Hackers Says Social Networking Websites Vulnerable

Hackers are increasingly focusing their attacks on social networking websites like MySpace.com. Cyber-criminals are demonstrating a couple of vulnerabilities they said could expose sensitive personal data for exploitation by online criminals.

The demonstration of the flaws was being performed at the Black Hat and Defcon conferences. Thousands of people gather at Las Vegas every year to attend the demonstrations of newly emerging exploits and to attend the training session.

While presenting at the Defcon computer security convention, Rick Deacon, who is a network administrator from Beachwood, Ohio, showed how a 'zero-day' flaw in MySpace could let intruders start commandeering Web pages of individual users and also insert malicious code. The MySpace flaw hasn't being fixed with a patch as yet, reported Associated Press on August 6, 2007.

The findings of the new flaw do not affect Microsoft's Internet Explorer but affects previous versions of Mozilla's Firefox Web browser, said Deacon. The attack happens by exploiting a so-called XSS (cross-site scripting) vulnerability. This type of vulnerability is common in Web applications, which can be used to inject code onto some other Web page.

It is not possible to independently verify the flaw. However, attacks using the flaw are a serious problem for social networking sites where it is difficult to monitor and control millions of postings every day.

According to Deacon, the success of the new flaw requires a user to click a link to a Web page where the attacker steals the PC's 'cookie' information. Deacon said after he identified the problem many months back, he had alerted MySpace but the site's company hadn't still found a patch for the problem.

Although MySpace and Facebook both fix vulnerabilities as they come across, but it is similar to a mound of sand, Deacon said. There are so many vulnerabilities out there with numerous more XSS flaws that it is difficult to identify them all, he added.

After Deacon completed his presentation, MySpace sent him an e-mail informing that his page would be removed as he had gone against the service terms. But after that, MySpace patched its new weakness.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 8/21/2007