RealTime IT News

MySpace Hit by QuickTime Worm

Can wildly popular social-networking sites such as MySpace.com retain an atmosphere of openness while closing the door on malicious hackers? That's the question being debated in the wake of an attempt to redirect MySpace users to phishing Web sites.

In this latest assault on the News Corp.-owned MySpace, hackers attempted to steal the user data of MySpace visitors using an Apple QuickTime video and a vulnerability in the social-networking site.

JavaScript embedded in the QuickTime video runs when visitors watch it. It replaces the links on a user's profile page with links to phishing sites designed to look like the legitimate MySpace login page; any user who then visits the infected profile page spreads the worm further.

The phishing attack is also enabled by a cross-site-scripting flaw in MySpace. Using cross-site scripting, a hacker can create a fake site identical to the authentic version, according to security firm Websense.

MySpace removed all infected pages and installed a filter that prevents users from including JavaScript code in their profiles, according to Dan Hubbard, vice president of security research at Websense. Still, danger remains for so-called Web 2.0 services because, Hubbard said, you are handing over the reins of security to people not in your control.

"MySpace has moved to minimize the impact on our users by identifying the URLs that have been attempting to exploit this vulnerability, blocking them, and scrubbing them from profiles on our site," Hemanshu Nigam, MySpace chief security officer, said in a statement.

MySpace said it asked Apple to fix QuickTime and has asked for a criminal investigation into the phishing attempt.

Analysts used this as another opportunity to highlight vulnerabilities inherent in social networks.

"Anywhere there's a big group of people, there are phishers," Gartner analyst John Pescatore said. Although not built with security in mind, "MySpace depends on trust."

Although MySpace is not ideal for phishing for credit-card numbers, social-networking sites are a good "vector" for adware, said Jonathan Singer, a Yankee Group security analyst.

Earlier this year, a video entitled "Friends play a hilarious practical joke" resulted in MySpace users receiving a flood of pop-up ads, which slowed their computers to a crawl.

There is always a trade-off between security and usability, Singer said. Unlike with online banking, security isn't a concern for social-networking enthusiasts. If someone's account is stolen, the user will simply make another, he said.

However, there is a level of concern among social-networking users when it comes to security. This was clear in September when Facebook users staged protests in response to a new feature that broadcasted profile updates.