Video Screencast Help
Security Response

MySpace Shockwave Flash Hack

Created: 18 Jul 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:58:38 GMT
Eric Chien's picture
0 0 Votes
Login to vote

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage and reliance on Webapplications. This past weekend we saw a similar attack, but this timeit was on the MySpace social networking site. Web applications are justas vulnerable to certain exploits, and even more so in some cases. Inparticular, services that allow people to author and post content underthe service domain must always neuter any active content such asJavascript. MySpace fails to do so, allowing an attacker toautomatically hijack any user's MySpace page as soon as they visit aninfected MySpace page.

The attack works by using anembedded Shockwave Flash file. The MySpace site allows members to postembedded content, such as movies and Shockwave Flash files, via an HTML“embed” tag. Shockwave Flash files can contain scripting that is simplya variant of JavaScript (known as Action Script). In this case, themalicious Shockwave Flash file would send the command to start aMySpace blog post and parse the page for the viewing member's sessionID parameters. With the session ID parameters, the code can do anythingthe viewing MySpace member can do, such as adding content to theirpage. The action script simply sends a request to modify the member'sprofile page, and then inserts an embed link to the malicious ShockwaveFlash file. This way, any time another MySpace member views the newlyinfected page, their page then becomes infected—and so on, and soon—allowing the threat to self-replicate.

These threats are interesting because they are not “classic” threatswhere you must download content, save it, and execute it from yourmachine. These threats do not modify your local machine, but theyreplicate solely within the context of the service provider (in thiscase MySpace). So, they don't infect your machine per se, but they doinfect your virtual space on the service provider's servers; leavingnothing for local machine security products such as antivirus ordesktop firewalls to scan for after the space has been infected.

Thanks to http://www.chaseandsam.com/ and kinematic.theory for the initial heads-up.