101 Comments
- sockpuppets, on 10/12/2007, -8/+106 Any worm that takes me off MySpace isn't half bad really.
- pcgeek101, on 10/12/2007, -28/+76 Apple software has flaws? Awww, I thought only Microsoft's did ... :-)
- inactive, on 10/12/2007, -10/+52 "Any worm that takes me off MySpace isn't half bad really"
lmao, last time I checked Myspace was the worm
- stephenv, on 10/12/2007, -2/+20 Javascript controls have been a documented feature of QT since v3. MySpace should have been a lot less cavalier about allowing its users to play with HTML so much to begin with (seems there's a new MySpace exploit every 6 months or so now).
http://gemma.apple.com/documentation/QuickTime/Conceptual/QTScripting_JavaScript/bQTScripting_JavaScri_Document/chapter_1000_section_1.html
- Dog_Paddle, on 10/12/2007, -2/+20 Phishing Myspaces is super easy. Really, most of the users don't care what it says in the URL at all. Just make a fake Myspace page that logs the email/password, send it to your friend and say something like, "Hey, check out this hot chick" or something like that. Bam, you got access to his Myspace, and probably a lot of other sites he uses too.
- luistux, on 10/12/2007, -3/+18 I think it is worth noting that the exploit is not a QuickTime exploit. It uses a feature of QuickTime to lead the user to another page that looks like MySpace (WMP also has that feature).
The user then logs into the fake website where the info is taken.
The article linked is not very informative; their link to the original article is a lot better, with technical info and actual information on the exploit.
- inactive, on 10/12/2007, -1/+15 foobar: actually, that's the exact definition of phishing.
- DucksofAnaheim, on 10/12/2007, -11/+25 I hate Quicktime... it is ugly and despite what anyone says, on the Windows platform it has NO right-click functionality. I replaced it with VLC media player long ago. Being able to right-click greatly improves one's efficiency. The same clowns that made Quicksand must have made the buggy iTunes software?
- Van3ck, on 10/12/2007, -0/+12 Spywares on myspace? Who Knew?
[CLICK FOR FREE SCAN]
- gabebear, on 10/12/2007, -2/+13 actually it doesn't look like a flaw/bug in any software
http://www.f-secure.com/v-descs/js_quickspace_a.shtml explains how the attack is done.
What is happening is someone has used the JavaScript functionality to make a fake myspace login screen appear in a Quicktime movie, that stupid MySpace users are logging into. This doesn't seem to be a problem with Quicktime, it's a problem with MySpace users....
You can peek at the javascript at http://www.tm-group.co.uk/images/js.js
- NinjaBoy, on 10/12/2007, -0/+9 aww so hot_webcam_girls didn't really want to be my friend?
- NinjaBoy, on 10/12/2007, -0/+9 Free Xbox360 wants to be your friend.
- inactive, on 10/12/2007, -0/+9 "[CLICK FOR FREE SCAM]"
*fixed*
- eplawless, on 10/12/2007, -2/+9 I would only ever trust a team that looks like that with computer security. That's how you can tell they're professionals.
- inactive, on 10/12/2007, -2/+8 They look pretty ordinary to me.
- procdaddy, on 10/12/2007, -1/+7 I don't think you guys get the point... the problem is not what player people use. It is the embedded .mov in some pages. :/
- titlesaysitall, on 10/12/2007, -0/+5 Hey dude I got a free iPod! CLICK HERE!
- kylesellers, on 10/12/2007, -0/+5 'Cuz I needed another reason not to go to MySpace.
- dbr_onix, on 10/12/2007, -0/+5 Why mess around with msconfig? There's an option in the Quicktime Preferences > Advanced Tab: an option to disable the Quicktime Tray icon (which stops the quicktimetask)
Anyway, that won't help the problem, since Quicktime will still be loaded as necessary (say, by MySpace worms..)
- Ben
- rephlektiv, on 10/12/2007, -0/+4 In short:
"An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window."
http://www.apple.com/quicktime/tutorials/hreftracks.html
- inactive, on 10/12/2007, -1/+5 Start -> Control Panel -> Add / Remove Programs
Uninstall Quicktime
Reboot.
There you go, the security hole has been fixed!
- Kylde, on 10/12/2007, -2/+5 lame, just start - run - msconfig, navigate to the startup tab, untick qttask.exe :) Don't mess with the registry when you don't have to
- inactive, on 10/12/2007, -4/+7 @foobar5892
Not so. You can have a very stupid user base that's completely immune to these attacks if they're sufficiently paranoid.
Just look at Linux users. Dumb enough to use an inferior, unstable kludge hacked together from stolen code, but paranoid enough to avoid most phishing attacks.
- lonemarauder, on 10/12/2007, -0/+3 "though that still looks like MySpace"
That is comedy.
- inactive, on 10/12/2007, -0/+3 sorry for the Ebonics
- SirBotchness, on 10/12/2007, -5/+8 That's what happens when people actually start using Apple software, then the hackers start to target those applications too. Welcome to the internet, Apple fans.
- inactive, on 10/12/2007, -0/+3 msconfig used to work with me, but not with Updated Quicktime (at bootup) or whatever it is :)
- dbr_onix, on 10/12/2007, -0/+3 The javascript is embedded in a Quicktime file, and NoScript won't prevent JS being run in Quicktime. Not sure if NoScript blocks Quicktime files, so that might help.
But anyway, I really doubt most people using MySpace will know to install NoScript (or even be using anything other than their OS's default browser..)
- Ben
- piddlespank, on 10/12/2007, -1/+4 many thanks, but we've been here a while.
- SCMacUser, on 10/12/2007, -0/+2 Oh god. Someone just invoked Facebook.
Like Facebook is SO much more mature and better than myspace.
Kettle? Meet Pot.
- Pile, on 10/12/2007, -0/+2 Every time you run quicktime, that virus will try to re-install the qttask program.
I second the notion of completely un-installing Quicktime in the first place.
After that, get a copy of Startup Control Panel and Startup Monitor, so the next time one of these programs tries to auto-startup, you can nip that in the bud.
- Steel_Blue, on 10/12/2007, -0/+2 yay!
- Kaglan, on 10/12/2007, -0/+2 There's a great program called "Autoruns," published by sysinternals.com (now owned by Microsoft) that lets you disable the qt and itunes tasks and also ipod helper (which seems to run whether or not you have ever used an ipod). You're right, though, if you ever upgrade, it will be installed again.
I used to be a big quicktime fan because it didn't seem to take over your system as much as realplayer or windows media player did, but a) I was using a mac at the time, and b) things have somewhat changed. I am a big itunes fan, though, and that means living with quicktime.
- dbr_onix, on 10/12/2007, -0/+2 A valid question.. It's not a bug in the code (Yes, "It's a feature"), so technically it should affect Quicktime Alternative too, since it (should) implement the embedded Javascript stuff.
Not sure whether or not QA implements the "enhanced media" stuff (like the clickable links in MOV files that some podcasts like Macbreak use)
- Ben
- ZackS, on 10/12/2007, -1/+3 The thing that's funny is that you wanted to bash Apple so badly that you forgot to figure out what is actually going on here.
This exploit works by using IE to install spyware and then having Quicktime call a Javascript that changes the user's MySpace profile. Not only is this not Apple's fault, but it also only works on Windows, the spyware is installed due to flaws in Microsoft's software, not Apple's, and it could have been carried out in any number of different ways using Flash or any other plugin allowed to call Javascript.
Whose fault is it really though? I'd say the fault belongs with the user, for not keeping things updated and clicking on sketchy links without looking, with MySpace, for allowing way too much HTML customization and file embedding on their pages, and a bit with Microsoft for allowing IE to have the security flaw used by the spyware in the first place.
- rephlektiv, on 10/12/2007, -2/+4 FYI - noscript for firefox is a simple and elegant solution. wait, so is uninstalling quicktime. har har.
http://www.noscript.net/whats
"NoScript provides extra protection for your Mozilla/Firefox or Flock browser: this extension allows JavaScript and Java execution only for trusted domains of your choice (e.g. your home-banking web site). "
- inactive, on 10/12/2007, -2/+4 @TheReport
It took me a minute to figure out what your beef was.
Then I realized why you didn't like them.
Clearly, there are too many Asians in the group for your racist ass.
By the Way, the 1950's called, and it wants its racial stereotypes back. It says you've been borrowing them for far too long.
- djdole, on 10/12/2007, -0/+2 MySpace pages feel way too much like the home HTML boom of the 90's where everyone and their grandma were creating horribly designed home-pages with animated GIFs, banner text, blink text etc, only now with streaming media via YouTube and the like.
Now I'm GLAD I never jumped on the MySpace bandwagon with everyone else.
- challahc, on 10/12/2007, -1/+3 Is that a fanny pack?!
- inactive, on 10/12/2007, -2/+3 @anmol2k4
I love bashing apple as much as the next guy, but your post was:
Poorly Written
Recycled a Joke used at the top of the thread.
Rambling and without structure.
Revealed a depressing and somewhat pathetic lack of verbal and writing skills.
Is the same damn joke used EVERY time an Apple related security hole is found.
Suffered from a complete and total lack of originality.
Was probably copied and pasted from another Apple thread.
- Aliarse, on 10/12/2007, -2/+3 Simple solution.
Don't use myspace.
- inactive, on 10/12/2007, -0/+1 "@TheReport -- Omg, you're so original -- I've never heard that one before! You want to make fun of Vista too, whilst these things are the height of their popularity? No? You sure?"
Umm dude, go visit a Therapist... you ***** *****
- akan, on 10/12/2007, -0/+1 are you kidding me? this is JUST being patched? this has been going on for YEARS. finally someone picked up the pace a little *rolls eyes*.
- sparkmonkeyz, on 10/12/2007, -0/+1 this has happened to me, I clicked on a link, it took a screen of my page from my internet cache, then posted it, when I looked at the address bar, it was in no way myspace.com
- 23pixels, on 10/12/2007, -1/+2 Myspace has so many problems yet people still connect to it. I bet as some of you guys read this, you're logged into it right now watching some vids.
- OrangeTide, on 10/12/2007, -0/+1 what use is a moron's internet accounts?
- DucksofAnaheim, on 10/12/2007, -0/+1 RDF is the idea that Steve Jobs is able to convince people to believe almost anything with a skillful mix of charm, charisma, slight exaggeration, and clever marketing.
- el3ctro, on 10/12/2007, -0/+1 dude this concept is nothing new, this crap has been around for a while now.... k ..how stupid can people be ? i guess pretty stupid
- scottschiller, on 10/12/2007, -0/+1 Good find, unfortunate hole. Enabling plug-ins to call javascript directly (or rather, building them with that in mind) in the browser is just another potential attack vector that has to be considered.
I'm not sure of the exact details, but Flash 8+ has the same capabilities with ExternalInterface (bi-directional js-> flash and flash-> js), and Flash for years has been able to call external javascript: URLs. Since the script runs within the context of the host page, it is able to do anything it wants. I *think* Flash 9 fixes this with the allowScriptAccess attribute on the object/embed tag or some other update. MySpace I believe recently pushed Flash 9 for their site recently to get around this issue.
- el3ctro, on 10/12/2007, -0/+1 dude this concept is nothing new, this crap has been around for a while now.... k ..how stupid can people be ? i guess pretty stupid
all this is , is just uneducated users... the users need to realize that viruses are out there, and usually can be very similar in form ... in many ways .. dude... im terrible at explaining crap, but this has nothing to do with quicktime sucking, or apple sucking, or myspace or WHATEVER dude... this could happen with any program any website..... holes happen, and uneducated users happen. its inevitable no matter the program or the website.
i love how i talk about uneducated users, and manage to double post, ROFL
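
Added example (not from any commenter, MySpace, Apple or Adobe): a sketch of the server-side check that procdaddy's point about embedded .mov files and scottschiller's point about allowScriptAccess lead to, auditing user-submitted profile HTML for plugin content that can script the host page. The extension lists, finding names and sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

QT_EXTS = (".mov", ".qt")   # assumption: extensions treated as QuickTime media
SWF_EXTS = (".swf",)        # assumption: extension treated as Flash content

class PluginEmbedAuditor(HTMLParser):
    """Flag plugin content in user-supplied HTML that could script the host page."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (reason, url) tuples
        self._object = None  # params of the <object> currently open, if any

    def _judge(self, url, script_access):
        path = urlparse(url).path.lower()
        if path.endswith(QT_EXTS):
            # An HREF track lives inside the movie file, so markup cannot vouch for it.
            self.findings.append(("quicktime-embed", url))
        elif path.endswith(SWF_EXTS) and script_access.lower() != "never":
            self.findings.append(("flash-script-access", url))  # absent attribute fails too

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # HTMLParser lowercases attribute names
        if tag == "embed":
            self._judge(a.get("src", ""), a.get("allowscriptaccess", ""))
        elif tag == "object":
            self._object = {"movie": a.get("data", "")}
        elif tag == "param" and self._object is not None:
            self._object[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            o, self._object = self._object, None
            self._judge(o.get("movie") or o.get("src", ""), o.get("allowscriptaccess", ""))

def audit(html):
    parser = PluginEmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input, not taken from the attack discussed in the thread.
SAMPLE = """
<embed src="http://media.example/clip.mov" autoplay="true">
<embed src="http://media.example/player.swf" allowScriptAccess="never">
<object><param name="movie" value="http://media.example/widget.swf">
<param name="allowScriptAccess" value="always"></object>
"""
print(audit(SAMPLE))
```

A site would reject or rewrite any submission for which `audit` returns findings, rather than relying on visitors to notice the address bar.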