An Apple QuickTime exploit is using MySpace's enormous user base to launch a blended cross-site scripting attack that, if successful, steals users' log-in credentials and installs adware on victims' machines, security researchers said today.
The fast-spreading attack took hold over the weekend and could be affecting as many as one in three of the social networking site's more than 130 million users, said Chris Boyd, director of malware research at FaceTime Communications.
"It's quite a nasty one," he told SCMagazine.com. "It's all over the place. You've just got to visit a (profile) page with a QuickTime movie on it. It is tempting to advise people to just not use MySpace until they fix it. There's an extremely high probability you will get hijacked by it."
Hemanshu Nigam, MySpace's CSO, said the site has temporarily blocked profiles that contain the flaw and has asked federal authorities to launch an investigation.
The worm attack is caused by QuickTime files that trigger JavaScript coding, he said. Once users visit profile pages containing the infected QuickTime file, the file also is embedded on their page, which simultaneously is overlaid with a fake navigation bar. Should they click on that navigation bar, they will be asked to re-enter their username and password on a rogue page hosted on a hacked server.
Malicious attackers steal these credentials to send out spam to "friends" of the victim in a section on MySpace pages that permit users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," Boyd said.
Should users click on the screenshot, they will be directed to pornographic site called "Vidchicks" that contains Zango adware, he said. The site's webmaster profits each time someone installs the adware.
"Obviously the reason behind this attack is financial," Boyd said. "They've gone through a lot of time and effort to spam these things across the MySpace network to drive (victims) to this site."
"The safety and security of our users is a top priority for MySpace," Nigam said in a statement. "When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix. While waiting for Apple to release their fix, MySpace has moved to minimize the impact on our users by identifying URLs that have been attempting to exploit this vulnerability, blocking them, and scrubbing them from profiles on our site. We also have asked federal law enforcement to initiate a criminal investigation to identify and bring to justice those responsible."
Nigam told SCMagazine.com last week that the site often relies on security from third party application providers - in this case Apple. QuickTime now supports JavaScript, which allows users to "query and control QuickTime movies in a webpage," according to Apple's Developer Connection website.
But Boyd said this functionality opens the door for the attack. An Apple spokeswoman did not return a telephone call seeking comment.
Nigam said users also should be weary of logging into a spoofed MySpace site. Members should always check the address bar to ensure they are inserting their credentials on the real login page.
