An Apple QuickTime exploit is using MySpace's enormous user base to launch a blended cross-site scripting attack that, if successful, steals users' log-in credentials and installs adware on victims' machines, security researchers said today.
The fast-spreading attack took hold over the weekend and could be affecting as many as one in three of the social networking site's more than 130 million users, said Chris Boyd, director of malware research at FaceTime Communications.
"It's quite a nasty one," he told SCMagazine.com. "It's all over the place. You've just got to visit a (profile) page with a QuickTime movie on it. It is tempting to advise people to just not use MySpace until they fix it. There's an extremely high probability you will get hijacked by it."
Hemanshu Nigam, MySpace's CSO, said the site has temporarily blocked profiles that contain the flaw and has asked federal authorities to launch an investigation.
Malicious attackers steal these credentials to send out spam to "friends" of the victim in a section on MySpace pages that permits users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," Boyd said.
Should users click on the screenshot, they will be directed to a pornographic site called "Vidchicks" that contains Zango adware, he said. The site's webmaster profits each time someone installs the adware.
"Obviously the reason behind this attack is financial," Boyd said. "They've gone through a lot of time and effort to spam these things across the MySpace network to drive (victims) to this site."
"The safety and security of our users is a top priority for MySpace," Nigam said in a statement. "When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix. While waiting for Apple to release their fix, MySpace has moved to minimize the impact on our users by identifying URLs that have been attempting to exploit this vulnerability, blocking them, and scrubbing them from profiles on our site. We also have asked federal law enforcement to initiate a criminal investigation to identify and bring to justice those responsible."
But Boyd said this functionality opens the door for the attack. An Apple spokeswoman did not return a telephone call seeking comment.
Nigam said users also should be wary of logging into a spoofed MySpace site. Members should always check the address bar to ensure they are entering their credentials on the real login page.