A malicious video on MySpace.com pages changes people's profiles when played, embedding itself and adding links to fraudulent Web sites, experts have warned.
The video is a rigged QuickTime file that exploits a MySpace vulnerability and support for JavaScript in Apple Computer's embedded media player, Web security firm Websense said in an alert posted on Friday.
When played by a MySpace user, the video adds itself to the user's MySpace page and replaces the links on the user's profile with links to phishing Web sites, Websense said. Phishing sites are fraudulent sites that attempt to trick people into giving up sensitive information such as log-in credentials.
A MySpace representative on Monday said she could not immediately comment on the worm.
MySpace, owned by News Corp., is a popular social-networking Web site that is estimated to have more than 70 million registered users. The worm exploits a common type of Web vulnerability called a cross-site scripting flaw in the site along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts said.
"It seems that we have a MySpace worm on our hands, using a malicious QuickTime MOV file to spread," Mikko Hypponen, chief research officer at security company F-Secure, wrote in a blog posting Saturday.
The rigged QuickTime movie includes some JavaScript code that will be run automatically when an infected page is viewed with Internet Explorer, Hypponen wrote. This snippet of code modifies the user's MySpace profile. "After that, everybody who visits your MySpace profile gets hit too," he wrote.
The same happens when viewing an infected page with Firefox, according to a CNET News.com reader who had his MySpace profile compromised.
The object of the attack appears to get people to visit the phishing Web sites. These pages are crafted to look like MySpace log-in pages and prompt users to enter their MySpace credentials, according to F-Secure.
This is not the first threat to hit MySpace. Miscreants have exploited the popularity of the Web site before to steal personal information and to spread adware. Also, some MySpace users have exploited weaknesses in the site to boost their fame.
Experts have warned that as Web sites are becoming more interactive, security needs to be to be top-of-mind, not an afterthought. The development momentum for many sites is all about features, with protections being neglected, they have said.
An infected MySpace page will include links to the fraudulent Web sites and a blue navigation bar that is not typically found on MySpace pages, according to researchers at FaceTime Security Labs.
"If this is the case, you will need to clean out your profile and check if any of your friends have also been infected," Chris Boyd, director of malware research at FaceTime, wrote in a blog post.
Google's figured out a way to bring the power of graphics processor-powered hardware acceleration to some older computers, while Chrome 19 dev starts supporting the latest JavaScript code.
A new Apple lawsuit takes aim at Motorola Mobility in the U.S. for breaking a contract both companies have with Qualcomm for the license of one of its wireless patents.
A study by Harlequin--yes, the romantic-book people--says more women are sending naughty texts (shocking) and that 27 percent have sent a nude picture via e-mail or text.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
In spite of the boom in smartphone sales, there still seems to be a market for dedicated portable media players. Apple's iPod Touch is the leader, but what about some alternatives for the Android fans? CNET surveys the options.
Join the conversation