[WEB SECURITY] MySpace XSS+Phishing attack using Movies

Jason Muskat, GCFA, GCUX, de VE3TSJ Jason at TechDude.Ca
Mon Dec 4 15:39:36 EST 2006


Hello,

If one searches YouTube for videos on being hacked one can find videos
documenting successful attack vectors. Most recently, users receive an
internal message, akin to an email, which bounces them to a "popup-error"
page which then proceeds to delete all the victim's video posts.

Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason at TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/



From: Billy Hoffman <Billy.Hoffman at spidynamics.com>
Date: Sat, 2 Dec 2006 12:45:55 -0500
To: Web Security <websecurity at webappsec.org>
Conversation: MySpace XSS+Phishing attack using Movies
Subject: [WEB SECURITY] MySpace XSS+Phishing attack using Movies

Short and sweet: HREFs with JavaScript inside of QuickTime images to modify
your profile to insert a fake login screen. pdp was talking about this a
month or 2 back. The article mentions something about "infecting friends"
but I'm not sure if it actually worms itself to other users. Wonder if they
are using XmlHttpRequest like Samy and Yamanner or iFrame remoting.

Original source is here:
http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html

Enjoy,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics: http://www.spidynamics.com

