Owners Blog
From the creator of UberDragon Networks, an internet venture company, this blog
journals his personal & professional life; online, at home, & everywhere in between.

Thursday, July 20, 2006

The MySpace SWF Hack

This past weekend, popular social networking site MySpace suffered from a self-propagating virus in its personal profile system. By simply visiting an infected profile, you could have your own MySpace profile overwritten with code that would infect others.

Like any high-profile site that hosts user-generated content, MySpace must balance the sometimes conflicting requirements of freedom and security. MySpace, for example, goes to great lengths to block users from publishing JavaScript code in their profiles, because such code could forge requests on behalf of any user who visited the affected page.

One concession to user freedom that MySpace makes, however, is to allow its users to display Flash movies using <object> and/or <embed> tags. And that's what led to this past weekend's spate of overwritten and infected profiles.

A curious developer dissected the MySpace virus, revealing the method of attack. A Flash movie can execute JavaScript code by instructing the browser to load a URL beginning with javascript:. MySpace aggressively filters this type of URL out of the HTML content on its site, but it can't keep such URLs out of Flash movies.

The JavaScript code in the virus is able to retrieve a couple of cookies stored in the victim's browser and use them to forge a request to overwrite the victim's MySpace profile page. Because the victim has permission to do this, so does the JavaScript code.

Adobe clearly sees this type of vulnerability as an undesirable side-effect of allowing Flash on your site, because Flash Player 9 prevents untrusted Flash movies from loading any URL into the browser window displaying the movie.

MySpace on Tuesday posted an announcement encouraging its users to upgrade to Flash Player 9. Of course, Flash Player 9 isn't yet released for Mac and Linux platforms, and it will be quite some time before all MySpace users upgrade.

In the meantime, the only way for MySpace to block this type of attack would be to prevent its users from posting Flash movies, and that's clearly something it isn't willing to do.
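
The HTML-side filtering of javascript: URLs described above can be sketched as a URL scheme allowlist. This is an added example, not MySpace's filter and not code from the original post; the function names, the http/https-only policy and the sample attribute values are assumptions constructed for illustration. The only attribute that passes is the <embed> source, an ordinary http URL, which is the gap the post describes: the check never sees what the movie itself asks the browser to load.

```javascript
// Added example: names, policy and sample values are constructed for illustration.
const ALLOWED_SCHEMES = new Set(["http", "https"]); // assumed site policy
const NAMED = { colon: ":", tab: "\t", newline: "\n", amp: "&" };

// Resolve character references the way a browser does before it reads the
// attribute value as a URL (numeric forms plus the few names that matter here).
function decodeEntities(value) {
  return value.replace(
    /&(?:#x([0-9a-f]+)|#(\d+)|(colon|tab|newline|amp));?/gi,
    (match, hex, dec, name) => {
      if (name) return NAMED[name.toLowerCase()];
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    });
}

// Scheme as the browser's URL parser sees it: leading control characters and
// spaces are skipped, tabs and newlines are dropped wherever they appear.
function effectiveScheme(rawAttr) {
  const url = decodeEntities(rawAttr)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
}

// Allowlist, not blocklist: anything that is not absolute http(s) is rejected.
function isAllowedUrl(rawAttr) {
  const scheme = effectiveScheme(rawAttr);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample of URL attributes taken from a submitted profile.
const SUBMITTED = [
  { tag: "a", attr: "href", value: "javascript:void(0)" },
  { tag: "a", attr: "href", value: " jav&#x09;ascript:void(0)" },
  { tag: "a", attr: "href", value: "JaVaScRiPt&colon;void(0)" },
  { tag: "embed", attr: "src", value: "http://media.example.invalid/movie.swf" },
];

// Returns the attributes the HTML filter lets through.
function passingAttributes(attrs) {
  return attrs.filter((a) => isAllowedUrl(a.value));
}

console.log(passingAttributes(SUBMITTED).map((a) => `<${a.tag} ${a.attr}>`));
```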

(c) 2005, UberDragon Networks