XSS worm

An XSS worm, sometimes referred to as a cross site scripting virus, is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that breaches browser security to propagate among visitors of a website in the attempt to progressively infect other visitors. They were first mentioned in 2002 in relation to a cross site scripting vulnerability in Hotmail.

XSS worms exploit a security vulnerability known as cross site scripting (or XSS for short) within a website, infecting users in a variety of ways depending on the vulnerability. Such site features as profiles and chat systems can be affected by XSS worms when implemented improperly or without regard to security. Often, these worms are specific to a single web site, spreading quickly by exploiting specific vulnerabilities.

Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace, Yahoo!, Orkut, Justin.tv, Facebook and Twitter. These worms can be used for malicious intent, giving an attacker the basis to steal personal information provided to the web site, such as passwords or credit card numbers.

Several XSS worms have affected popular web sites.

The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours. The virus' author was sued and entered a plea agreement to a felony charge.

Justin.tv is a video casting website with an active user base of approximately 20 thousand users. The cross-site scripting vulnerability that was exploited was that the "Location" profile field was not properly sanitized before its inclusion in a profile page.

...
Wikipedia