MySpace Hit by QuickTime Worm

Can wildly popular social-networking sites such as MySpace.com retain an atmosphere of openness while closing the door
on malicious hackers? That’s the question being debated in the wake of an
attempt to redirect MySpace users to phishing Web sites.

In this latest assault on the News Corp.-owned MySpace, hackers attempted to
steal the user data of MySpace visitors using an Apple QuickTime video and a
vulnerability in the social-networking site.

JavaScript embedded in the QuickTime video runs whenever a visitor watches it. It replaces the links on the user’s profile page with links to phishing sites designed to look like the legitimate MySpace login page, and any user who visits that infected profile page then spreads the worm further.

The phishing attack is also enabled by a cross-site-scripting flaw in
MySpace. Using cross-site scripting, a hacker can create a fake site
identical to an authentic version, according to security firm Websense.

MySpace removed all infected pages and installed a filter that prevents users from including JavaScript code in their profiles, according to Dan
Hubbard, vice president of security research at Websense. Still, danger
remains for so-called Web 2.0 services because, as Hubbard said, you are handing over the reins of security to people not in your control.
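As an added, hypothetical illustration of the kind of profile filter the article describes (example code, not MySpace’s own), here is an allowlist sanitizer in Python: it keeps a few formatting tags, drops script/object/iframe elements together with their contents, drops embed tags and event-handler attributes, and refuses any href or src that is not a plain http(s) link. The sample profile HTML is constructed for the example.

```python
# Hypothetical allowlist-based profile filter (added example, not MySpace's code).
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
CONTAINERS_TO_DROP = {"script", "style", "object", "iframe"}  # drop content too
SAFE_SCHEMES = ("http://", "https://")

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.dropped = []     # tags removed, useful as a detection signal
        self.skip_depth = 0   # >0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in CONTAINERS_TO_DROP:
            self.dropped.append(tag)
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:  # e.g. <embed>
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            # drop on* handlers and anything not on the per-tag allowlist
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                v = (value or "").strip().lower()
                if not v.startswith(SAFE_SCHEMES):  # rejects javascript:, data: ...
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTAINERS_TO_DROP:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS - {"br", "img"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_profile(html):
    """Return (clean_html, list_of_dropped_tags) for user-supplied profile HTML."""
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample: a profile with a QuickTime embed, inline script and a bad link.
SAMPLE = ('<p>Hi! <a href="http://example.com/band">my band</a></p>'
          '<embed src="http://example.invalid/clip.mov" type="video/quicktime">'
          '<script>document.write("x")</script>'
          '<a href="javascript:void(0)" onmouseover="f()">login</a>')
```

A non-empty dropped list is worth logging: a sudden rise in profiles containing script or embed tags is the signal a worm like this one leaves behind.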

“MySpace has moved to minimize the impact on our users by identifying
the URLs that have been attempting to exploit this vulnerability, blocking
them, and scrubbing them from profiles on our site,” Hemanshu Nigam, MySpace chief security officer, said in a statement.

MySpace said it asked Apple to fix QuickTime and has asked for a
criminal investigation into the phishing attempt.

Analysts used this as another opportunity to highlight vulnerabilities inherent in social networks.

“Anywhere there’s a big group of people, there are phishers,” Gartner
analyst John Pescatore said. Although not built with security in mind, “MySpace depends on trust.”

Although MySpace is not ideal for phishing for credit-card numbers,
social-networking sites are a good “vector” for adware, said Jonathan
Singer, a Yankee Group security analyst.

Earlier this year, a video entitled “Friends play a hilarious practical
joke” resulted in MySpace users receiving a flood of pop-up ads,
which slowed their computers to a crawl.

There is always a trade-off between security and usability, Singer said.
Unlike with an online bank, security isn’t
a concern for social-networking enthusiasts. If someone’s account is stolen, a user will simply make another, he said.

However, there is a level of concern among social-networking users when it comes to security. This was clear in September when Facebook users staged protests in response to a new feature that broadcast profile updates.
