MySpace Alert - Your 'best friend' could be a worm!
Posted by Electronicmartin on July 29, 2006 at 1:22 PM

http://www.f-secure.com/weblog/

Web Application Worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It's a new category of malware and it's a growing concern for popular websites. Social Networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week's Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. Last week's worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.

Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.

All this piqued our interest and we decided to see how secure other popular social networking sites are against "wormable" XSS vulnerabilities. We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of JavaScript could create a worm using just one of these vulnerabilities.

Something to consider: The WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser exploit (maybe even a 0-day exploit) could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...

Recommendations:

1. End users need to patch their machines. There's no excuse not to.
2. Web application developers must start taking security seriously. Yes, XSS issues are silly, easy to find and omnipresent. And XSS issues have stopped being funny for a long time now. They are a real danger with the advent of Phishing and Web Application worms that exploit a mass user base of millions of users within a very short time.
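The second recommendation in practice, as an added example that is not part of the F-Secure post or of any site mentioned above: a stored profile field rendered straight into HTML (the persistent XSS pattern the worms rely on) beside the same field output-encoded, plus a small review heuristic a site could run over stored fields. The profile texts, field name and function names are constructed for this illustration.

```python
import html
import re

# Constructed sample: what two users typed into a profile "About me" field.
# The first is ordinary text; the second carries markup a browser would execute
# if the site echoed the field back to every visitor unescaped (persistent XSS).
PROFILES = {
    "alice": "Loves music & movies",
    "mallory": '<img src=x onerror="alert(document.cookie)">hi',
}


def render_profile_unsafe(about):
    """The pattern the post warns about: user input pasted straight into HTML."""
    return f"<div class='about'>{about}</div>"


def render_profile_safe(about):
    """Output-encode on the way out: <, >, &, and quotes become entities, so the
    browser displays the text instead of interpreting it as markup."""
    return f"<div class='about'>{html.escape(about, quote=True)}</div>"


# Heuristic for a site's own review tooling, not a substitute for encoding:
# flags stored fields containing a tag, an inline event handler or a javascript: URL.
ACTIVE_CONTENT = re.compile(r"<\s*\w|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def flag_suspicious_profiles(profiles):
    """Return the names whose stored 'About me' text matches ACTIVE_CONTENT."""
    return sorted(name for name, about in profiles.items()
                  if ACTIVE_CONTENT.search(about))


if __name__ == "__main__":
    for name, about in PROFILES.items():
        print(name, "unsafe:", render_profile_unsafe(about))
        print(name, "safe:  ", render_profile_safe(about))
    print("flagged:", flag_suspicious_profiles(PROFILES))
```

The encoded output is safe to place in element content; an attribute or a script context needs its own encoding rules on top.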


User Comments

Alternativefreddemillio
Date: July 29, 2006 @ 8:53 PM
If you participate in anything owned by Rupert Murdoch then you get all that you deserve.
AlienChillinBuzz
Date: July 29, 2006 @ 10:14 PM
And what if the problems spread a lot further than his domain?

WMF Patch for Windows:
MS06-001
MS06-026

Note: The second link states XP SP1 & SP2 are not affected, yet in the first one it says they are. I downloaded it anyway just to be on the safe side.

Otherindependentm...
Date: July 30, 2006 @ 7:30 PM
Download an open source version of Linux or something to be even MORE safe, ChillinBuzz.
AdminCodeWarrior
Date: July 31, 2006 @ 7:44 PM
I only have eight friends (including Tomsong, Jimmy Carter, and the EFF)...so I guess the worm passed me by.
http://www.myspace.com/codewarriorz
© DMusic LLC