[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] MySpace advert infects visitors with spyware

From: Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>
Subject: [WEB SECURITY] MySpace advert infects visitors with spyware
Date: Wed, 19 Jul 2006 11:09:52 -0700

MySpace has had its share of bad press recently and this one appears particularly significant.

Hacked Ad Seen on MySpace Served Spyware to a Million http://blog.washingtonpost.com/securityfix/2006/07/ myspace_ad_served_adware_to_mo.html

"An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company."

The malicious advertisement was hosted by a third-party, DeckOutYourDeck.com. Its unclear whether or not they intended this or someone hacked their machines. The result is the same in either case. In my "Cross-Site Scripting Viruses & Worms" white paper I briefly describe this attack vector. http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

"As XSS virus and worm writers increase their level of sophistication, they’ll begin looking for areas within websites that give immediate access to the most web browsers. The most popular websites, including those with community-driven content, will continue to be the primary targets." ... "But there is also another subtler target--third-party providers of web page widgets including advertising banners, weather and poll blocks, JavaScript RSS feeds, traffic counters, etc."

What's becoming clear is we need view third-party website content as "potentially hostile". Those including MySpace should do more to make sure their includes are safe. Otherwise they'll be unwittingly serving up more mass malware and XSS attacks to visitors.


Regards,

Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.
www.whitehatsec.com
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Prev by Date: Re: [WEB SECURITY] analyzing web application attack data
Next by Date: [WEB SECURITY] PayPal XSS Exploit available for two years?
Previous by thread: [WEB SECURITY] analyzing web application attack data
Next by thread: [WEB SECURITY] PayPal XSS Exploit available for two years?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site