CATEGORIES
- NYC COVERAGE
- WEB STARTUPS
- WEB NEWS
- CONFERENCES
- WEB TECH JOBS
- VENTURE CAPITAL
- MICROSOFT
- INTERVIEWS
- ADVERTISING
- VIDEO
- ALL TOPICS
- ALL COMPANIES
CONTRIBUTORS
- ADRIAN CHAN
- ALICIA NAVARRO
- ALLEN STERN
- CORSIN CAMICHEL
- DRAMA 2.0
- DARREN HERMAN
- HANK WILLIAMS
- MARK DAVIS
- RICK TUROCZY
- SANFORD DICKERT
- SHANNON CLARK
- Comment on Breaking: Yankee Fan Tweets Boston Red Sox Fan by Alex Wilhelm
- Comment on Breaking: Yankee Fan Tweets Boston Red Sox Fan by Holden Page
- Comment on Breaking: Yankee Fan Tweets Boston Red Sox Fan by ss
- Comment on My life without Google by USA Celebrates Its Independence; We All Celebrate Our Google Dependence | CenterNetworks
MySpace Hacked Using Simple HTML Exploit - Alicia Keys and Others Targeted
It appears a new hack and exploit has appeared on MySpace - Alicia Keys profile is affected along with a variety of others to-date. The hack and exploit is pretty simple but very "deadly". Basically a user puts a link to the infected ste with just a simple href tag (no script tag) using some css to position the element anywhere that an element doesn’t already live. So if you mis-click, you get sent to the infected site and it prompts you to install a codec to listen to Alicia’s music. Of course it’s not a codec, it’s some sort of virus.
Roger Thompson from Exploit Prevention Labs sent over the following information and video.
Roger tells us it’s MySpace that has been hacked, as opposed to the bad guys getting the usernames and passwords of a few bands (other bands hit include "Greements of Fortune," a French funk band, "Dykeenies," a rock band from Glasgow, and several others.
When a visitor visits the infected page, they’re first hit by an exploit (which installs malware in the background if they’re not fully patched against the latest security vulnerabilities), and next they’re presented with a Fake Codec which tells them they need to install a codec to view the video. So even if they’re patched, they can fallvictim to the exploit.
Perhaps most interesting, the bad guys are using a creative hack we haven’t seen before: The HTML in the page contains some sort of image map, which basically makes it so you can click on anything over a wide area on the page and your click is directed to the malicious hyperlink. We tested it and even the ads were affected.
Here is a video overview of the exploit. PLEASE DO NOT CLICK THE LINK ON ALICIA’S PAGE.
http://www.macworld.com/news/2007/11/01/myspacehack/index.php
and whats more, the guy who found it has been hammering myspace since then to get this shut down. im not really interested in security stuff unless its myspace, so i cant work out how these new guys wouldnt have been aware this story wasnt all over the news last week, especially as the guy who found it is a well known security researcher.
We should not click anything suspicious there.
hackers aren’t idiots
it’s you guys who use Internet Explorer are the idiots
if your talking about security on the internet, why don’t you try a secure browser
http://getfirefox.com
^^^ Firefox isn’t safe either, fyi. Though it is safer than IE. I recommend firefox with noscript and adblock if you care.
Corey:
Don’t be a fool. It’s not a browser exploit. The malicious site however does target IE specifically. So in that sense T is right on the money.
T:
The exploit isn’t using a script. It’s basic HTML and CSS.
This is OLD news.
Slightly different twist on an existing vulnerability.
Hacks like this has been on MySpace for a while now.
Just browse thru random profiles & look at the comments.
I’d say easily 1 out of every 4 has a phony embedded video link.
You know the vids with the girl just about to take her top off or the kids fighting, you click it to see the video and instead of video, you get a variety of malware or phishing attempts, most all from .cn domains.
At this stage, MySpace should simply ban anything trying to redirect to a .cn domain, my bet is %99 of those are malicious.
test
That’s not a exploit, this is just fucking nothing. Stop advertasing..
2 words…
Job security.
We also have tools on our site that detect that hack, as well.
Markus Diersbock
You mean all those Macy’s ads and free iPod offers disguised as personal messages are fake?
I must be logged in to do that? Wait, aren’t I already logged in?
I want my free macy’s bag, iPod, and some hawt videos of college girls in super low res. yeah!@
Since when do you need a codec to play a FLASH VIDEO anyway?.
Seems like messages are 90% abuse and spam on myspace. i generally delete the person sending them to me.
this isn’t new really, but maybe its new to the author.
I like “idiots? yes” reply. What a loser. lol
i <3 firefox and open source of the world. good thing i dont like alicia keys.
“It’s very interesting stuff and it’ll catch a bunch of people.”
lol! That was my favorite line of the whole video, the way he said it in sort of monotone was hilarious
I am tagging you a troll. Stupid browser war BS. Not even getting involved *cough* Opera *cough*.
Assuming that any browser, System, Or O.S. Is more secure based solely off of past performance is similar to trusting in ’security through obscurity’. There are MANY exploits that have targeted Firefox, Opera, netscape, safari, and of course IE. The reason you see so many on Internet explorer is twofold. 1. updates are less frequent, since its closed development, closed source. 2. Despite the advantages to other browsers, it is still the most used browser. Hackers take demographics into account and often depend on deception, social engineering, and outwitting their ‘prey’. Develop for the platform / browser that effects the most people… WinXpsp2, Iexplorer 7. Thats how vuln research goes.
I think you mean, “That’s not aN exploit…”, Ali G.
So basically the developers of MySpace didn’t think it was nesscessary to escape html code being entered in comments.
This is a known problem, it’s been a known problem for many years. Incompetence is a wonderful thing.
Dude, grow up and change over to Firefox. No more activex shit. Come over to Linux and no more unauthorised software. Life’s easy with Firefox and Linux !! :)
Firefox CSS is still very limited compared to IE’s almost unrestricted CSS capability.
People who do not pay attention and do not think before clicking deserve what they get. Because I believe any sane person would (should) think something is up as soon as a Chinese website came up. Alicia Keys is not Chinese. And she doesn’t sing Chinese tunes. That would have made me go back and definitely say no to a codec install. When I know good n well that MySpace’s player does not require a codec, just a flash plugin.
To may stoopid people on the net.
this one is a very new twist on the famous old swf & jpg infected file redirects…this is why software developers and publishers have to leave proprietary standards and adopt open source standards. Paying for software is what is causing all of this bs…if the code is out in the open, subject to review by all involved, then doing stupid things like these hackers would be impossible.
linux is not easy to install, i’ve tried installations on several computers, different distros too, i always run into some crazy problem then i have to hunt forever on message boards for the solution and the solution is always in CS major speak, and there are tons of lines of potentially disastrous code they want you to put in, which i have done, then it messes it up worse. i love open source, i really wish linux was easy to install but its not, in fact i have a computer here that won’t even boot because i tried to install puppy linux and it was suggested i copy GRUB to the MBR, now the only solution i know of is to fix the MBR with windows, i wish i could get it to work though. openSUSE was really nice when i was using that.
More information about the files that are installed through the security hole:
http://freefixer.com/blog/myspace-exploit/
Stop your bitchin and grow up.
You guys argue like a married couple.
Try Ubuntu with the live installer, it only takes like 5 clicks and you’re done.
MySpace did it again. Myspace displaying Virus infected ADS, which take advantage of a known Windows and Internet Explorer Bug.
Just a Few minutes ago, Youtube Deleted one of my videos where I talked about this issue, claiming copyright infringement.
copyright infringement? Not according to the copyright law, ยง 107. Limitations on exclusive rights: Fair use38
After the Virus auto installs on computer, Various trojans, Rogue antiviruses such as WinAntivirus, are installed on the computer. Spyware and adware. (So far, I’ve counted over 30 Different types of virus installed if left alone)
This has affected MySpace users for about 18 months, since I first detected this issue. It has been reported and ignored. (And now CENSORED)
On November 18th, I was finally able to catch it on Video, I have posted the video on Youtube as a proof of this.
Firefox is not affected by this.
I could not catch firefox on video since it Froze but unlike Internet Explorer, it prevented this DRIVE-BY download to happen.
HERE is the URL for the Video.
http://www.youtube.com/watch?v=QwYobN0YeC4
Firefox and Internet Explorer had promised to FIX this Bug with their latest browser releases. Firefox did, Internet Explorer has not.
In order to make this video possible, all settings on the browsers were set to default settings and most likely Windows Updates turned off by default. Just like Millions of computer users have it.
Among the most famous Myspace users being hacked lately, Alicia Keys