digg

Join DiggAbout

The Digg Crew wants to hear your thoughts!
Please take our short survey about Digg and potential feature ideas.

MySpace blames Apple for hacked accounts - actually a MySpace flaw

tuaw.com — A Quicktime movie that made the rounds last week, which altered user profiles and changing links on their pages to redirect to phishing websites. In fact it was a flaw of MySpace in combination with a legit feature of QuickTime that caused all the damage.

show profanity settings
expand all
  • tnwake, on 10/12/2007, -88/+23Yeah nothing is ever Apple's fault. I'd like to hear what exactly this "flaw" on myspace was and how it's any different from the flaw in Quicktime.
    • plarp, on 10/12/2007, -13/+78blame canada
    • mcstewart37, on 10/12/2007, -5/+24http://www.apple.com/quicktime/tutorials/hreftracks.html
    • KrocCamen, on 10/12/2007, -21/+87Apple actually do a rather good job with security, MySpace hasn't, doesn't, and won't.
    • JeffH, on 10/12/2007, -25/+48Exactly. There's been lots of exploitable, major flaws in Quicktime over the past year, so why should I believe that Quicktime wasn't the problem?

      Though I don't really care whose fault it is as long as MySpace dies a painful death via pissing all of it's users off.
    • khag7, on 10/12/2007, -29/+13that is the stupidest feature. most definitely apple's fault, but myspace shouldn't have allowed quicktime movies if they were so unsecured. i never realized that this feature existed. definitely not a fan of quicktime anymore (not that i ever really was)
    • InsomniaSlim, on 10/12/2007, -8/+52MySpace lies CONSTANTLY about problems in its systems.

      Whenever a bulletin gets posted "without the user's knowledge," they claim their password was stolen and their account was "hacked." In reality, there is no form post security, or even a captcha, to confirm a bulletin before post... So when they click a link in a bulletin, it just posts a form to the right URL and the bulletin gets posted.

      MySpace is the place for spam... and I think they might be turning a blind eye to it for two reasons: 1. It would take effort on their part and 2. They were invented by spammers, so they may be allowing it to "partners."

      MySpace is full of lies... I'm getting tired of them misinforming people b/c of their own inadequacies.
    • skyshock21, on 10/12/2007, -4/+10Samy is my Hero.

      http://namb.la/popular/tech.html
    • brlittle, on 10/12/2007, -24/+26Too right.

      I mean, MySpace has been totally honest and forthcoming about every issue with their service. Apple, on the other hand, is nothing but a bunch of security halfwits who never update their software or patch anything to repair problems.

      I think my irony filter just overloaded. Jeebus.

      @JeffH

      C'mon, admit it. You only hang around Digg so you can piss down Apple's leg at every chance, right?
    • skyshock21, on 10/12/2007, -33/+13"This MOV file takes advantage of the QuickTime feature that enables MOV files to contain executable JavaScript functions."

      Why on earth would Apple need embedded javascript functionality for a movie format?!?! I'm never using quicktime ever again. What a fat bag of donkey crap.
    • austindkelly, on 10/12/2007, -10/+19I agree that for some reason Apple is never to blame, but its MySpace, I mean come on, its the worst website on the internets!
    • freff, on 10/12/2007, -21/+15FTA: "The movie...actually capitalized on a MySpace flaw and QuickTime's legitimate support for JavaScript"

      QuickTime's legitimate support for JavaScript? Gotta throw the BS flag there.

      On the other hand, I completely agree with JeffH's hope for myspace's future.
    • threepio, on 10/12/2007, -10/+35Quicktime is used in kiosks wherein executable Javascript makes a standalone, non-interactive video into an interactive display. Simply put, it adds the user into the equation for applications like this. We use it here and it's handy, not to mention incredibly lightweight.

      So double dumbass on you, friend. Mayhaps a little ***** research would get you farther in the future, as opposed to just hollaring ***** and shooting your mouth off on topics where you clearly come to the discussion unequipped to add anything of value.
    • toast1226, on 10/12/2007, -5/+20yet another reason not to use myspace
    • webwormx, on 10/12/2007, -14/+19"it was a flaw of MySpace in combination with a legit feature of QuickTime that caused all the damage"

      That quote is just stupid speculation from an author that doesn't know what he's talking about.

      This is the exact same thing that happened with Flash 8 (And lower) getURL function that could be used by malicious movies to execute code with permissions on the domain they were hosted on. This was fixed in Flash 9 (using the allowscriptaccess="never" property) right after someone was able to demonstrate it on myspace. Because of this, myspace was forced to make all of it's users update to Flash 9.

      This is 100% Apple's fault for not following in the steps of Adobe and fixing what appears to be the exact same problem -- Applets running on a domain should not assume the webmaster wants them to have script access (Through getURL) on the domain.

      Sure, MySpace could disable Quicktime movies, they can then also disable Flash, then they might as well disable CSS (Although the inadequate CSS filtering leading to the Samy worm WAS their fault), then they should disable images (Wouldn't want another jpeg exploit). Aww hell, they should just shut down their site.
    • thespace, on 10/12/2007, -4/+10@webwormx - Apple's fault for not following Adobe? lol, maybe its not a fault at all on anyone's part. MySpace is just a huge experiment and testing the security of all kinds of plugins and scripts. No one is at fault in this.
    • thespace, on 10/12/2007, -8/+9-- digg down, mistake
    • andyduncan, on 10/12/2007, -4/+10@webwormex et al: if you read the linked, linked, linked page announcing the vulnerability (here: http://seclists.org/fulldisclosure/2006/Nov/0275.html) , you'd see that this IS in fact a myspace vulnerability (the ability for a user submit code that can alter the navigation links on their own header, links like 'login'). Someone is using a legitimate (although admittedly obscure) feature of quicktime to take advantage of the vulnerability, but quicktime is not the only potential vector. And it's not quite the same thing as the flash vulnerability.
    • tnwake, on 10/12/2007, -4/+2My point was that the article failed to explain what the flaw was and why it was solely a myspace flaw. I'm not a myspace fanboi, I just prefer not to bash something without just cause and this article did not provide just cause.
    • webwormx, on 10/12/2007, -2/+5@andyduncan

      All that advisory says is that users are able to replace navigational elements on their profile with spoofed links.

      Well......duh. That's the price myspace pays for allowing CSS. Yes, they could block CSS, but then they'd be taking away what appeals most to their users -- Customization.

      But anyway, that advisory is rather stupid anyway. Even if myspace DID block css, people could still add links to their profile that tricked visitors to go to a malicious page.

      This is what really bothers me about disclosure lists. They're full of so much stupid junk written by amateurs who want internet points that the real problems get burried.

      ----

      Regardless, this Quicktime issue is unrelated to whether myspace allows CSS or not. Heck, even if myspace got rid of CSS, the quicktime bug could be used by a malicious applet to write whatever it wanted to the page (Through document.write, or innerHTML).

      ----

      Now I've thought about my previous comment. In a way, yes, MySpace is to blame. But only because they didn't block quicktime movies from being put on profiles the second they found out about this issue.

      In reality, any website that allows users to upload quicktime files could have been hit. MySpace was the primary target simply because of their size. NOT because they didn't code their website correctly.
  • falloutsyndrome, on 10/12/2007, -20/+7I noticed the quick time loading every time I viewed a page. I thought it curious but of no concern to me, no spam on my account or being posted. Blame Apple, it just works.
    • bias, on 10/12/2007, -14/+4you fxxking apple fanboys please stop saying "it just works." like everything doesn't works except stuff that created by your lover steve jobs.
  • jugglingjon, on 10/12/2007, -26/+18I've had problems with quicktime .mov files trying to hijack my browser in the past, I think it's just a weak format, and try to avoid them when I can.
    • pixelfox, on 10/12/2007, -11/+32Wha??? Quicktime hijacking your browser? How the ***** do you manage that?
    • DollaDollaBill, on 10/12/2007, -33/+18quicktime has and always will be a piece of *****.

      / ducks to avoid fanboys throwing old broken ipods at head
    • chedabob, on 10/12/2007, -13/+9Quicktime > WMV

      I like quicktime cos of its decent HD playback. Thats about it. I hate the fact that its bundled with Itunes now.

      Quicktime Alternative FTW.
    • mikesbaker, on 10/12/2007, -7/+7@pixelfox
      by it running java script in the back ground is how
    • naio21, on 10/12/2007, -10/+2@DollaDollaBill: ROFLCOPTER!!!1!one!
  • foobar5892, on 10/12/2007, -6/+3VOIDH. Literally.
  • paulmdx, on 10/12/2007, -10/+22According to the CNET article (linked from article above):

    "The rigged QuickTime movie includes some JavaScript code that will be run automatically"

    Personally I question that being a "legit" feature...
    • JeffH, on 10/12/2007, -3/+17Quicktime allowing scripting has been "legit" for ages now. It's useful in some cases, but I don't recall the last time I have ever seen it been used for something good.
    • chedabob, on 10/12/2007, -9/+10Its a useful feature, its Myspace's fault for allowing javascript to be run.
    • TiMMY8765, on 10/12/2007, -6/+19it's just as legit as .wmf files being able to run some code when opened
    • mikesbaker, on 10/12/2007, -8/+7every one keeps saying it is a useful feature. HOW?
      what possible purpose could a QT movie have to run java script except to make you see an AD or run malicious code?
    • Rivetgeek, on 10/12/2007, -7/+8@chedabob

      "its Myspace's fault for allowing javascript to be run"

      Newsflash sparky, javascript is interpreted on the client side, not the server side. Thanks for playing though.
    • bias, on 10/12/2007, -11/+5lol, nice spinning...
      if Apple allows javascript to run they are "legit".
      if MySpace allows javascript to run it's their fault.
  • ChaseLudwick, on 10/12/2007, -17/+8i wonder who the digg users will side with apple or myspace. haha
    • techpimp, on 10/12/2007, -15/+19Gee it's kind of obvious. This is on the front page and it's under the Apple section. I agree with everyone else, myspace IS a flaw.
  • bmartin, on 10/12/2007, -40/+16How come everything Apple comes out with is crap? The iPod seems to have a myriad of problems, the computers are too expensive... the only thing they have going for them is the Mac OS... and you can't use it on a PC, so what good is it? It already runs on an Intel processor... and they've switched from little to big endian, so why not let people who prefer OSX run it on their PCs? It's an untapped market.
    • BillGod, on 10/12/2007, -3/+16The problem with letting people run OSX on pc's is that Apple looses control over the hardware. They would have to support a thousand different motherboards and million different configurations. With that you then suffer from driver issues and all kinds of other things. Then you become unstable and end up with a rep like MS.

      Just my 2 cents.
    • ThatBlokeRob, on 10/12/2007, -8/+13"too expensive" - Compare some prices (Dell vs Apple), you'll be surprised. I was.
    • UltimaNut, on 10/12/2007, -7/+13"The iPod seems to have a myriad of problems, "

      Ive had one of every generation of full size iPods with zero problems.


      "the computers are too expensive"

      Educate yourself. In a hardware to hardware comparison they actually cost lower then similar or equal systems


      " It's an untapped market."

      You are an idiot. If they let did this their hardware sales would shrink.
    • thespace, on 10/12/2007, -5/+8you're drinking way too much of the M$ koolaid dude
    • WiZZLa, on 10/12/2007, -9/+4"Educate yourself. In a hardware to hardware comparison they actually cost lower then similar or equal systems"

      Do you have any examples in a true hardware to hardware comparison where they cost less?
    • Gottschalk, on 10/12/2007, -9/+5@BillGod

      So if we all drink Apple's koolaid they will have a monopoly on software and hardware.

      Hmm... makes Microsoft look utopian in comparison.
  • chedabob, on 10/12/2007, -10/+17Blame myspace. Not only do they allow javascript, their staff are so lazy. I rarely ever go on myspace, cos I can't even read my message(s) without getting tonnes of errors.
    • Rivetgeek, on 10/12/2007, -3/+9They don't allow javascript, but they can't control what is embedded in a quicktime file. Javascript is executed locally on your client not on the server. Before this there was flash hacks that used actionscripting to redirect the page and myspace complained to adobe and had the new version of flash come with a server side option to disallow actionscript redirects, which they now do.
    • lhnz, on 10/12/2007, -2/+5What are you talking about?! Myspace don't allow javascript!
  • SoundJudgment, on 10/12/2007, -22/+11I can't un-install Quick-Time off of my hard-drive quickly enough whenever it gets stuck on somehow. Now I have yet another valid reason to continue doing so. Thanks, MySpace!
  • SirBotchness, on 10/12/2007, -11/+6Hmm a blog off of an apple blog website, who are they going to side with here? Regardless if it is a feature or not, it is being exploited to attack myspace specifically. The simple fix here is to not visit myspace.
  • Roflman, on 10/12/2007, -10/+1Let's just all go to Tagworld!!
  • EXreaction, on 10/12/2007, -8/+10He/she sorta contradicts their entire article in this sentence.

    "Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles."

    If that is what is going on Apple already noticed it was a bug on their end and are fixing it.

    I BURY BLOGSPAM!
    • thespace, on 10/12/2007, -7/+4Of course its a myspace flaw, Apple has to rework the problem just for myspace. Do you hear of anyone else having this problem? Apple is probably just going to disable the feature for any myspace.com requests.
  • greymarketbrain, on 10/12/2007, -5/+8who cares what happens on/with myspace? It's like the nascar mentality of the net. And take about as much intelligence to use it as it does to watch stock car racing.
  • haiduz, on 10/12/2007, -21/+14**************************************************************************************
    Leave it to the unofficial apple blog (read apple fanboys) to blame myspace and not apple for a security flaw.

    Dugg down as biased
    **************************************************************************************
    • freff, on 10/12/2007, -11/+8You're getting dug down, but that's exactly what we have going on here.
    • haiduz, on 10/12/2007, -1/+3@freff

      Im glad you that at least you can see it. These apple fan boys cant handle the truth if it against apple in anywayThey remind me of the those Scientologists who try to censor those who speak out against them :)
  • HungryMedia, on 10/12/2007, -3/+14I thought Windows Media had this same "feature" ... no?
    • wild, on 10/12/2007, -3/+7No one wants to talk about that.
    • finkployd, on 10/12/2007, -2/+6Shhh.

      People don't like to talk about it because it's usually embedded in the porn they download off of Kazaa.
  • nstern2, on 10/12/2007, -5/+16Heres a pertinent solution. Don't use MySpace!
    • RoloTomasie, on 10/12/2007, -3/+7That sounds like the PERFECT plan.
  • mikesbaker, on 10/12/2007, -10/+5Lets see this guys is saying that the problem is that my space allows you to post video right? And at no point does the CNET article referenced say my space flaw. Apple is ruining technology for the morons. They should spend less money hiring celebs like Bono to push their ***** product and more time making a better product.
    Bury this spam please.
  • uownedge, on 10/12/2007, -6/+15Ladies and gentlemen, I have found the solution.

    Behold:

    Don't use MySpace.

    • omarciddo, on 10/12/2007, -5/+5I'm with uownedge.

      Myspace serves little to no purpose, except for bands perhaps.
    • jl24, on 10/12/2007, -5/+5I'd agree with you there
    • uownedge, on 10/12/2007, -4/+3Well...when MySpace started, it was a good thing. Great way for bands to get their name out there without having to pay for hosting, site design, and upkeep. The problem is, there's little to no moderation, and now it has become a festering pile of suck. In the end, it's really no longer good for bands. The site has a bad name, and a lot of people just plain stay away from it. It's really pretty sad, if you think about, but if you ask me, the staff has really just lost sight of what the site should be about. Probably due to all of the money rolling in from advertisers.

      Regardless, it's just sad. :/
    • avihappy, on 10/12/2007, -2/+2WTF Their site "design" looks like horse *****!
  • general13, on 10/12/2007, -6/+2I heard MySpace IS the Internet.

    Or is it Teh Web?

    I get so confused...
  • lordTalus, on 10/12/2007, -2/+5Someone accept the blame and move the frack on. IT security concerns are prevalent...period. It's not a red headed step child, it's a fact of of life...or whatevs. Some jack ass is going to write some code that another jackass is going to exploit...so another jackass can fix it. It's the circle of life...

    Passing blame is for whiny assholes.
  • teiren474, on 10/12/2007, -8/+5c.. everyone knows that it is quicktimes and thus APPLE's falt because the virus or what ever happened with qucktime wich is an APPLE prouduct. BUT because all of you people have your head up appls ass so much and love apple soo much and you beleve that apple can do no harm that you are to blind to se that quicktime sucks ass, it has flaws, it has secerity flaws. you see because no one knows about any viruses or security flaws in apples prouducts is because so few people use apple computers and there prouducts for vareouise reasons.
    • vegasmacguy, on 10/12/2007, -2/+5Wow!!! I don't even know where to begin. First of all this exploit could've been done in WMV as well as RealPlayer. Both have the ability to embed code and call hrefs from a video. Second this exploit only worked on MICROSOFT IE and FIREFOX. Third Myspace has no way to control what Javascript is running from a media file.

      While I don't agree that this is 100% Myspace's fault, I don't believe it is at all Apple's fault. This is a flaw in the structure of Myspace. Myspace allows users to post videos and embed flash and many other kinds of media. They also allow the use of HTML/CSS. However, they DO NOT allow javascript on their page. The only ways myspace could lock down every thing that gets posted is to disallow all linking and embedding and host the content on their servers so they can convert and clean the content of any malicious code, or scan every file that comes across in an EMBED tag for possible exploits. Maybe they were a little remiss in not doing either of those things, but what site does?

      As for your idiotic remarks. Apple does have its flaws and security holes. This isn't one of them, and to date I have not heard of one being exploited before Apple released a patch. If you want to spout off about a company not taking security seriously you might want to look no further than your own desktop.

      As for Quicktime sucking, once again you Windows fanboys don't actually use a product before saying it sucks. Give me some reasons and some backup as to why Quicktime sucks. Is it slow? Does it not handle large files? Does it drop frames like Windows Media Player? Is it unstable? I use Quicktime on a regular basis as I am a video editor. I find that quicktime is faster than the preview in my NLE software. I also find that it runs quickly, smoothly, doesn't drop frames and the video quality is the best of all the free players.

      I know you won't respond because you're only on here to troll and piss people off. I hope you realize though that you're wasting your time on your little anti-Apple crusade and that nobody really listens to you or respects your opinion.
  • thespace, on 10/12/2007, -4/+2rotflmao, hack only works in ie and firefox on windows, who's really at fault?!??!?!
    • Gottschalk, on 10/12/2007, -1/+2Apparently if something, no matter how false, is said enough times people will believe it.
    • teiren474, on 10/12/2007, -5/+1but you are still using quicktime to play it. so yes firefox and ie are somewhat to blane but because they are so widely used people who make these hacks are going to make it for ie and firefox because why would you spend the time making hacks, bugs etc for safari and.or osx and reolize o wait.... only 5% of everyone who uses computers will get this....
    • pyrates, on 10/12/2007, -3/+3The "flaw" also works on any java script enabled browser so that includes safari too. You gonna say it has to do with just windows now?

      This is the main reason why apple fan boys piss me off. They are so incredibly biased, that they'd let apple smack them and say that they ran into apple's fist rather then admit apple did something wrong. Explain that now.
    • shmatt, on 10/12/2007, -1/+1RTFA, my man, it specifically said the Mac users weren't affected. Maybe you should stop worrying about what other people like, and use what you like, while shutting the F up.
  • zioxide, on 10/12/2007, -3/+6lmao

    myspace is the most poorly coded website on the internet.
  • VTmruhlin, on 10/12/2007, -3/+4"Legit features" are not inherently secure. My understanding is that Quicktime allows code to be executed from a *.mov, which installs crap on the victim's machine. This should not be happening.
    This is like saying the WMF vulnerability a while back was a legitimate feature. Even though it was intended as a feature, it was a stupid idea so it got patched.
    • avihappy, on 10/12/2007, -1/+1CAN it install things? Someone tell me.
  • cyberscape2, on 10/12/2007, -3/+2Nobody ***** cares.
  • Fidodo, on 10/12/2007, -4/+1It seems like it's simply a flaw of myspace and apple. Does it really hurt THAT bad to imagine that apple could possible have some kind of security flaw? If I were apple, I would make javascript support off by default and require a parameter set to allow it.
  • geekee, on 10/12/2007, -2/+4It seems to me Apple should prompt you before executing code from a movie off of the internet. Some feature.
  • rykachik, on 10/12/2007, -3/+4"Quicktime is used in kiosks wherein executable Javascript makes a standalone, non-interactive video into an interactive display. Simply put, it adds the user into the equation for applications like this. We use it here and it's handy, not to mention incredibly lightweight.

    So double dumbass on you, friend. Mayhaps a little ***** research would get you farther in the future, as opposed to just hollaring ***** and shooting your mouth off on topics where you clearly come to the discussion unequipped to add anything of value."

    QFT

    Every single one of you ***** ***** tards should read this. It is a useful feature fnot only for video but also panoramic images, it allows hotspots and links and user interactivity. It is not a flaw in any way shape of form. Saying this is a flaw is like saying adobe is at fault for every single annoying flash banner w/sound.

    • SirBotchness, on 10/12/2007, -1/+2Other than the fact it is being exploited. And boy, you defend it like you own it. doesn't matter if it is a feature, it matters that it is being exploited. Get over it, it has nothing to do with you, you don't program it, so get off your high horse.
  • shadyk8o, on 10/12/2007, -2/+2Myspace is never at fault! Always blame the other guy... there new motto?
    • diggaiden, on 10/12/2007, -0/+1Hmm, this sounds familiar...remember this "apology" from our favorite fruit company?

      "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it"

      substitute Windows with Quicktime and viruses with exploits, and you could almost imagine MySpace making this statement:

      "As you might imagine, we are upset at Quicktime for not being more hardy against such exploits, and even more upset with ourselves for not catching it"

      Yeah, MySpace didn't *actually* make this statement, but it's kinda implied, isn't it?
  • furatail, on 10/12/2007, -1/+1Apple failed hard with Quicktime. I consider it a nuisance on the internet. Open a random quicktime movie and a barrage of spam follows. Surely they have more sense than that to allow any link to automatically open upon launching quicktime.
    Here's an idea for myspace, block the quicktime format until Apple fixes it.
  • haiduz, on 10/12/2007, -1/+3and another thing...


    Why doesnt quicktime have full screen video?!?!

    I heard that the quicktime pro does but you have to pay 30 dollars for it.

    Can you imagine the outcry and hated if Windows Media Player 12 would have a premium version that pays full screen, the but the free version would not.

    ...when apple does it no one has any problems.

    1 more thing, Itunes is the least stable program on my comp, im sure that it runs perfectly on a mac but I also want to play FEAR and UT2k4 and UT2k7 with my ATI 1900 512 MB card.

    1 more thing, the Ipod is the greatest invention known to man. (I call em like I see em)
    • broomett, on 10/12/2007, -1/+1Wow. An MP3 player! Where WOULD mankind be with out it!
  • broomett, on 10/12/2007, -2/+1Yes, because TUAW would NEVER post ***** to defend Apple.

    Oh wait...that is ALL they do.

    Quicktimne was exploited. I don't care if it was an exploit that went through something that has a legitmate use. MOST hacks are done that way. Pretty much every IE security threat goes though holes in IE that aren't holes at all. They are there for a reason for a small number of peope who want it.

    Can't have it both ways apple fanboys. Apple ***** up here. Yes, MySpace sure helped it along with their crappy security as well, but o try to clear Apple of any blame just proves why TUAW will never be taken seriously as a source of information ever.
  • forchilli, on 10/12/2007, -2/+1haha myspace trying to get apple those idiots.
  • h0dg3s, on 10/12/2007, -0/+1Blogspam. I don't want to read a paragraph where every other word is a ***** link either.
  • h0dg3s, on 10/12/2007, -3/+1Why in the hell are people still using quicktime? It's always been grainy quality, even worse than realmedia formats. It's nowhere near the detail that divx/xvid/wmv/mpeg are at.
    • ogre2112, on 10/12/2007, -0/+2The quality has the ability to be great. Go to apple.com/trailers and watch a movie clip.

      Don't compress the movie all to hell, and the movie will look great, same as any other format.
  • vic2msn, on 10/12/2007, -0/+0people tend to do that http://www.myspacetool.info/
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.