Sunday, February 1, 2009

MySpace susceptible to threats through XSS

Over the past months, a vulnerability has been reported in the popular MySpace social network through which an XSS (Cross-Site Scripting) attack makes it possible to spread malware or commit other malicious acts, such as profile theft.

XSS is a type of scripting attack that seeks to exploit vulnerabilities in application code that interprets HTML. Although MySpace added some layers of protection to prevent such attacks, such as blocking the script tag, the flaw allows that blocking to be bypassed, so an attacker could insert and execute a malicious script as follows:

Although this flaw puts the information, profiles and security of users at stake, those behind MySpace seem to be looking the other way, and the vulnerability has not yet been resolved.

The problem was reported by its discoverer, Daniel Lo Nigro, on January 19 of this year. He left an example of "script insertion" in place, without getting any response from MySpace.

http://www.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=446695851

It's not the first time, and surely not the last, that MySpace has suffered from insecurity through scripting attacks. What makes the matter serious is that it leaves the information, profiles and security of its users completely exposed.
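Why blocking the script tag alone is a weak protection, shown as an added example that is not from the original post and does not reproduce the MySpace bypass (whose details the post does not give). The filter, the profile fields and the `placeholder()` call are all constructed for illustration; the check compares a tag blocklist with encoding on output.

```javascript
// Added example: constructed filter and inputs, not MySpace's code.

// Blocklist approach: delete <script> elements and any stray script tags.
function stripScriptTags(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<\/?script\b[^>]*>/gi, "");
}

// Review check: does the text still contain markup a browser could run
// without a <script> tag (inline event handler or javascript: URL)?
function stillActive(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html) ||
    /<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Output encoding: user text is rendered as text, never parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed profile fields; placeholder() is a harmless stand-in name.
const samples = [
  "Hi <script>placeholder()</script> there",
  '<img src="avatar.png" onerror="placeholder()">',
  '<a href="javascript:placeholder()">my band</a>',
  "I <3 music & films",
];

// Run both defences over every field and report what survives each one.
function audit(inputs) {
  return inputs.map((raw) => {
    const encoded = escapeHtml(raw);
    return {
      raw,
      blocklistLeavesActiveMarkup: stillActive(stripScriptTags(raw)),
      encodedLeavesActiveMarkup: stillActive(encoded),
      encoded,
    };
  });
}

for (const row of audit(samples)) {
  console.log(row.blocklistLeavesActiveMarkup, row.encodedLeavesActiveMarkup, row.encoded);
}
```

Fields that carry no script tag pass through the blocklist untouched, while the encoded form of every field contains no markup for the browser to interpret.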

# Jorge Mieres
