.comment-link {margin-left:.6em;}
Xavier's Security Post
Monday, December 19, 2005
  Last words on that MySpace worm (GodOfTheNoose)
I was able to learn a lot about the XSS worm that affected MySpace a few days ago, and it was a neat little experience. Especially since I was able to take a real live look at it as it actually spread, and affected users. Here are some things that are definitely known:

1) The primary issue was an unsanitized variable by the name of "TheName" which allowed the execution of JavaScript code.
2) A JavaScript (.js) file, which turns out to be a modification of JS/Spacehero-A, was loaded (remotely, from a free host site) and executed under the victims browser.
3) A Flash (.swf) file was created to execute a GetURL() GET request, which included a script src to the JavaScript file mentioned in #2.
4) In the JavaScript file, there were requests to change first, last, and display names, a message from the author was also injected, and the Flash file was embedded into the victims profile.

In essence, visiting an infected profile got you infected. Now, before in my earlier post I said the worm was unsuccessful -- it turns out it did infect and inject itself into as many as 450,000 MySpace users. MySpace has clearly fixed the issue with the unsanitized variable, but as the author of the XSS worm told me -- there are many vectors of attack on the popular website.

One has to wonder though, both JS/Spacehero-A (Samy's worm) and the author of GodOfTheNoose (a variant of JS/Spacehero-A) were non-malicious pieces of code that went as far as editing contents of the victims profile. Will there ever be a situation where a malicious author takes it upon (him|her)self to automate deletions of victim accounts, profile contents, account details? Is MySpace doing anything to prevent further attacks? What can we learn from these mistakes, on behalf of the MySpace developers?

Comments: Post a Comment

Links to this post:

Create a Link

<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /