Basically the worm was XSS embedded in someone’s profile on MySpace. When someone would view the profile, they would execute the JavaScript in their own browser. The payload of the XSS was Ajax which would make GET and POST requests to MySpace, adding the XSS payload to that user’s profile. This spreads the worm!
We couldn't do that before Google forced the introduction of JavaScript HTTP requests to all major browsers. :o It is the same story all over again. A technology gets an update, people get more toys to hack with. Sweet. :)

RE: BetaNews | Cross-Site Scripting Worm Hits MySpace
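The spread step described above, modelled as an added example (not code from the original post or from MySpace): it compares a renderer that places profile text into the page verbatim with one that HTML-encodes it on output, and counts how many profiles end up carrying the marker. The names `MARKER`, `renderRaw`, `renderEncoded` and `simulate`, the user list and the visit chain are all constructed for illustration; nothing touches a network or a real browser.

```javascript
// Added teaching model: no real payload, no network. A "profile" is a string;
// MARKER is a constructed stand-in for self-copying script content.
const MARKER = "<script>/* constructed stand-in for the worm */</script>";

// HTML-encode text so the browser treats it as data, not markup.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable renderer: profile text is placed into the page verbatim.
const renderRaw = profile => `<div class="profile">${profile}</div>`;
// Hardened renderer: profile text is encoded on output.
const renderEncoded = profile => `<div class="profile">${encodeHtml(profile)}</div>`;

// Model of a browser: script "runs" only if a live <script> tag reaches the page.
const scriptRuns = html => /<script\b/i.test(html);

// Each visit is [viewer, owner]. If the owner's page runs script in the
// viewer's session, the viewer's own profile gains the marker (the spread step).
function simulate(render, users, visits) {
  const profiles = new Map(users.map(u => [u, `Hi, I'm ${u}`]));
  profiles.set(users[0], profiles.get(users[0]) + MARKER); // first carrier
  for (const [viewer, owner] of visits) {
    const page = render(profiles.get(owner));
    if (scriptRuns(page) && !profiles.get(viewer).includes(MARKER)) {
      profiles.set(viewer, profiles.get(viewer) + MARKER);
    }
  }
  // Number of stored profiles that contain the marker after all visits.
  return [...profiles.values()].filter(p => p.includes(MARKER)).length;
}

const users = ["a", "b", "c", "d"];                  // constructed users
const visits = [["b", "a"], ["c", "b"], ["d", "c"]]; // constructed visit chain
console.log("raw output:    ", simulate(renderRaw, users, visits), "profiles carry the marker");
console.log("encoded output:", simulate(renderEncoded, users, visits), "profiles carry the marker");
```

With encoding on output the marker stays stored in the first profile but never becomes live markup in a viewer's page, so the chain stops at one.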