Warning: Myspace.com Trojaned Navigation Menu & XSS QuickTime Worm
MySpace users beware! It seems that Internet villains have discovered yet another way to take advantage of your favorite social networking site. While browsing my daily list of reads this morning, I stumbled on this post on the Full Disclosure mailing list describing how an attacker can take advantage of Myspace's navigation menu to gain possession of your login credentials. Here are the details:
Myspace.com provides a site navigation menu near the top of every page. Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called "Home" which navigates back to the user's personalized Myspace page which is essentially the user's "home base" when using the site. As such, this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other users' profile pages.
A content-replacement attack coupled with a spoofed Myspace login page can be used to collect victim users' authentication credentials. By replacing the navigation menu on the attacker's Myspace profile page, an unsuspecting victim may be redirected to an external site of the attacker's choice, such as a spoofed Myspace login page. Due to Myspace.com's seemingly random tendency to expire user sessions or log users out, a user being presented with the Myspace login page is not out of the ordinary and does not raise much suspicion on the part of the victim.
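A defender-side check for the outcome described above, added here as an example that is not part of the advisory or of this post: it flags any link labelled "Home" in a profile page whose target leaves myspace.com. The label set, function names and sample markup are assumptions constructed for illustration; the advisory does not say how the menu is replaced, so the check looks only at where the link ends up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "myspace.com"   # site named in the advisory
NAV_LABELS = {"home"}            # assumed label set: the menu link the advisory singles out

# Constructed sample markup (not taken from any real profile).
SAMPLE = """
<a href="http://www.myspace.com/">Home</a>
<a href="http://login.example.net/index.cfm"> <b>Home</b> </a>
<a href="//myspace.com.example.net/">HOME</a>
<a href="http://blog.example.org/">My blog</a>
"""

class NavLinkCollector(HTMLParser):
    """Collect (visible label, href) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._href, self._text, self.links = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((label, self._href))
            self._href = None

def stays_on_site(href):
    """True for relative links and http(s) links to the trusted domain."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False                      # unparsable target: treat as untrusted
    if not parts.scheme and not parts.netloc:
        return True                       # relative link, resolved against the site
    on_domain = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    return parts.scheme in ("http", "https") and on_domain

def suspicious_nav_links(html):
    """Links that look like the navigation menu but point off-site."""
    collector = NavLinkCollector()
    collector.feed(html)
    collector.close()
    return [(l, h) for l, h in collector.links
            if l.lower() in NAV_LABELS and not stays_on_site(h)]
```

The host comparison is on the full hostname or a dot-delimited suffix, so look-alike hosts that merely begin with `myspace.com` are still flagged.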
And if this is not enough for you yet, here's something else you guys should also be aware of:
MySpace XSS QuickTime Worm