MySpace blames Apple and QuickTime for hacked accounts
A malicious QuickTime movie made the rounds across MySpace profiles last weekend, altering user profiles and changing links on their pages to redirect to phishing websites crafted to look like MySpace logins. The movie, CNET reports, combined a MySpace flaw with QuickTime's legitimate support for JavaScript in what has been dubbed the Quickspace attack. It is also worth noting that while this movie could infect users who simply viewed a compromised page, the attack (as far as we know) only works in IE and Firefox on Windows (in other words: if you're on a Mac, you can resume your regularly scheduled MySpace obsession). Yesterday, MySpace's chief security officer Hemanshu Nigam contacted Apple to request a fix to plug the hole, even though it was a flaw in MySpace, combined with a legitimate feature of QuickTime, that caused all the damage. Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles.
On a side note: what exactly does one gain from harvesting MySpace account logins? Wouldn't oh, say, credit card numbers be a little more productive? I know there's a lot of kids out there who bank on whether they're in some people's top 8 spaces, but I'm still having a hard time seeing how or why phishers would deal in the same currency.
Thanks Daniel

Reader Comments (Page 1 of 1)
Ben Buckner said 12:42PM on 12-06-2006
Regarding your last question, the theory is that many MySpace users use the same password for their MySpace page as they do for other, more important web pages (such as bank accounts). If a phisher can get that password, they can get into all kinds of sensitive data. Even if only one percent of MySpace users have the same password for their MySpace page as they have for other important sites, that's still thousands and thousands of potential ID theft cases.
What's even more scary are the quizzes and surveys that make the rounds on MySpace. Buried in a bunch of other questions are things like "Your pet's name" and "Your middle name." These are things that are often used as secret password questions and whatnot, further opening MySpace users up for ID theft.
ZuDfunck said 12:50PM on 12-06-2006
I thought the same thing when the stories I read mentioned QuickTime. It's a conspiracy! Yeah right. It is a media player with sophisticated properties, not a Grassy Knoll!
Josh said 1:08PM on 12-06-2006
While kinda humorous, I guess, I wouldn't belittle any successful phishing exercise on such a mass scale. Any personal information could easily be used by malicious types to perform social engineering attacks on victims. How many people use their kid or dog's name as a password? How many people probably have such info plastered all over their MySpace page? An attack like this could make a follow-up attack much more likely to succeed.
Maimon Mons said 12:41PM on 12-06-2006
You would be surprised how many people use the same login name and password on a large number of unrelated sites.
Alex said 12:47PM on 12-06-2006
They also do it for advertising purposes.
Matt said 1:05PM on 12-06-2006
It's not really about identity theft, compromising bank accounts, or stealing credit card numbers. The whole idea is very similar to harvesting email addresses.
Phishers use your account information to run scripts and spam others. They tend to message a bunch of people about a product or post an advertisement as a bulletin from "you".
The whole thing is really very easy to avoid and/or clean up if you're a fairly web savvy person, but because MySpace makes it fairly difficult to view the bulletins you've posted and the messages you've sent it often goes unnoticed.
Daniel said 2:52PM on 12-06-2006
Yay, my tip got on here!
Anyways, the reason they hacked accounts was (like said in above comments) for advertisement. I've had some friends' accounts advertising internet dating while others were advertising cheap PS3s and ringtones.
Charles said 3:47PM on 12-06-2006
As we noted at http://blogs.guardian.co.uk/technology/archives/2006/12/04/myspace_worm_exploits_quicktime_weakness_to_steal_logins_and_plant_spyware.html a day or so ago, the purpose is to divert people to fake MySpace sites so that Zango ad/spyware can be loaded onto their machines.
This is a QuickTime flaw: the mov file changes settings on the user's computer. I'd say that was a file that's getting above itself, since where exactly did you grant it that sort of execute/write permission on your settings? Those should have some sort of box around them. (Doesn't matter if you're running as an admin or simple user; it alters your settings.)
Robert said 12:32PM on 12-07-2006
Such a flaw allows a malicious attacker to deploy crimeware to unsuspecting users by placing malicious content onto compromised MySpace profiles. Such crimeware could include spyware, keyloggers, trojans and other nasties automatically installed onto the PC of anyone who visits the compromised user's MySpace profile. Once installed, any task performed on the now compromised user PC would be subject to monitoring or worse, modification . . . such as compromising that user's MySpace profile (to propagate the vulnerability) then targeting their online banking logins and transactions.
Huggs said 9:51PM on 12-07-2006
Claiming that this isn't a problem with QT is ridiculous. This sounds *exactly* like what Microsoft did with Windows - leave dangerous functions, that virtually no one uses, turned on by default. Sure it's a feature and was absolutely intentional, it was just very, very stupid.
george said 12:18PM on 12-07-2006
Charles... by your definition most browsers are broken as well. Since if I were to put an automatically opening JavaScript link in this text, I could drive you to a page where you could infect your computer with Zango using only your browser.
All QuickTime does is allow the execution of code to direct users to a page as if it were a browser. This is no more Apple's fault than it is Mozilla's or Microsoft's.
The problem is with MySpace's codebase and how it does not check for "broken" embeds that allow false JavaScript commands to get into the parameter strings for the embedded object.
Users can turn off QuickTime's ability to let sites do this, just as I can in Firefox or IE.
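The check george describes above, inspecting what ends up in the parameter strings of an embedded object before a profile is stored, can be sketched as follows. This is an added example, not part of the original post or comments and not MySpace's code; the tag set, the http/https allow-list, the function names, and the attribute names in the constructed sample are assumptions.

```python
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https"}          # assumption: profiles may only link to web URLs
PLUGIN_TAGS = {"embed", "object", "param"}   # assumption: tags whose values reach a plug-in
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def scheme_of(value):
    """Return the lower-cased URL scheme of an attribute value, or '' if it has none."""
    # Drop whitespace and control characters first: lenient URL parsers ignore
    # them, so "java<TAB>script:" must be treated the same as "javascript:".
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else ""


class EmbedAuditor(HTMLParser):
    """Collects (tag, attribute, scheme) for every disallowed scheme on a plug-in tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PLUGIN_TAGS:
            return
        # HTMLParser has already decoded entities such as &#106; in attribute values.
        for name, value in attrs:
            scheme = scheme_of(value or "")
            if scheme and scheme not in ALLOWED_SCHEMES:
                self.findings.append((tag, name, scheme))


def audit_profile_html(markup):
    """Return the findings for one user-submitted profile fragment."""
    auditor = EmbedAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample input (not taken from the incident).
SAMPLE_PROFILE = """
<p>My favourite clip:</p>
<embed src="http://media.example/clip.mov" type="video/quicktime" width="320">
<embed src="clip2.mov" href="&#106;ava&#9;script:void(0)" width="1" height="1">
<object><param name="href" value=" JavaScript:void(0)"></object>
"""

if __name__ == "__main__":
    for finding in audit_profile_html(SAMPLE_PROFILE):
        print("reject:", finding)
```

The check is deliberately strict: any value on a plug-in tag that parses as `word:` is flagged, so a harmless value such as a caption containing a colon would need an explicit exception.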
Horatio Taft said 12:58PM on 12-09-2006
george -
A web browser is designed to view web sites. It makes sense that it should support JavaScript.
QuickTime is a movie player. It is not a web browser. It should not have JavaScript support or act to hijack your web browser and push you into sites you may not want to go to.
This is borderline Malware activity.
rtx242 said 12:35AM on 1-19-2007
It is natural that kids will hack MySpace, because that is where their attention really is, not credit cards.
We have heard about every kid who got caught, a small fraction of a percentage of kids caught hacking were guilty of monetary theft or manipulation folks. In a country of some 300 million people, that percentage does not logically correspond to the volume of criminality.
Most credit card hackers and virus/worm writers, by percentage, are likely high end organized crime or government agency/military operatives (if there is a difference.) Not just ours but theirs too.
Time to grow up and smell the cup of coffee from which 'malicious hackers' really drink.
rtx242