[Geeks are Sexy] technology news

Tuesday, December 05, 2006

Warning: Myspace.com Trojaned Navigation Menu & XSS QuickTime Worm

MySpace users beware! It seems that Internet villains have discovered yet another way to take advantage of your favorite social networking site. While browsing my daily list of reads this morning, I stumbled on this post on the Full Disclosure mailing list describing how an attacker can take advantage of Myspace's navigation menu to gain possession of your login credentials. Here are the details:

Myspace.com provides a site navigation menu near the top of every page. Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called "Home", which navigates back to the user's personalized Myspace page, which is essentially the user's "home base" when using the site. As such, this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other users' profile pages.

A content-replacement attack coupled with a spoofed Myspace login page can be used to collect victim users' authentication credentials. By replacing the navigation menu on the attacker's Myspace profile page, an unsuspecting victim may be redirected to an external site of the attacker's choice, such as a spoofed Myspace login page. Due to Myspace.com's seemingly random tendency to expire user sessions or log users out, a user being presented with the Myspace login page is not out of the ordinary and does not raise much suspicion on the part of the victim.

And if this is not enough for you yet, here's something else you guys should also be aware of:

MySpace XSS QuickTime Worm

Websense® Security Labs™ has confirmed the existence of a worm spreading on the MySpace network. This worm is exploiting the JavaScript support within Apple's embedded QuickTime player (1). This is used in conjunction with a MySpace vulnerability that was announced two weeks ago on the Full-Disclosure mailing list (2). The vulnerabilities are being used to replace the legitimate links on the user's MySpace profile with links to a phishing site.
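
Both reports above come down to profile links that look like site navigation but lead off-site, which a site can check for in user-supplied markup before rendering it. The following Python code is an added example, not from this post, Full Disclosure or Websense; `SITE_BASE`, `TRUSTED_HOSTS`, `NAV_LABELS` and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions for this example, not taken from the original post:
SITE_BASE = "https://www.myspace.com/"  # base for resolving relative links
TRUSTED_HOSTS = {"myspace.com"}         # hosts (and subdomains) the site owns
NAV_LABELS = {"home", "sign in"}        # hypothetical navigation-menu labels

# Constructed sample of user-supplied profile markup (not from a real profile).
SAMPLE_PROFILE = """
<a href="/home">Home</a>
<a href="http://login.myspace.com.example.net/">Home</a>
<a href="//example.net/x"><b>Sign</b> In</a>
<a href="http://example.org/band">My band</a>
"""

def is_trusted(host):
    # Exact match or a true subdomain; a trusted name used as a prefix fails.
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

class NavLinkAuditor(HTMLParser):
    """Flag <a> elements whose text imitates site navigation but leaves the site."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        # Normalise the visible label, then resolve the target as a browser would.
        label = " ".join("".join(self._text).split()).lower()
        target = urlsplit(urljoin(SITE_BASE, self._href.strip()))
        on_site = target.scheme in ("http", "https") and is_trusted(target.hostname)
        if label in NAV_LABELS and not on_site:
            self.findings.append((label, self._href))
        self._href = None

def audit_profile(html):
    auditor = NavLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Ordinary off-site links such as the "My band" entry are left alone; only links whose visible text matches a navigation label are reported.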
