digg

Facebook Connect Join Digg About

MySpace Hacked Using Simple HTML Exploit

centernetworks.com It appears a new hack and exploit has appeared on MySpace - Alicia Keys profile is affected along with others. The hack and exploit is pretty simple but very "deadly". Basically a user puts a link to the infected ste with just a simple href tag (no script tag) using some css to position the element anywhere that an element doesn't already live.

Who dugg this? Made popular Nov 9, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

105 Comments

show profanity settings
expand all
  • bballbackus, on 11/14/2007, -8/+71Myspace sucks period. End of statement
  • chris9902, on 11/10/2007, -5/+511337 HTML H4X0RZ?
  • HorrorLemon, on 11/10/2007, -1/+27I'll go you one better, from the guy who found it last week: http://www.vitalsecurity.org/2007/11/myspace-band- ...
    the hack STILL WORKS and alicia keys stupid page has been HACKED AGAIN. how the hell can myspace claim theyve fixed this? jesus.
  • koweja, on 11/14/2007, -1/+26Holy *****! Someone better fix this before hackers mess up myspace profiles so badly that they end up conforming to usability standards.
  • MikeonTV, on 11/12/2007, -3/+27Your telling me that Myspace uses archaic scripting? Really?
  • Afronautica, on 11/12/2007, -2/+25Now if only MySpace could fix that "bug" that causes me to break out into an epileptic seizure when ever I visit a profile page!
  • Ajajadude, on 11/10/2007, -2/+23Well, that's kind of disgusting, not to mention unsanitary.
  • abandonedhero, on 11/12/2007, -0/+20I mentioned the flaw (that it only masks the website's identity) in the MSPLinks to Tom, and he promptly told me I was an idiot. I'm CS major, and he proceeded to attempt to mock me about it.
    Screenshot here: http://img127.imageshack.us/my.php?image=picture1m ...

    Tom's an idiot, and the team they have running/developing the site does a terrible job.
  • expert01, on 11/12/2007, -2/+17This is NOT hacking myspace! This is placing a link to a website with malware. How can people be so stupid?
  • aquafinality, on 11/10/2007, -12/+26This is really weird, because this story has already been covered here on the 31st of october: http://www.pcworld.com/article/id,139137-c,hackers ...
    heres the writeup by the people who actually found this originally: http://blog.spywareguide.com/2007/10/bandjammer_ha ...

    Whats even MORE interesting is the guy who this article links to puts a real lame "oh btw this guy found it at the same time or maybe even earlier BUT ANYWAY..." in a follow up blog, but *not* the main entry.
    http://explabs.blogspot.com/2007/11/ok-now-this-is ...
  • inactive, on 11/13/2007, -13/+26im so sick of you mac fanboys
    who are you impressing with your overpriced fake unix POS's
  • stevo101, on 11/10/2007, -0/+11the guy who discovered this originally isn't too pleased http://www.vitalsecurity.org/2007/11/spot-differen ...
  • inactive, on 11/10/2007, -1/+12I'm more surprised that someone who uses myspace actually knows some real html code. Even if its just how to create a basic link.
  • TaintedWisdom, on 11/13/2007, -0/+10No, they just use it to find 13 year old girls!
  • inactive, on 11/10/2007, -0/+9hate to break it to you, but there is no 'href' tag - I think you mean the 'anchor' tag.
  • blackmage439, on 11/10/2007, -1/+9Except for the fact that NONE of those links work...

    Fail.
  • DeathfireD, on 11/10/2007, -3/+11how is this new? Its been around since Myspace was made. In fact a few wide spread viruses where spread by people managing to steal some passwords to accounts and then adding their own menu over the original menu on the top of the page using a div. Then when someone clicked on any of the new menu urls they where sent to a phish site.

    I'm no hacker but I used this to get ride of all the useless urls and ads on the top of the page. I put a nice div with my own urls in to point people to site I visit everyday :P.
  • Unlgued, on 11/10/2007, -0/+7wtf is a myspace?
  • Matteos, on 11/10/2007, -2/+9Just to finish this thread off nicely and to save some time...

    So you're gay?
    ---He uses Facebook too... i.e. gay and educated.

    im so sick of you mac fanboys
    who are you impressing with your overpriced fake unix POS's

    Aren't you special

    Glad you're retarded and use a POS.
  • rickyx2001, on 11/10/2007, -0/+6They have fixed this -- try to add a comment that contains an A tag with a style attribute, then view source on the confirm-comment page -- myspace now replaces: style= with two dots. Problem solved. An HTML validator would disagree, but then again so would it with the rest of the site.
  • Anteros, on 11/10/2007, -1/+7The main question is how the link got there in the first place, it didn't come from the user comments
  • orthodoxDrew, on 11/12/2007, -0/+6he's as professional sounding as his website looks.
  • ThreeDee912, on 11/10/2007, -0/+5Basic example showing the difference between stupid and smart computer users. Don't just randomly type your passwords into a random page looking like myspace/paypal/bank/whatever page. 99% of MySpace's users are morons.
  • zzz@tkz, on 11/10/2007, -1/+6That's no seizure, it's the blink tag.
  • fr34k5h0w, on 11/12/2007, -2/+6Hey don't talk about my friend like that!
  • Ajajadude, on 11/10/2007, -0/+4You could never tell from the stability issues that site is constantly having!
  • MrMacMan, on 11/10/2007, -3/+7an easy way to get flamed is to say stereotypical things like this...
  • knetworx, on 11/10/2007, -0/+4Now THAT would be a story!
  • sexybobo, on 11/09/2007, -1/+5that is because a large percent of my space users are 100 years old.
  • Subterfug, on 11/10/2007, -0/+4I love how the ***** in the video on that page tries to make you feel insecure about going to myspace without their bollocks POS software "LinkScanner."
  • flameboy, on 11/10/2007, -0/+3MSPLinks is not simply just a method to prevent hack sites from saying active (there are tons of loops holes hackers use, months after the msplinks launch. It also serves to be an easy censorship mechanism when Myspace decides its time to start blocking competitors sites (AGAIN) or any site Fox News deems dangerous for young-teen consumption.
  • stevo101, on 11/10/2007, -2/+5youre missing the point, its not that he found that people are overlaying pages using Divs - I'd have thought that was rather obvious. He's legitimately annoyed because

    1) he worked out over a week ago that someone was systematically targeting band pages - NOT normal users, but band pages - to quicken the spread of the malware. this is interesting, and not the usual "random band gets caught by a phish".

    2) youre saying its okay, then, for you to do whatever it might be you do in the course of your work, have it documented and credited - and then someone comes along a week or two later and just lifts it wholesale with no attribution of the initial find?

    nah.
  • uberamd, on 11/10/2007, -0/+3Facebook: 1
    MySpace: 0
  • Chirp08, on 11/09/2007, -1/+4don't own a mirror eh?
  • trollick, on 11/10/2007, -5/+8Aren't you special
  • xkrwlng, on 11/10/2007, -0/+3anybody dumb enough to use myspace AND IE, deserve what they get.
  • Stonekeeper, on 11/11/2007, -0/+3A great overview of the exploit:
    http://www.youtube.com/watch?v=_VipylmHnII
  • knetworx, on 11/09/2007, -0/+3And the links still don't work. Digg truncates them at a certain length (looks like somewhere around 48). Use tinyurl if you're going to try to post long links.
  • knetworx, on 11/10/2007, -2/+4Exactly. Let me know when somebody comes up with a hack to make MySpace usable *Then* I'll consider it Digg-worthy.
  • DigTheDoug, on 11/12/2007, -2/+4That's awfully redundant.
  • stevo101, on 11/10/2007, -2/+4by the way, you missed the part (in both the original piece from PC World) and on his numerous blog entries where he contacted myspace repeatedly and was ignored.
  • tomtux, on 11/12/2007, -0/+2an easy way to get flamed is to say stereotypical things like this...
  • aus10js86, on 11/10/2007, -0/+2Nice idea for dealing with the adds. I will have to try that
  • Daniel15, on 11/10/2007, -0/+2"That's not a bug, that's a feature"
    Or so they'd say. :P
  • abandonedhero, on 11/10/2007, -0/+2The people burying you don't quite understand the reference, but I dugg you up because I caught it.
  • boiboi, on 11/10/2007, -0/+2Funny how some idiots think it's because of IE. lol
  • inactive, on 08/11/2008, -0/+1Yep.
  • DeathfireD, on 11/10/2007, -3/+4he sounds like a cry baby. This problem is very old and hasn't been fixed because myspace owners though their whole "lets change urls into myspace short urls" would solve the problem. However that idea only hides the real addresses and causes more people to get infected without them knowing since they cant see where the url is going to take them. This guy shouldn't have gone through all the trouble he did to help people, he should have simply e-mailed myspace and told them the problem that they already knew about and point out all the pages that he found that where hacked.
  • inactive, on 11/09/2007, -0/+1Aww, I knew Mice Pace was still immature.
  • Fetching more discussions...
    Show 51 - 100 of 106 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.