Samy Kamkar

From Wikipedia, the free encyclopedia
Occupation: Security researcher
Known for: Releasing the Samy worm, Evercookie, and iPhone, Android and Windows Mobile phone tracking research

Samy Kamkar is a security researcher, possibly best known for creating the Evercookie and the MySpace worm Samy (XSS), as well as his discovery that the Apple iPhone, Google Android and Microsoft Windows Phone mobile devices transmit GPS and Wi-Fi information to their parent companies.


Work

Samy Worm

In 2005, Kamkar released the Samy worm, the first self-propagating cross-site scripting worm, onto MySpace.[1] The worm carried a payload that displayed the string "but most of all, Samy is my hero" on a victim's profile. When a user viewed that profile, the payload was planted on their own page. Within just 20 hours[2] of its October 4, 2005 release, over one million users had run the payload,[3] making Samy the fastest-spreading virus of all time.[4] The worm caused MySpace to crash. Kamkar pled guilty to a felony charge of computer hacking in Los Angeles Superior Court, and he agreed not to use a computer for three years. Since 2008, Kamkar has been doing independent computer security research and consulting.[5]

Evercookie

In 2010, Kamkar released Evercookie, a cookie that "apparently cannot be deleted".[6][7]

Mobile Research

In 2011, Kamkar discovered that iPhone, Android and Windows Phone mobile devices were continuously sending GPS coordinates, correlated to Wi-Fi MAC addresses, back to Apple, Google and Microsoft respectively.[8][9] The iPhone would continue to send location data "even when the location services were turned off".[10] The Windows Phone would also continue to send location data "even when the user has not given the app permission to do so". He discovered that some of this data was exposed by Google, and he released Androidmap, a tool exposing Google's database of Wi-Fi MAC addresses correlated to the physical coordinates populated by Android phones.[11]

References

  1. "Cross-Site Scripting Worm Hits MySpace". Betanews. October 13, 2005. http://www.betanews.com/article/CrossSite-Scripting-Worm-Hits-MySpace/1129232391
  2. MySpace Worm Explanation
  3. "Cross-Site Scripting Worm Floods MySpace". Slashdot. http://it.slashdot.org/it/05/10/14/126233.shtml?tid=172&tid=95&tid=220
  4. http://net-security.org/dl/articles/WHXSSThreats.pdf
  5. "Background Data". The Wall Street Journal. April 22, 2011. http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html
  6. "'Evercookie' is one cookie you don't want to bite". MSNBC. September 22, 2010. http://technolog.msnbc.msn.com/_news/2010/09/22/5157641-evercookie-is-one-cookie-you-dont-want-to-bite-
  7. "New Web Code Draws Concern Over Privacy Risks". The New York Times. October 10, 2010. http://www.nytimes.com/2010/10/11/business/media/11privacy.html
  8. "Apple, Google Collect User Data". The Wall Street Journal. April 22, 2011. http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html
  9. "Microsoft collects phone location data without permission". CNET Networks. September 2, 2011. http://news.cnet.com/8301-31921_3-20100228-281/microsoft-collects-phone-location-data-without-permission-says-researcher/
  10. "Jobs Tries to Calm iPhone Imbroglio". The Wall Street Journal. April 28, 2011. http://online.wsj.com/article/SB10001424052748703367004576288790268529716.html
  11. "Google's Wi-Fi Database May Know Your Router's Physical Location". Huffington Post. April 25, 2011. http://www.huffingtonpost.com/2011/04/25/android-map-reveals-router-location_n_853214.html
