Hackers Target MySpace and Facebook

Stony Stevenson writes "The security firm Fortify Software has warned against a series of attacks against Facebook and MySpace. Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault. 'Criminal hackers now view social networking sites as their best target for attacks ... [partially because] such sites are designed to be usable by "unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.'"

Just what kids on Myspace and Facebook need...

[Cryophallion]

to see tons of goatse images from stupid hackers thinking they are funny and cool.

Re:Just what kids on Myspace and Facebook need...

[Corpuscavernosa]

Unlike some sites I visit regularly, I've never been goatse-ed on Myspace... :)

Re:Just what kids on Myspace and Facebook need...

[themushroom]

Is a goatse different than puckering, making a faux 'thoughtful' face with hand on chin, and making a gang-style hand sign that means nothing a dozen times into the webcam with poor lighting in the photo gallery?

I can't really tell the difference.

Re:Just what kids on Myspace and Facebook need...

That or the high contrast, high angled shot used to conceal the true hideousness that really lurks behind that keyboard. Combined with the eye straining colour schemes, animated flame/skull GIFs, crap rock/rap "music", self important prose and juvenile diatribe it's like hell on the web.

It's no wonder I have always viewed sites such as Myspace as a place for emo kids seeking attention and losers who use it to pick up on fat chicks (and vice versa).

Re:Just what kids on Myspace and Facebook need...

[palegray.net]

Not really much threat of goatse images, but a signficant threat of arbitrary remote code execution for Windows users.

Re:Just what kids on Myspace and Facebook need...

[Brian+Gordon]

I've had seven different passwords and they've got them all so far.

Re:Just what kids on Myspace and Facebook need...

[Entropius]

You obviously don't need a password, then.

Just buy a dog.

Re:Just what kids on Myspace and Facebook need...

[themushroom]

Scamming on the fat chicks: ...has not yet worked for me. ;-)

Re:Just what kids on Myspace and Facebook need...

What if they blow up my yellow van :(

Re:Just what kids on Myspace and Facebook need...

[adona1]

Ah, they don't need to be be hacked to have Goatse on their Myspace, just to link directly to images & annoy the site owner.

Re:Just what kids on Myspace and Facebook need...

Then obviously you need a bigger dog.

Re:Just what kids on Myspace and Facebook need...

[0100010001010011]

I did this for some hotlinkers. I posted a funny picture on a website and forgot about it... months later I find that it's been hotlinked on a few hundred profiles. People were putting it on each others 'wall', etc.

I was no longer using it. The link I set it up for had been changed, so I replaced it with hello.jpg.

Hotlinkers beware, I spend $$ on my bandwith, at the very least download the photo and upload it to imageshack or some other service.

Re:Just what kids on Myspace and Facebook need...

banana1, banana2 banana3, banana4, banana5, banana6 and banana7
How much more secure can it be?

Re:Just what kids on Myspace and Facebook need...

Your basic mistake is that you have not closed your curtains.

Internet Explorer based exploit

[prajjwal]

I assume this is an internet explorer based exploit? http://www.kb.cert.org/vuls/id/776931

Re:Internet Explorer based exploit

[kcbanner]

Yea, its ActiveXploit at work :/

Re:Internet Explorer based exploit

[vespacide2]

What exactly does it give you control of?

A buffer overflow enabled hackers to exploit the Aurigma ActiveX image uploading software used by Facebook, MySpace and other social networking sites,

Can anybody explain (loosely) how it works?

Re:Internet Explorer based exploit

[palegray.net]

Well, according to this page it allows execution of arbitrary code on the victim's machine. Whatever the user's account permits them to do, the code could do, up to and including actions permissible by other unpatched vulnerabilities on the client machine.

Re:Internet Explorer based exploit

[cmacb]

I sure hope so, as I've never heard of the Origami plug-in, and I hope they don't make such a thing for Linux.

But seriously... why do I have to run an application on my PC to upload a photo? I take these nice bazillion pixel photos and Facebook after doing endless minutes of something, turns them into postage stamps. Why don't Facebook users just upload their pics to a real photo site and then throw a sheep at all their friends with the URL branded on it. Their whole infrastructure is disgustingly lame.

House of cards.

Re:Internet Explorer based exploit

[palegray.net]

Origami plugin? Does it fold your keyboard into a three dimensional swan? Surely you meant the Aurigma ImageUploader plugin.

Re:Internet Explorer based exploit

[vespacide2]

thank you for the link.
so one would have to have this thing installed (or does it come with ie?)
You wouldn't have to try and upload anything to myspace? (or other?)
would the exploit be in an image file?

Re:Internet Explorer based exploit

[palegray.net]

The ActiveX control doesn't come with IE; it's hosted on the servers that provide the social networking service and loaded into your browser when you elect to upload an image to your profile. What I find really interesting is the date this vulnerability was first published: 02/04/2008 11:26:53 AM

Re:Internet Explorer based exploit

[Entropius]

I've wondered about that too. Facebook fails at image processing.

Re:Internet Explorer based exploit

[palegray.net]

Maybe so, but Facebook wins at helping ambitious young "entrepreneurs" add Facebook users' computers to wonderful distributed computing networks. Unfortunately, these networks aren't exactly devoted to curing cancer...

Re:Internet Explorer based exploit

[name*censored*]

Sure they are, they're curing cancer by attrition! Nothing makes me want to shoot myself more than my PC crawling at 1 fps...

Re:Internet Explorer based exploit

[whitehatlurker]

You're in luck. There is an ActiveX plugin for Firefox (and other browsers too).

Hurry! Install now! Be the first in your subnet to be pwned by an ActiveX eXploit.

HEY!

[Corpuscavernosa]

Check out this AWESOME site! They're giving away all these FREE ringtones!!! I don't even know how they do it!!!

(received as a comment on my page this morning)

Re:HEY!

[Corpuscavernosa]

Noticing my offtopic mod, perhaps I didn't tailor my comment quite properly. There is rampant hacking of accounts for phishing and advertising purposes. One account will get hacked, then using that account, the hacker then sends out bulletins (mass emails to all friends) or comments saying to "click here" for numerous purposes including hacking future sites to send out more ads. When clicking on these sent out comments or bulletins, there will often be a phishing page where it looks like the user has logged out and needs to re-enter login and password info. Additionally, the unwitting 14 year old gives out his/her cell phone number and unknowingly signs up for a ringtone plan that is charged to their cell phone bill usually to the tune of $30/month.

The hacks are pretty interesting as they are socially viral and not necessarily driven by sofware or the transmission of a virus.

Maybe I need to RTFA, but this type of hacking has got to be the most prevalent type on Myspace.

Re:HEY!

[pxc]

My sister's account has been sending out bunches of these lately, even when she herself is asleep. I changed her password and scanned her machine for viruses, as well as removing a bunch of Facebook "apps". Didn't do anything for it.

Anyone know anything more about this?

Re:HEY!

[dave562]

It might have modified the actual HTML code on her page. It hasn't happened to me yet, but I've heard of people who get to the point where they basically need to blank their page and reset it to the default one with no code on it what so ever. A lot of the code templates that people use to add backgrounds and what not to their pages are full of exploit code.

Re:HEY!

A lot of the code templates that people use to add backgrounds and what not to their pages are full of exploit code. Almost all myspace pages are absolute crap because people use stupid template websites that provide garbage code.

Re:HEY!

[psyconius]

This kind of defeats the point of hacking sadly..

Let's attack the social norm just to sell more stuff anyway! Hooray for progress!

"Legitimate" businesses target young people too.

[gnutoo]

Cable, telco and banks and apparel vendors all have young people in their sites. Predatory lending credit cards, special internet "deals" with students and massive advertising budgets that should make the companies involved blush, are aimed at people ages 14 to 25.

Why? because that's where the money is.

Why do the theives use ActiveX exploits? Because they can.

Sheep, meet Mr. Slaughter. Mr. Slaughter .... gross!

A Troll's Dream

Oh man, a slashbot troll's dream -- do I start ranting about myspace and their userbase or do I start ranting about activex?

Re:A Troll's Dream

[badboy_tw2002]

Tie them into a rant about hacker != cracker and you've got a troll triple word score!

Re:A Troll's Dream

[vux984]

Mod parent awesome.

Not only did he invoke one of the slashdot holy wars to complete his trifecta, but managed to quietly work in an IP controversy by referencing scrabble/scrabulous which itself is just the result of the buzz surrounding an app on a social networking site like facebook/myspace thereby completing a circular reference and ending up exactly where we started.

At the very least he should get 50 bonus points for using all his letters! :)

(And if you look closely, so did I.)

Re:A Troll's Dream

[rtb61]

Hmm, troll, from the way you keep using this word I do not think you know what it means. http://en.wikipedia.org/wiki/Forum_troll. So by your and the parents and grandparents reference, these topics are in fact 'popular' and accepted topics of ill repute. So quick review of the definition, will basically define yourselves as trolls rather than those posters who are making sound criticisms of the social network forums and M$ active X controls and, perversely enough I could be accused of feeding the trolls. So to get back on topic.

What the hackers are doing is clearly targeting the same user base that the social networks are targeting, the young, immature and willing gullible marketing victims. So unlike the lie the social book marketing sites are not targeting those who are too young to enter into legally binding contracts and capable of making mature higher risk behaviour decisions, the crackers (criminal hackers?) success clearly defines the main consumer base of those web sites, those that are the most susceptible to modern corporate mass marketing techniques.

The lessons of the day are, use social networking sites with extreme care and that you are a bloody idiot if you load active-x controls into firefox ;).

Re:A Troll's Dream

and you've got a troll triple word score! Is that from the SCABaCUSS game? You know the one Hasbro and Mattel have a problem with!

That...

[MikeRT]

And with the way that people spew out personal information on Facebook and MySpace, they probably figure that if they get it just right, there's the potential to hit the motherload of information for identity theft.

Re:That...

[palegray.net]

Given the fact that it's a client-side issue, it's far more likely the attackers are looking to achieve two goals with this sort of exploit:

1. Turn the client computer into a zombie, which participates in the attacker's efforts to spew out spam and scan networks for machines vulnerable to other exploits.
   
   
2. Scan the user's local machine and any network shares for "interesting" data that might be used to compromise financial institution accounts.
   
   
3. Capture login information on the local machine and relay it to the attacker.

The contents of the user's MySpace or Facebook profile information probably ranks rather low on the list of useful information.

Re:That...

[Orion+Blastar]

Read the article, it was the image uploading ActiveX control that got exploited. Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen. Those Windows users who use Firefox should know that Firefox does not support ActiveX controls unless the user installed an ActiveX Plugin that allows limited ActiveX controls to be used. If the user did not install the ActiveX Plugin, I seriously doubt they got hit with this exploit if they used Firefox.

Linux, Macintosh, BSD Unix, and Non-Windows systems do not support ActiveX controls anyway so it is mostly Windows systems that are effected by the exploit, and only Windows users who use Internet Explorer and not those who use Firefox.

I am guessing that a lot of 12 to 24 year olds that have their own credit card or their parent's credit card or bank account or somehow work an have their own bank account are the ones targeted by this, as people aged 12 to 24 are most likely to use Windows with Internet Explorer and not know about the exploits out there, and just surf and click on anything they want.

A lot of family members and friends have children aged within that range who use their family's computer and after it gets so infected with malware that they cannot use it, they call me to come over and fix it for them. Nope, Linux, BSD Unix, or switching to a Mac is not an option for them, in some cases I switched them to Linux only to have them make me switch them back to Windows because certain web sites only work with Internet Explorer, or certain games they bought won't run under WINE or they have no idea how to configure WINE to run them for them. Dual-Booting just confuses them more, as does running Windows in a virtual machine. If they bought a Mac, a few weeks later they'd tell me to remove OSX off it and put Windows on it. So basically, they stick to Windows and Internet Explorer, even if I install Firefox for them. Also I install the Google Pack with StarOffice, but of course they want MS-Office instead because their friends and co-workers don't know how to open up ODT open text format documents, and they keep forgetting to "Save As" into MS-Word 97-2002 Format so their coworkers and friends can read their documents.

Re:That...

[palegray.net]

Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen. For the love of Pete, it's a remote code execution vulnerability. We're talking about a lot more than a use's MySpace password getting lifted. Why couldn't the submitter be bothered to provide a link that actually describes the issue in detail, instead of just a sensationalist news article that gives virtually no technical information?

Re:That...

[LilGuy]

Many of the programs that turn a host into a zombie also scan it for bank information and other types of stored information as well as keylogging. The potential for disaster is enormous.

Re:That...

[palegray.net]

Did I miss something here, or does your comment repeat points 2 and 3 in my post?

Re:That...

[Orion+Blastar]

For the shock and awe value, to fool a majority of the people into thinking that their Myspace and Facebook accounts got hacked and they might be a possible target of identity theft.

What they don't know is that it is a remote exploit that a hacker can use in an email or web page by giving an embedded link to Facebook or MySpace that contains URL data that will exploit the ActiveX control used for image uploading by those web sites so that it runs code on their Internet Explorer to steal information, install a trojan, whatever the exploit code does.

Cert says to turn off ActiveX controls in Internet Explorer until the problem is fixed. But I guess the best advice is to use Firefox instead, and don't click on any emails or web forms unless you know it is not a scam email (Thunderbird knows how to check for those scam emails, BTW) or phishing web site (Firefox and IE both have phishing toolbars now to check for that as well).

It doesn't take much intelligence to spot a fake email or phishing web site, most of the time they spell words wrong, or the images don't look right, or the HTML code is messed up, or they put in a "word salad" to try to get past spam filters.

Re:That...

[El+Lobo]

And if it's their choise to use Windows, you have not even the right to try to install Linuzzz or OZX on their computers. Let people use what they wat for pete's sake!

Re:That...

You can set Star/Openoffice to always save as .doc/.xls - do that and rename the icons "Word" and "Excel" and 9 och out 10 people below average computer users never notice the difference...

Re:That...

[Orion+Blastar]

I suppose you are right. But I wanted to show them that there was an alternative to Windows out there, and they wanted to try it. So I did install Linux for them, but they made me put Linux back on their PC.

Linux, BSD Unix, Mac OSX doesn't always work for most people, they need the ability to run native Windows programs and an emulator or virtual machine only slows them down or confuses them. Dual-Booting also confuses them as they try to run or install Windows programs under Linux, Mac OSX, etc. The only real choice for them is ReactOS when it is finally finished and out of alpha and beta testing. At least it can run native Windows programs and use native Windows drivers.

Still they are my family members and friends and need me help to fix Windows when it gets broken, so it is hard to tell them NO even if they keep messing up their Windows by making bad choices/actions.

Re:That...

[LilGuy]

No you're right... but I must've accidentally hit reply to your comment instead of the one I intended to.

My bad.

In other words..

[glavenoid]

In other words, social networking website users are more prone to social engineering attacks. But I state the obvious...

Seriously though, who here actually granted MySpace or Facebook access to your email account in order to find your "friends"? Anything else (the social website has access to) is butter in the frosting

It really amazes me just how much personal information people are willing to put on the internet these days. Even if said information is not explicitly granted to a particular website, a great deal can be inferred by people's, for lack of a better term, "blogging" habits.

Re:In other words..

[palegray.net]

In other words, social networking website users are more prone to social engineering attacks. While your comment may be a nifty play on words, if you're going to use the term "social engineering," you really ought to use it in the right context. This is a system vulnerability attack, not to be confused with social engineering attacks. Somewhere Kevin Mitnick is frowning.

Some info and blocking instructions

Lulz[myspace.com] has written a pretty good MySpace blog entry
[myspace.com] about this, along with some protection and removal instructions if needed(in the
comments and in my post also). One of this guy's hobbies is exposing
MySpace scammers. He actually predicted about a week ago that an
exploit like this would happen. Friend him if you have a MySpace. I
can't tell who came up with this information first, Lolo or these guys
but Lolo may have gotten there first. Either way you need to read his
blog posts if you use MySpace...

Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

Here's how to prevent it:

        Use the FIND command or CTRL F to find the word LOGIN.

        It starts with this line of code ... I have stripped out the first "

                style type="text/css"
                div table td font { display: none }
                div div table tr td a.navbar, div div table tr td font { display: none } .testnav { position:absolute; top: 136px; left:50%; _top: 146px

        The code was at the very end/bottom of my ABOUT ME section.

        It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!

To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.

Re:Some info and blocking instructions

Does this guy really think people aren't smart enough to hover over links before clicking them...here on /.?

Re:Some info and blocking instructions

Smart or not, they keep clicking!

Hackers?

[InvisblePinkUnicorn]

Hackers? I remember hacky sacks from when I was a kid! Are these the same thing? *clicks link to find out*

READ: Myspace + Facebook users are noobs.

The exploit in question also targets IE/win, so that's another pool of potential and likely noobs (or already zombies, easier).

That's not a computer problem, that's pebcak entirely. Some people will always be vulnerable no matter which browser they use.

When you get down to it, I don't mind them targeting these sites at all... because I would never go there. Ever.

huh?

[pak9rabid]

[partially because] such sites are designed to be usable by "unsophisticated" consumers you don't say

so what you are saying is....

[timmarhy]

... dumb people shouldn't have the internets?

Re:so what you are saying is....

[webmaster404]

No, dumb people shouldn't use an insecure browser such as IE. Really, just using Firefox takes your threats down by a good 75% even if you are using Windows.

Re:so what you are saying is....

[timmarhy]

60% of all statistics are made up everyone knows that,kent

Re:so what you are saying is....

This is the second time I've seen your sig like that; it's beginning to annoy me. Please, for the love of geeks everywhere, insert a 'possibly' in there.. and try to do it in the right place!

Re:so what you are saying is....

[dbIII]

... dumb people shouldn't have the internets?

The problem is how do we spot them? They won't all be posting under their real name and using that horrible typo "internets".

Re:so what you are saying is....

[J_Doh!]

love the sig.

Re:so what you are saying is....

[timmarhy]

thanks, i think it's lost on most people unfortunately.

Re:so what you are saying is....

[cjb658]

60% of all statistics are made up everyone knows that,kent

Oh, someone told me it was 80%

Re:so what you are saying is....

[smooth+wombat]

They won't all be posting under their real name and using that horrible typo "internets".

Easy, everyone that uses "your" instead of "you're" are the dumb ones. Find them, and things should calm down.

Re:"Legitimate" businesses target young people too

[palegray.net]

young people in their sites The word you were looking for is "sights" :). All improper usage aside, while I don't disagree with the sentiment of your post, it's important to note that the style of exploitation being discussed differs in that it's highly illegal and completely indiscriminate in nature. It's also more than likely that the sources of these attacks are individuals operating from jurisdictions outside the reach of U.S. law enforcement, which makes punishing the offenders sort of difficult.

Do your friends and family a favor: educate them on the inherent risks present in the software applications they use on a daily basis. Computer security starts with the user acting in a responsible manner to secure his/her system. If securing the system proves too difficult or time-consuming, maybe it's time to try a different system.

Re:"Legitimate" businesses target young people too

[slater86]

we're not exactly talking about the most sophisticated users on these sites. Why wouldn't they prey on the obviously easy targets.

Stop the presses...

[owlnation]

... Facebook et al has unsophisticated users?

... ActiveX is an insecure technology?

I'm shocked I tell you!!!

Seriously though, doesn't this happen every day? Why is this more newsworthy than the the usual background level of social network hacking attempts and ActiveX suckiness?

Re:Stop the presses...

[cbart387]

It's not. But neither is news on (a) Vista (b) iPhone (c) XML etc. In addition to a meta-moderate a meta-edit would be good as well ;)

In other news...

[Grimbleton]

Water is wet and the sky is blue.

Honestly, who is this "news" to/for?

Re:In other news...

[krotkruton]

...for people who don't know that the internet can be "dangerous"?

But seriously, half of me agrees with you since this should be completely obvious, but the other half knows that people like my mom still don't realize it's risky to open an eCard even if it comes from someone she knows. If these "news" stories keep getting out there, maybe the thick-headed people out there will finally get the picture... then again, if they haven't gotten it by now, this type of thing just makes them more scared instead of aware of what they're doing.

AOL users of

[Bullfish]

the 90's are the equivalent of most facebook etc users today. Unsophisticated is being kind, it's a gullibility farm.

Re:AOL users of

[TehZorroness]

There still are AOL users :S

Re:AOL users of

They were promoted with the advent of myspace.

This is going to sound harsh, but..

[kn0tw0rk]

one is responsible for ones choices/actions, and if you've tried to help them but they choose to be ignorant or dismiss these problems it is THEIR OWN FAULT. Eventually they will either learn from the lessons of being pwned or they will suffer.

Re:This is going to sound harsh, but..

[Orion+Blastar]

That is the way that a majority of people on this planet are. They don't learn from their own choices/actions and keep making the same choices/actions over and over again, and people like me have to clean up after them. That is the way my jobs have been for the past thirty years, each computer job I had to clean up after someone else's mess. I had to debug code that makes no sense much less won't compile without errors, into something that actually works and doesn't crash systems within a week or two. No flowcharts, no documentation, hardly any help from anyone, no support from management. Either do it or get fired. Management usually had no idea how programs work, and mostly hire the people they like instead of those qualified for the job. Then the other programmers take smoke breaks to light up a joint, write sloppy code as a result, and then the managers hand it over to me to fix it and make it work. But the stoners get the pay raises and promotions and work with new projects while I get stuck on the "legacy" work. When I worked as a technician, before I was a programmer, people would mess up their own computers mostly by not shutting them down before powering them off, or installing some software neither the company nor employee owns but it damages the system in some way.

I ran two computer companies, and you'd think that people always having problems by using their computers improperly would make more money than a Ghostbusters business in getting rid of ghosts would. But people tend not to pay their bills after you fix their systems, and make the same bad choices/actions as they did before and get infected again. My fault for not having a credit card machine and being nice and offering credit and no terms and pay when you have the money, etc.

Life is like that, a majority of the people in the USA make bad choices/actions. They don't save money for retirement, have unprotected sex with multiple partners and get STDs and AIDS as a result, eat fast food like there is no tomorrow and wonder why they are overweight, do more drugs than Cheech and Chong and wonder why they are so sick as a result, ignore their children and don't raise them right and wonder why they grow up to be sociopaths and do school shootings or end up in a gang, but someone has to fix all of that. The rest of the world is no different. People just don't take responsibility for their choices and actions anymore, and just blame someone else. They act as if George W. Bush ruined their career, made them sick, etc but ignore that it was their own choices/actions that made them the way they are and George W. Bush had nothing to do with 20, 30, 40, years of their own stupidity. In fact we elected a scape-goat instead of a President every four years anyway. Someone to blame for when things go wrong.

Facebook rolled out a fix quickly

[steveha]

Facebook reacted quickly when the news broke. I'm not sure why this is a story now.

http://secwatch.org/advisories/1020254/

steveha

Repeat??

Criminals Attacking Myspace, Facebook IE Plugins

Dupe

[ElizabethGreene]

This was just up like 3 days ago.

-ellie

Windows should be illegal

Windows should be illegal to use, no matter the version. Piece of shit software made by a convicted monopoly.

Not just client-side ActiveX issues on Facebook

[StuffedFrogYK]

May I mention that hacking Facebook takes no real effort? Simply manipulating a browser's client side input forms (using Firebug, maybe) allows one to post to any Superwall (Faceboo application) whether you are the person's friend or not. Anonymous attakers could put links posing as coming from people's friends on the people's Superwalls. Reasoning: If it comes from my friend, it must be good and safe. The click-rate becomes much higher, and an attacker has just used a form of social engineering to lead people to a malware site. Most applications are not built with security in mind. They just (fatally) assume that the end user would never do such a thing. Dream on, app developers!

Re:Not just client-side ActiveX issues on Facebook

Is there any such exploit for Orkut?

Hackers target ActiveXploit

[SpaceLifeForm]

The fact that they are social networking sites just means
that the sites are stupid, and they have stupid users that
use an insecure platform that provides the vector.

Already caught by the cops

[lixee]

One of them was thrown in jail for 3 years. http://blogs.zdnet.com/threatchaos/?p=545/

Oh, wait...nevermind.

Code Audit

[giafly]

"Had Facebook and MySpace required Aurigma to provide proof of a code audit before sourcing the plug-in this latest security issue could have been avoided," he said.

If only I could find a company to sell me a "code audit". It sounds so much better than just testing my code properly.

Because browsers have poor upload abilities

[AaronLawrence]

This looks like a good opportunity to rant a little about the abysmal uploading support built into browsers.
With all the effort going into interactive sites, AJAX, user communities, media distribution and so on, the actual process of uploading files to a site is just as crap as it was in 1995.

In both IE and Firefox, the sum total of the upload user interface is a text box with a browse button, followed by an almost unnoticeable progress indication in the status bar. If anything goes wrong, the upload is aborted, in some unknown state, and can't be restarted. There is no way to upload more than one file except by the web page author manually coding in duplicate entry fields.

Why is this acceptable as the basic way for users to contribute images, videos, documents, etc to the amazing new web2.0 universe?

I do realise that security is a concern here, but a bit more effort from browser vendors would help users a lot.

Re:Because browsers have poor upload abilities

[zuperduperman]

Not to disagree, but do have a look at YUI's file upload control which is (yes evil) flash based, but very nice and at least cross platform and not some evil activex control. It should be unnecessary for any site to be shoving activex controls down your throat to do decent file uploading.

Re:Because browsers have poor upload abilities

[AaronLawrence]

Well, exactly. Good quality file upload should be built into browsers. It shouldn't require any sort of add-on. Whether Flash or ActiveX.

Good

No one deserves it more..

ActiveX

[PseudoLogic]

from the FTA: Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault.

<plumber>Well that's your problem right there!</plumber>

Hack Away

[korekrash]

Generic Social Networking sites are the online extension of the high school popularity game. If you want to join a social neworking site, pick one that you have in common with. Otherwise it's just muscles and boobs.... I, for one, applaud their use of activex. The more people who have problems, the quicker these sites will lose popularity..... Send an email to MySpace and Facebook telling them you love their use of ActiveX, how much it makes everything easier and that you would like them to use it more!!

Rain is wet...

[bandmassa]

...and other headlines, dog bites man, police arrest thief. Is this news?