[WEB SECURITY] MySpace advert infects visitors with spyware

Jeremiah Grossman jeremiah at whitehatsec.com
Wed Jul 19 14:09:52 EDT 2006


MySpace has had its share of bad press recently and this one appears  
particularly significant.

Hacked Ad Seen on MySpace Served Spyware to a Million
http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html

"An online banner advertisement that ran on MySpace.com and other  
sites over the past week used a Windows security flaw to infect more  
than a million users with spyware when people merely browsed the  
sites with unpatched versions of Windows, according to data collected  
by iDefense, a Verisign company."


The malicious advertisement was hosted by a third-party,  
DeckOutYourDeck.com. It's unclear whether or not they intended this or  
someone hacked their machines. The result is the same in either case.  
In my "Cross-Site Scripting Viruses & Worms" white paper I briefly  
describe this attack vector.
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf


"As XSS virus and worm writers increase their level of  
sophistication, they’ll begin looking for areas within websites that  
give immediate access to the most web browsers. The most popular  
websites, including those with community-driven content, will  
continue to be the primary targets." ... "But there is also another  
subtler target--third-party providers of web page widgets including  
advertising banners, weather and poll blocks, JavaScript RSS feeds,  
traffic counters, etc."


What's becoming clear is we need to view third-party website content as  
"potentially hostile". Those including MySpace should do more to make  
sure their includes are safe. Otherwise they'll be unwittingly  
serving up more mass malware and XSS attacks to visitors.


Regards,

Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.
www.whitehatsec.com
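An added example, not part of the original post or of WhiteHat's material: a small audit in JavaScript that lists the third-party includes in a page's HTML and ranks them by the privilege they get, which is one concrete way to act on "treat third-party content as potentially hostile". It uses a simplified tag regex rather than a full HTML parser, the iframe `sandbox` attribute (an HTML5 feature that postdates the post), and a constructed sample page with hypothetical hostnames.

```javascript
// Added example: audit third-party <script> and <iframe> includes in a page.
// Simplified regex tag scanning; sample HTML and hostnames are constructed.

const INCLUDE_TAG = /<(script|iframe)\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one finding per include whose origin differs from pageOrigin.
function auditThirdPartyIncludes(html, pageOrigin) {
  const page = new URL(pageOrigin);
  const findings = [];
  for (const m of html.matchAll(INCLUDE_TAG)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (!attrs.src) continue;              // inline script / srcdoc: no external fetch
    let src;
    try { src = new URL(attrs.src, page); } catch { continue; }
    if (src.origin === page.origin) continue; // first-party include
    let risk, note;
    if (tag === "script") {
      // A cross-origin <script src> runs with the including page's full privilege:
      // it can read cookies, rewrite the DOM and act as the user (XSS-equivalent).
      risk = "high";
      note = "third-party script executes in the page's origin";
    } else if ("sandbox" in attrs && !/allow-same-origin/i.test(attrs.sandbox)) {
      risk = "low";
      note = "iframe is sandboxed (scripts, forms, navigation restricted)";
    } else {
      // Same-origin policy keeps it out of the page DOM, but it may still run
      // scripts and plugins, open popups and navigate the top-level window.
      risk = "medium";
      note = "unsandboxed third-party iframe";
    }
    findings.push({ tag, src: src.href, risk, note });
  }
  return findings;
}

const SAMPLE_ORIGIN = "http://www.example.com";          // constructed
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="http://ads.example-widgets.test/banner.js"></script>
<iframe src="http://ads.example-widgets.test/ad.html"></iframe>
<iframe src="http://poll.example-widgets.test/poll.html" sandbox="allow-scripts"></iframe>
`;
console.log(auditThirdPartyIncludes(SAMPLE_HTML, SAMPLE_ORIGIN));
```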
----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
