Chapin Information Services discovered that efforts by MySpace.com to repair its website last year were inadequate to protect users from a new type of Internet attack.
With the original method employed during an October 2006 attack and one minor change, a Reverse Cross Site Request (RCSR) can still be injected into a MySpace.com e-mail message.
Vulnerabilities of this nature allow attackers to change the appearance of the website and trick the user’s computer into sending a username and password to any destination. In this case, the MySpace.com login form can be duplicated exactly, or the attack can be made invisible to the user.
MySpace.com is a popular website that allows users to create web pages and emails using custom HTML. Because of the security risks involved in allowing users to create content, it is customary either to reject raw HTML or to evaluate it and verify that the markup is completely valid.
However, MySpace.com uses neither approach. Instead, beginning last year, the phrase “type=password” has been removed from all emails to prevent these types of attacks.
This discovery by CIS of a new bug shows that the current approach has been inadequate and has left passwords vulnerable to theft. Users who visit MySpace.com using Mozilla Firefox are advised to disable the Password Manager feature immediately.
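The two approaches described above, deleting one exact phrase versus accepting only validated markup, are contrasted in the following added Python example, which is not code from MySpace.com or CIS. The allowlist policy, the function names and the sample messages (including collector.example) are constructed for illustration, and the second sample is not the variant CIS reported.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this sketch: the only tags and attributes a message may keep.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

# Constructed sample messages: the same form with the attribute written two ways.
SAMPLES = [
    '<p>Hi</p><form action="https://collector.example/"><input type=password name=p></form>',
    '<p>Hi</p><form action="https://collector.example/"><input TYPE="password" name=p></form>',
]

def phrase_filter(html):
    """Blacklist approach: delete one exact phrase and keep everything else."""
    return html.replace("type=password", "")

class _Allowlist(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:          # form, input, script, ... never pass
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:       # the parser lowercases tag and attribute names
            if name in ALLOWED[tag] and value and value.lower().startswith(SAFE_SCHEMES):
                kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always re-escaped on output

def sanitize(html):
    """Allowlist approach: parse, rebuild from permitted tags, report the rest."""
    p = _Allowlist()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped
```

The phrase filter's result depends on how the markup happens to be spelled, while the allowlist rebuilds the message from parsed elements and never emits form controls at all.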