MySpace Bug Hunt Gets Off to a Slow Start

A group of hackers has kicked off its month of MySpace vulnerabilities, which it hopes will make more of a splash than January's month of bugs for Apple Inc.'s software.

But they acknowledge they've started off with a softball: the first vulnerability, revealed on Sunday, isn't too dangerous.

The problem involves URL (Uniform Resource Locator) spoofing. Using MySpace's CSS (Cascading Style Sheets) editing features, an attacker could build an official-looking MySpace page designed to solicit a person's log-in details. The fake page could have a URL that reads "www.myspace.com/PasswordReset."

The problem is credited to mybeNi websecurity.

"Note, it's a pretty light one, seeing how today is Sunday, and we don't really expect the crack MySpace Security Squad to actually do a lot of code changes on Sunday," they wrote. "So, we went with one they probably don't care about, and isn't terribly dangerous on its own."

The hackers, who go by the names Mondo Armando and Müstaschio, have said they picked MySpace for their project for its high number of users. MySpace had 64.4 million unique visitors in February, according to comScore Networks, which tracks Web site traffic.

The hackers have informed MySpace of the project, they said.

"They are adhering to the company line that they do not respond to inquiries regarding security," one of the hackers wrote in an e-mail to IDG News Service.

The "month of bugs" theme has been criticized as gimmicky and, sometimes, just not that exciting. Others have done the "Month of kernel bugs" and "Month of PHP bugs" projects. The month of Apple bugs, which ran throughout January, turned up flaws but nothing too alarming.

But MySpace might prove more fertile. It has frequently been targeted by hackers, since a single compromised account can open a door to potentially hundreds of thousands of other users, who can be targeted with spam or infected with malicious code.

In December, a worm rapidly spread across user profiles using a cross-site scripting weakness and a feature within Apple's QuickTime multimedia player.

Users who visited another MySpace profile could be infected by viewing an embedded QuickTime file, which could then begin an attack to capture the user's log-in details.

If the MySpace vulnerabilities aren't that thrilling, the hackers said, that could help bring an end to month-long bug-finding sprees.

"If it kills this Month of Whatever fad, then hurray for everyone, it's over," they wrote on their Web site.
