Tweet

“Sarah” wrote to ask me about numerous things being “messed up on my account at the moment”, referring to her MySpace account. Turns out it’s yet another XSS (cross-site scripting bug in MySpace’s code).

We know several things thus far:

• This specific attack starts with an embedded .swf Flash file.
• The flash file uses ActionScript to send a simple GET request to an UNSANITIZED (whew, embarrassing on MySpace’s part) variable by the name of TheName.
• the GET request in #2 loads a remote .js script.
• the remote .js script then uses XML http send commands to execute the malicious part of the worm — changing first, last, and display names with “g0dOfTheN00se” and injects the malicious .swf file into several parts of the profile, including television.

The author also added a little note to users infected by the XSS worm: “MySpace Aids Is Back Bitch. Merry Christmas From ..!.g0dOfTheNoose.!.. .”

The malicious JavaScript is in a file named “SamyReloaded.js”.

The vulnerability itself is in the unsanitized variable “TheName”, which should end up embarrassing developers at MySpace, especially after that whole Samy fiasco. They shut down the MySpace site to fix unsanitized variable issues, and I guess passed right along on that one?

As for the usage of a malicious Flash file in the XSS worms propagation was actually a very interesting spreading idea. Since Flash, and other objects are embeddable and accepted on MySpace profiles — I guess the developers at MySpace did not think about ActionScript being used as an attack vector. (Xavier)

Funny, I was just talking about this a work last week — about the previous “Samy” ordeal. Kinda ironic that it should spring up again at about the same time.

Related Posts:

Busting an idiot reading a friend’s mail

Patch Tuesday

Online comments by minors protected under constitution

Power Supply issue on HP ProCurve 5400/8200 Switches

Monitoring for Blackworm with swatch