[WEB SECURITY] MySpace XSS+Phishing attack using Movies

Billy Hoffman Billy.Hoffman at spidynamics.com
Sat Dec 2 12:45:55 EST 2006

Short and sweet: HREFs with JavaScript inside of QuickTime images to modify your profile to insert a fake login screen. pdp was talking about this a month or 2 back. The article mentions something about "infecting friends" but I'm not sure if it actually worms itself to other users. Wonder if they are using XmlHttpRequest like Samy and Yamanner or iFrame remoting.

Original source is here:

Billy Hoffman
Lead Researcher, SPI Labs
SPI Dynamics: http://www.spidynamics.com