[WEB SECURITY] MySpace XSS+Phishing attack using Movies

Jason Muskat, GCFA, GCUX, de VE3TSJ Jason at TechDude.Ca
Mon Dec 4 15:39:36 EST 2006


If one searches YouTube for videos on being hacked one can find videos
documenting successful attack vectors. Most recently, users receive an
internal message, akin to an email, which bounces them to a "popup-error"
page which then proceeds to delete all the victim's video posts.


Jason Muskat  | GCFA, GCUX - de VE3TSJ
e. Jason at TechDude.Ca
m. 416 .414 .9934


From: Billy Hoffman <Billy.Hoffman at spidynamics.com>
Date: Sat, 2 Dec 2006 12:45:55 -0500
To: Web Security <websecurity at webappsec.org>
Conversation: MySpace XSS+Phishing attack using Movies
Subject: [WEB SECURITY] MySpace XSS+Phishing attack using Movies

Short and sweet: HREFs with JavaScript inside of QuickTime images to modify
your profile to insert a fake login screen. pdp was talking about this a
month or 2 back. The article mentions something about "infecting friends"
but I'm not sure if it actually worms itself to other users. Wonder if they
are using XMLHttpRequest like Samy and Yamanner or iFrame remoting.

Original source is here:

Billy Hoffman
Lead Researcher, SPI Labs
SPI Dynamics: http://www.spidynamics.com
