PHPmagazine reported (Oct 17 2005):


In a quick note from Ilia Alshanetsky, "To all the people who carelessly claim that Cross Site Scripting (XSS) is not a real security problem, here is definitive proof that the threat is quite real. A very creative user of MySpace, Samy, created a little self-propagating worm via a stored XSS attack."


"He was able to inject raw HTML into his profile by breaking the normally disallowed "javascript" into components, relying on IE to "combine" it back together. This code snippet then utilized XMLHTTPRequest, usually used for Ajax, to execute a request in the background that would cause the viewer to transparently add Samy (author of the trick) to their buddy list. The "worm" component of the hack used the same code to insert the attack HTML sequence into the profiles of compromised users, allowing the hack to self-propagate."


If you want details, here they are:
Samy's Hack Overview
Technical details of Samy's attack process
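
The filter weakness described in the quote (a disallowed word that still works once the browser recombines it) can be shown from the defender's side. The following is an added example, not code from MySpace, Samy or the quoted note: it compares a literal-substring blocklist with a check that normalizes a URL value before allowlisting its scheme. The function names, the sample inputs and the assumption that the separator is whitespace or a control character are constructed for illustration.

```javascript
// Added example; function names and sample values are constructed.

// Weak: rejects a value only when the literal word "javascript" is present.
function naiveBlocklist(value) {
  return !/javascript/i.test(value); // true means "accepted"
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric character references so "&#10;" is treated like a raw newline.
function decodeNumericEntities(s) {
  const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)));
}

// Stronger: normalize first, then allow only known schemes (or no scheme).
function isSafeUrl(value) {
  // Assumption: a lenient browser may ignore whitespace and control
  // characters inside the scheme, so drop them before inspecting it.
  const normalized = decodeNumericEntities(value)
    .replace(/[\u0000-\u0020\u007f]/g, "");
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!match) return true; // relative URL, no scheme present
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Constructed inputs; void(0) is a harmless stand-in for script content.
const SAMPLES = [
  "javascript:void(0)",
  "java\nscript:void(0)",
  "java&#10;script:void(0)",
  "JaVa\tScRiPt:void(0)",
  "https://example.com/a b",
  "/profile/view?id=1",
];

// Run both checks over every sample so the disagreement is visible.
function compare(samples) {
  return samples.map((s) => ({
    input: s, naive: naiveBlocklist(s), hardened: isSafeUrl(s),
  }));
}

console.table(compare(SAMPLES));
```

The rows where `naive` is true and `hardened` is false are the ones a word-matching filter lets through; allowlisting the scheme after normalization rejects them without needing to enumerate every way the word can be split.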