Cross Site Scripting Attack hits MySpace. Is AJAX to blame?
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
This is pretty amazing. While not specifically an issue with AJAX, XmlHttpRequest is at the center of the problem.
First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped out the word "javascript" from any text, which would be needed to execute code.
With the help of Internet Explorer, Samy was able to break the word JavaScript into two lines and place script code within a Cascading Style Sheet tag.
The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a "hero" to the visitor's own profile page. To do this without a user's knowledge, the code utilized XMLHTTPRequest - a JavaScript object used in AJAX, or Web 2.0, applications such as Google Maps.