Hijacking MySpace Pages

Adrants wrote about a certain MySpace profile (very unsafe for public viewing) that, when accessed, automatically loaded a porn-peddling page. This is interesting because MySpace doesn't allow JavaScript on user pages, nor does it let users change meta tags to set up a redirect. A quick look at the source code of that MySpace page revealed that the redirect instructions were contained in an embedded, invisible Flash file. If you are curious, look for the line *embed allowscriptaccess="never" src="http://extravidscodec.com/fla.swf"*. The most troubling part is that you can apparently embed the same file in the comments you leave on other people's profiles, and these comments show up on the main profile pages. If that's true, then redirecting a popular brand profile anywhere would be a matter of seconds.

I have two accounts on MySpace, one primary and one for testing purposes. I tried to post a comment with the embedded redirecting Flash on my secondary profile and it seems it went through, but when the comment preview page came up, I got redirected to porn too fast to actually press the "post" button.

Update [July 11, 06]: "Users of MySpace who find a link to a video and press the Play button may have just agreed to install adware from 180solutions' Zango division." (Security Pro News)
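The gap described in the post is a comment filter that blocks JavaScript and meta tags but lets an `embed` tag through. The sketch below is an added example, not MySpace's code or anything from the original post: a server-side allowlist sanitizer for user comments that keeps only a few formatting tags, so plugin content never reaches the profile page. The tag policy, the function name `sanitize_comment` and the sample comment are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: the only tags a comment may keep, with their allowed attributes.
# embed/object/iframe/script/meta are absent, so they are always dropped.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
           "p": set(), "br": set(), "a": {"href"}}
VOID = {"br"}  # allowed tags that take no closing tag


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output fragments
        self.dropped = []   # names of rejected tags, for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            # href is the only allowed attribute; it must be an http(s) URL
            if name in ALLOWED[tag] and self._safe_url(value or ""):
                kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped

    @staticmethod
    def _safe_url(value):
        return urlsplit(value.strip()).scheme.lower() in ("http", "https")


def sanitize_comment(html):
    """Return (sanitized_html, dropped_tag_names) for one submitted comment."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample comment (placeholder host, not the one from the post).
SAMPLE = ('Nice <b>page</b>! <embed allowscriptaccess="never" '
          'src="http://untrusted.example/fla.swf" width="1" height="1">')

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE))
```

The `dropped` list is worth logging per account: repeated rejected `embed` or `object` tags in comments are a cheap signal of someone probing the filter.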

  1. To finish, you can disable your flash plugin. You don't need to have it working to post it.


