers injected malicious JavaScript into the British Airways website, which also reached users of the mobile app. The script skimmed customers’ personal details and payment card data as they were typed into the booking form and sent them to a domain controlled by the attackers, while the legitimate booking completed normally. Around 380,000 transactions were affected. The UK Information Commissioner’s Office announced in 2019 that it intended to fine the airline £183 million; the penalty finally imposed in 2020 was £20 million.

Cross-Site Scripting (XSS) Examples In-Depth

A Friendly Face: The Tale of MySpace and Samy (2005)

Imagine being able to instantly become everyone’s best friend. Exciting, right? In 2005, a user named Samy Kamkar found a way to make that digital dream a reality, but in a way that would shake up the entire landscape of web security.

Samy, the protagonist of our story, was a regular user of MySpace, the social networking site that was all the rage in the mid-2000s. As he navigated the cyber hallways of this virtual hangout spot, Samy noticed a flaw, a chink in the armor of the website’s defenses. This flaw is known as an XSS, or Cross-Site Scripting, vulnerability.

Think of XSS vulnerabilities as an unchecked mailbox in an otherwise secure house. While the doors and windows may be locked, this little opening allows for unexpected, and potentially harmful, content to be delivered.

Equipped with his knowledge of coding, Samy decided to explore this digital ‘mailbox’. He wrote a script, a small piece of JavaScript, and hid it inside what appeared to be a harmless profile update. MySpace did filter the obvious things, such as <script> tags, but the filter was a blocklist, and Samy smuggled his code past it through HTML and CSS attributes the filter allowed (that bypass is exactly why encoding output, rather than filtering input, became the accepted defence). The script was a worm, a self-replicating piece of code, which could automatically copy itself onto other profiles.

Here’s where the magic happened: whenever someone viewed Samy’s profile, the script ran in the viewer’s browser, using that person’s own logged-in MySpace session. With it, the worm sent Samy a friend request, wrote “Samy is my hero” into the viewer’s profile, and copied its own code into that profile too. The next person to view the newly infected profile went through the same steps, and the worm spread like a virtual contagion.
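The mechanics of a stored XSS like this, as an added example that is not MySpace’s code and not the worm’s payload: profile text is saved once and rendered into every visitor’s page, a blocklist filter of the kind MySpace relied on catches the obvious `<script>` tag but not an event-handler attribute, and context-aware output encoding neutralises both. The profile store, the filter and the two payloads are constructed for this illustration.

```javascript
// Added example (not MySpace's code and not the worm's payload): a stored-XSS
// simulation. Profile text is saved once and rendered into every visitor's
// page, so one poisoned profile reaches everyone who views it.
// The profile store, the filter and the two payloads are constructed here.

// In-memory stand-in for the profile database.
const profiles = new Map();

function saveProfile(user, aboutMe) {
  profiles.set(user, { user, aboutMe });
}

// Blocklist filtering of the kind MySpace relied on: strip <script> tags.
// Anything the list does not anticipate passes straight through.
function naiveFilter(html) {
  return html.replace(/<\s*\/?\s*script[^>]*>/gi, '');
}

// Vulnerable renderer: filtered, but still spliced into the page as raw HTML.
function renderProfileVulnerable(user) {
  const p = profiles.get(user);
  return `<h1>${p.user}</h1><div class="about">${naiveFilter(p.aboutMe)}</div>`;
}

// Encoding for HTML element content: the five characters that can change
// the meaning of the surrounding markup become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: every untrusted value is encoded for the context it
// lands in, so the browser can only ever treat it as text.
function renderProfileSafe(user) {
  const p = profiles.get(user);
  return `<h1>${escapeHtml(p.user)}</h1><div class="about">${escapeHtml(p.aboutMe)}</div>`;
}

// Rough stand-in for "would a browser run something here?": a script tag or
// an inline on* event handler that survived into the output.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed payloads: the first is what the blocklist was written for,
// the second needs no <script> tag at all.
const PAYLOADS = {
  scriptTag: '<script>document.title = "owned"</script>',
  eventHandler: '<img src="x" onerror="document.title = \'owned\'">',
};

// Store each payload as the profile text and see what both renderers emit.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    saveProfile('samy', `hello, world! ${payload}`);
    results[name] = {
      vulnerable: containsActiveContent(renderProfileVulnerable('samy')),
      safe: containsActiveContent(renderProfileSafe('samy')),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`: the blocklist reports the plain `<script>` payload as harmless, the `onerror` payload slips through the vulnerable renderer, and the encoding renderer emits nothing executable in either case. The lesson is the one MySpace learned: a filter has to anticipate every way the browser can be made to run code, whereas encoding only has to know which context the value is written into.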

It was a digital flash mob that unfolded over 24 hours. Starting with just one friend, Samy’s network expanded exponentially. By the end of the day, he had over one million new friends, each proclaiming him as their hero!

But there’s a twist. Although this might sound like a humorous prank, the event had serious implications. It highlighted a significant security flaw that needed addressing, not only in MySpace but across all websites. This event led to a greater awareness about web security and the potential harm that XSS attacks can cause, even when orchestrated by a friendly face like Samy’s.

From then on, digital platforms started taking a closer look at their security systems, to ensure no one could ‘befriend’ their entire user base in one fell swoop. The “Samy worm” served as a wakeup call to the world of web applications, underlining the importance of maintaining robust security to keep users safe from the potential havoc of Cross-Site Scripting.

And that, dear reader, is the tale of the first major XSS worm. As we proceed through the annals of cyber history, we’ll see more such incidents, each bringing to light the ever-evolving challenge of keeping our digital spaces safe and secure. But for now, let’s take a moment to appreciate the unexpected lesson from Samy: that even in the realm of cyber security, sometimes it takes a “hero” to show us where our vulnerabilities lie.

A Tweet Too Far: The TweetDeck Incident of 2014

Imagine being at a vibrant party where everyone’s excitedly chatting away. Suddenly, one guest stands up and whispers something. The next thing you know, everyone’s repeating those same words like a catchy chorus. Bizarre? Absolutely! Yet, that’s exactly what happened in the cyber sphere during the TweetDeck incident of 2014.

In the bustling digital city that is Twitter, TweetDeck acts as a personalized command center, a dashboard that lets users manage their tweets and conversations with ease. Back in June 2014, though, this command center came under an unusual attack.

A 19-year-old Austrian named Florian coded a tweet that, unbeknownst to most, had a hidden script embedded within it. This script was the digital equivalent of an infectious whisper, a whisper that spread across the party and made everyone parrot Florian’s words.

To understand how this happened, we need to dive into the concept of Cross-Site Scripting, or XSS. Think of XSS as a ventriloquist’s act, where the attacker (the ventriloquist) tricks a website (the puppet) into delivering a harmful script to the users’ browsers. In the case of TweetDeck, the puppet was the TweetDeck web client, which inserted the text of tweets into its page as HTML instead of as plain text, and the unsuspecting party-goers were its users.

Now, back to our party. Florian’s tweet was more than just text; it was a Trojan Horse hiding a little piece of code. As TweetDeck displayed the tweet, the script ran in each viewer’s browser with that user’s logged-in session and told the client to retweet the very tweet it came from. The result? Thousands of users unknowingly retweeted Florian’s original message, putting the payload in front of yet more TweetDeck users and spreading it even further.
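What a client like TweetDeck has to get right, as an added example that is not TweetDeck’s code: tweet text must become HTML with links for @mentions, #hashtags and URLs, so it cannot simply be dropped in as one string, yet nothing the author typed may become markup. The vulnerable version linkifies the raw text and splices the result into the page; the safe version tokenises first, encodes every piece for its own context, and only turns http(s) URLs into links. The tweet samples, the link targets and the handle limit of 15 word characters are constructed or assumed here.

```javascript
// Added example (not TweetDeck's code): rendering an untrusted tweet into a
// dashboard's HTML. Tweet samples and link targets are constructed here.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The shape of the bug: linkify on the raw text and splice the result into
// the page as HTML. Everything else in the tweet is then markup too.
function renderTweetVulnerable(text) {
  return text.replace(/@(\w+)/g, '<a href="/$1">@$1</a>');
}

// Only http(s) URLs become links; javascript:, data: and the like are shown
// as plain text. The href is attribute-encoded like any other untrusted value.
function safeHref(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return escapeHtml(u.href);
  } catch {
    return null;
  }
}

// Tokenise the raw text first, then encode each piece for its own context.
// The capturing group makes split() return the matches at the odd indices.
const TOKEN = /(https?:\/\/[^\s<>"']+|@\w{1,15}|#\w+)/;

function renderTweet(text) {
  return String(text).split(TOKEN).map((part, i) => {
    if (i % 2 === 0) return escapeHtml(part);                        // ordinary text
    if (part[0] === '@') return `<a href="/${part.slice(1)}">${escapeHtml(part)}</a>`;
    if (part[0] === '#') return `<a href="/search?q=${encodeURIComponent(part)}">${escapeHtml(part)}</a>`;
    const href = safeHref(part);
    return href
      ? `<a href="${href}" rel="noopener noreferrer">${escapeHtml(part)}</a>`
      : escapeHtml(part);                                             // unsafe scheme: text only
  }).join('');
}

// Constructed tweets: markup in the text, an event handler, and a bad scheme.
const SAMPLES = {
  injected: 'look at this <script>alert(1)</script> @alice',
  handler: '<img src=x onerror=alert(1)> #xss',
  schemes: 'try javascript:alert(1) or https://example.com/?a=1&b=2',
};

function renderAll() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    out[name] = { vulnerable: renderTweetVulnerable(text), safe: renderTweet(text) };
  }
  return out;
}

console.log(JSON.stringify(renderAll(), null, 2));
```

Note the order of operations: the text is split before anything is encoded, so the URL pattern runs on what the author actually wrote, and each fragment is then encoded for the place it ends up (element text or an href attribute). Encoding first and linkifying afterwards would let the link regex match across entities such as `&lt;`, which is how rich-text renderers commonly go wrong.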

To their credit, the folks at Twitter quickly cleaned up the mess, disabling TweetDeck for a brief period to get the situation under control. But this event served as a stark reminder of the potential of XSS vulnerabilities to cause digital pandemonium.

The TweetDeck tale is a compelling case study in the world of web security. It demonstrates the necessity of robust security measures to keep users safe from XSS attacks. From Florian’s single tweet grew a cascade of whispers, a cascade that should remind us all of the importance of vigilance in the dynamic realm of cyber security.

Stay with us as we delve further into the chronicles of Cross-Site Scripting, illuminating the lessons learned and the progress made. For now, though, let’s hold onto the echoes of Florian’s tweet – a memorable whisper in the cacophony of our digital conversations.

A Turbulent Flight: The British Airways Breach of 2018

Picture this: You’re at an airport, ready for a trip. You hand over your passport, your ticket, your credit card. You trust that your information will be kept safe. But unbeknownst to you, a sneaky pickpocket has slipped into the crowd and is quietly swiping your details. This is the essence of the British Airways (BA) incident of 2018.

The BA breach wasn’t about airplanes or in-flight service; it was about data security in the airline’s web applications. An uninvited digital pickpocket found a way to infiltrate BA’s otherwise secure cyber environment, resulting in a turbulent journey for both the airline and its customers.

This intrusion is usually filed under Cross-Site Scripting (XSS), because the outcome was the same: attacker-controlled script running in customers’ browsers on a trusted page. Strictly, though, the malicious JavaScript was added to a script file served by the airline’s own website, a web-skimming (Magecart-style) attack rather than a classic XSS through unescaped user input. The distinction matters to defenders: the injection point was not a form field that should have been encoded, but the site’s own code, which had been tampered with. To continue with our analogy, if websites were airports, this was not a trespasser blending in with the crowd but one who had replaced a member of staff.

In the case of BA, this disguised trespasser had a specific agenda: to pilfer the payment data of the airline’s customers. The injected script waited for a customer to submit the booking or payment form, copied the values of the fields (names, addresses, card numbers, expiry dates and security codes) and sent them to a domain controlled by the attackers. The legitimate form still went to BA, so the booking completed and nothing looked wrong to the customer. Users of the mobile app were exposed in the same way, because the app loaded the affected web content.

The breach was vast, affecting around 380,000 transactions between late August and early September 2018. It was like a large-scale digital heist, which went unnoticed until the damage was done. The consequences were severe, both for the customers, whose data was compromised, and for BA. In July 2019 the UK Information Commissioner’s Office announced that it intended to fine the airline £183 million under the GDPR; after BA’s representations, the penalty actually imposed in October 2020 was £20 million, at the time the largest the ICO had ever issued.

The BA incident is a stark reminder of the real-world impact of XSS attacks. It underscores the importance of vigilance and robust security measures in safeguarding user data. The incident prompted digital platforms around the world to re-evaluate and fortify their security defenses.

So, as we wrap up our tour of XSS incidents, remember the lessons from the BA breach. In our interconnected world, the responsibility to ensure digital security is more critical than ever. Let’s continue our journey through the world of web security, armed with the knowledge that staying one step ahead of the sneaky digital pickpockets is the key to a smoother, safer flight in the cyber skies.

Conclusion: Lessons From the World of XSS

As we navigate through the intricate web of online security, the stories of Samy’s MySpace adventure, the TweetDeck whisper, and British Airways’ turbulent flight serve as illuminating beacons. They highlight the fascinating, yet potentially disruptive, role that Cross-Site Scripting (XSS) plays in our digital ecosystem.

Through these tales, we’ve seen how XSS, disguised as a friendly face or a harmless tweet, can swiftly infiltrate our secure spaces, causing everything from harmless pranks to serious data breaches. Yet, these incidents are not simply stories of cyber mischief or digital theft; they’re lessons in resilience and evolution in the face of ever-changing security threats.

The digital landscape continues to grow, and with it, the challenges of ensuring user safety. However, armed with awareness and knowledge, we’re better equipped to tackle these challenges. In this journey, understanding XSS is not just about knowing how Samy became everyone’s hero, or how a tweet turned into a chorus, or how an airline navigated a storm. It’s about staying one step ahead of the hidden threats, ensuring that our digital experiences remain secure and trustworthy.

So, as we close this chapter on XSS, let’s remember the lessons these incidents teach us. After all, the adventure through the annals of web security is a continuous journey, one where the pursuit of safety is our ultimate destination.


Frequently Asked Questions

Below are the most frequently asked questions.

What's the difference between Stored XSS and Reflected XSS?

Stored XSS attacks occur when the malicious script is saved on the target server, in a profile field, a comment or a tweet, as in the MySpace worm and the TweetDeck incident. Every user who later loads that stored content gets the script delivered to their browser. Reflected XSS attacks happen when the script arrives in a single request, typically in a link the victim is tricked into clicking or a form they submit, and the server echoes it straight back into the response without encoding it, so only the person who sent the request is affected. A third variety, DOM-based XSS, never reaches the server at all: JavaScript already running in the page reads attacker-controlled data (from the URL, for instance) and writes it into the document unsafely.

How can I protect myself from XSS attacks?

XSS is a flaw in the website, so users cannot fully protect themselves, but they can limit their exposure. Keep your browser up to date, be cautious of unexpected links, especially long ones with odd characters in them, because reflected XSS relies on you opening such a link while logged in, and log out of sensitive sites when you are finished so a script cannot act with your session. Script-blocking extensions add protection on sites you don’t trust, at some cost in convenience.

Are websites doing anything to prevent XSS attacks?

Yes, well-run websites implement several layers of defence. The primary one is context-aware output encoding: every untrusted value is encoded for the place it is written into (HTML text, an attribute, a URL, JavaScript), usually through a templating engine that escapes by default. Input validation narrows what is accepted in the first place. A Content Security Policy header limits which scripts a browser will run and where a page may send data, so an injected script has less room to act, and marking session cookies HttpOnly keeps them out of reach of any script. Despite all this, no system is entirely foolproof, and new vulnerabilities can be discovered over time. That’s why it’s crucial for web developers to stay up-to-date on the latest security practices.

Author: Tibor Moes

Founder & Chief Editor at SoftwareLab

Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.

Over the years, he has tested most of the best antivirus software for Windows, Mac, Android, and iOS, as well as many VPN providers.

He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.
