Ay of you who have been reading Brain Handles for a while might remember when I blogged about a CSS Hijack on MySpace back in April.
Well, in recent weeks, it's reared its ugly head in a big way when MySpace pages belonging to Alicia Keys and many lesser-known artists were hacked to dispense malware. And the major component of the hack... Well, let's look at the dissection of the hack over on SpywareGuide.
Scroll down to the first code sample, and there's the hack I was warning you about 7 months ago. But I was being alarmist, since your friends couldn't do this with a comment. It could only be done by you in certain profile sections that you alone controlled. Essentially, you could only hijack your own MySpace page, so it wasn't a huge hairy threat.
A current bone of contention is that MySpace is claiming all the hacked sites were hacked by phishers, while some experts and media members are asking how phishers could have gotten the login credentials for that many band/artist profiles.
Well, let's look at SpywareGuide's code sample. We can see that the code was injected in the "Influences" section. Whether or not all those bands gave up their credentials to phishers, or the attackers found another backdoor in, the hack was placed in a space that only the profile owner should be able to change.
The hackers got access to those profiles that only the owner should have. But even if the owners accidentally gave it away, is it their fault or MySpace's? I say it's MySpace's.
All those cool (or garish) backgrounds and a lot of the other customizing on profiles is done through Cascading Style Sheets (CSS). One thing that advertisers and corporate overlords (like Rupert Murdoch) love is the "time spent on site" measurement. It's not just how many people visited, but how long did they stay. And if MySpace were to secure their pages against such hacks, they'd also secure them against a lot of customizations that their members spend hours playing with and tweaking.
In short, MySpace knew this hack was not only possible, but actually in use, but the quick and easy way of disabling it (disabling the user's ability to add CSS code to their pages) would disable one of the things that help them earn their performance bonuses. And the non-quick-and-easy way must have been judged too complicated or too expensive, so they just left it at the status quo.
And now they're trying to blame it on their users. Well, whether the users gave away their passwords to phishers or not. MySpace left the loaded gun lying around in their profiles. In the end, the blame for the hack is MySpace's and no one else's. But until people start taking them to task for these security breaches and stop letting them blame users, MySpace will keep choosing whizbang over security and MySpace will keep putting millions of users in danger.
Entries (RSS)
If you are stupid enough to give your pass to a phisher then you deserve it my opinion
[...] The recent MySpace hack, where band pages were hacked to cover them up with an invisible link that sent you to a malware infection site, showed that it can be dangerous to let users put HTML in their pages. To allow users to customize their pages with everything from images to new backgrounds, MySpace allowed some pretty complex HTML to be used. Hackers took advantage of that to use some CSS tricks to create those page overlays. [...]