A XSS worm is spreading like wildfire through MySpace, infecting user accounts and modifying the profile and pages by replacing links. Like most cyber attacks, the MySpace worm relies upon a combination of approaches. This one is based in Javascript, CSS, HTML and uses Apple’s QuickTime component as a supporting vehicle.

An XSS attack, blogged about back on September 5th in GNUCITIZEN, is being combined with a two-week-old known vulnerability in MySpace. This vulnerability was highlighted on November 11, 2006 in Computer Academic Underground ‘s Advisory ID CAU-2006-0001 entitled “Myspace.com Trojaned Navigation Menu”. The crux of the advisory is that given that MySpace users can enter CSS into their pages, the official MySpace menu bar can easily be hidden and then replaced with a bogus menu bar.

This latest attack (not the first unleashed on MySpace), relies on an activity that users don’t give a second thought: clicking on a video. In the case of an specially crafted video, the user’s account is then plunged into phishing hell.

The vehicle for the attack is Apple’s QuickTime, which provides the ability to embed links into movie files. In this attack, this capability is being used to execute javascript that rewrites the MySpace menu (using the CSS method), in order to phish for account credentials and redirect clicks to other URLs.

The attack is particularly viralent given the nature of MySpace; an interconnected series of social networks made of of friends who share video and audio clips, among other things.