Here’s something from Insecure.org to make Rupert Murdoch choke on his muesli.
Overview
========
Myspace.com provides a site navigation menu near the top of every page.
Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called “Home” which navigates back to the user’s personalized Myspace page which is essentially the user’s “home base” when using the site. As such this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other user’s profile pages.
A content-replacement attack coupled with a spoofed Myspace login page can be used to collect victim users’ authentication credentials. By replacing the navigation menu on the attacker’s Myspace profile page, an unsuspecting victim may be redirected to an external site of the attacker’s choice, such as a spoofed Myspace login page. Due to Myspace.com’s seemingly random tendency to expire user sessions or log users out, a user being presented with the Myspace login page is not out of the ordinary and does not raise much suspicion on the part of the victim.
Impact
======
Users are unexpectedly redirected to a website of the attacker’s choice.
Users may be tricked into revealing their authentication credentials.
Affected Systems
================
Myspace.com: http://www.myspace.com
Here’s GMSV’s account:
Some MySpace users are getting their first taste of an STD — a socially transmitted disease. Identity thieves are using a vulnerability in the popular social network’s navigation to spread a particularly virulent worm that steals log-in credentials and lures users to phishing sites. Attacks begin with a rigged QuickTime video. “Once a user’s MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways,” WebSense explains. “The links in the user’s page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user’s site. Any other users who visit this newly-infected profile may have their own profile infected as well.” MySpace hasn’t revealed the extent of the infection, but an informal scan of 150 user profiles by FaceTime Communications found that close to a third were infected. That same ratio probably doesn’t translate to MySpace’s 73 million registered users — if it did we’d have a Black Death-style Web pestilence on our hands. So in the end this mostly serves as a reminder that everyone needs to pay more attention to security. “We’re continuing to make the same mistakes by putting security last,” Billy Hoffman, lead engineer at Web security specialist SPI Dynamics, recently told News.com. “People are buying into this hype and throwing together ideas for Web applications, but they are not thinking about security, and they are not realizing how badly they are exposing their users.”
