Security Response

MySpace Shockwave Flash Hack

Created: 18 Jul 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:58:40 GMT
Eric Chien

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased use of, and reliance on, Web applications. This past weekend we saw a similar attack, this time on the MySpace social networking site. Web applications are just as vulnerable to certain kinds of exploit, and even more so in some cases. In particular, services that allow people to author and post content under the service's domain must always neuter any active content, such as JavaScript. MySpace fails to do so, allowing an attacker to automatically hijack any user's MySpace page as soon as that user visits an infected MySpace page.

The attack works by using an embedded Shockwave Flash file. The MySpace site allows members to post embedded content, such as movies and Shockwave Flash files, via an HTML “embed” tag. Shockwave Flash files can contain scripting in a language that is simply a variant of JavaScript (known as ActionScript). In this case, the malicious Shockwave Flash file sends the command to start a MySpace blog post and parses the resulting page for the viewing member's session ID parameters. With those session ID parameters, the code can do anything the viewing MySpace member can do, such as adding content to their page. The ActionScript simply sends a request to modify the member's profile page and inserts an embed link to the malicious Shockwave Flash file. This way, any time another MySpace member views the newly infected page, their page becomes infected in turn—and so on—allowing the threat to self-replicate.
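As an added example (not code from the original post or from MySpace), here is the kind of server-side allowlist filter the remedy above implies, written in Python: member-authored HTML is rebuilt from a short allowlist of tags and attributes, so embed, object and script markup and event-handler attributes are discarded, href/src values that are not plain http(s) URLs or that point at .swf files are dropped, and the removed tag names are returned so a profile-save handler can log the attempt. The allowlist itself is an assumption chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"p", "b", "i", "a", "br", "img"}  # illustrative allowlist, an assumption
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
DROP_CONTENT_TAGS = {"script", "object"}  # the tag AND everything inside it go

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a dropped-content element
        self.dropped = []    # removed tag names, so the profile-save handler can log them

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:  # <embed>, <iframe>, <form>, ...
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently drops onload=, onclick=, style=, etc.
            if name in ("href", "src"):
                url = (value or "").strip().lower()
                if not url.startswith(("http://", "https://")):  # javascript:, data:, ...
                    continue
                if url.split("?", 1)[0].split("#", 1)[0].endswith(".swf"):
                    continue  # no Flash movie reachable through an allowed tag either
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS - {"br", "img"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()  # flush anything still buffered by the parser
    return "".join(p.out), p.dropped
```

Because the output is rebuilt from the allowlist rather than produced by deleting known-bad patterns, any tag or attribute the filter does not recognise is dropped by default, which is the property a block-list filter lacks.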

These threats are interesting because they are not “classic” threats where you must download content, save it, and execute it on your machine. They do not modify your local machine; they replicate solely within the context of the service provider (in this case MySpace). So they don't infect your machine per se, but they do infect your virtual space on the service provider's servers, leaving nothing for local security products such as antivirus or desktop firewalls to scan for once that space has been infected.

Thanks to http://www.chaseandsam.com/ and kinematic.theory for the initial heads-up.