MySpace users be advised: Websense Security Labs has issued a warning about a security flaw in embedded Apple QuickTime players that could allow hackers not only to steal login information, but also to propagate the worm as users watch infected video.
The phishing scheme targets JavaScript support in QuickTime coupled with a MySpace vulnerability to replace legitimate links with links to pages that look eerily similar to MySpace but are bogus. According to Websense, the worm is spreading rapidly.
“Once a user’s MySpace profile is infected by viewing a malicious embedded QuickTime video, that profile is modified in two ways,” the Websense alert stated. “The links in the user’s page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded in the user’s MySpace site. Any other users who visit this newly infected profile may have their own profile infected as well.”
The vulnerability was reported first on Nov. 16 via the Full Disclosure mailing list, which revealed how MySpace menus could be replaced with malicious code embedded in cascading style sheets. Real-world exploits began to show up within weeks.
An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, or both, according to Websense.