An XSS attack, blogged about on GNUCITIZEN back on September 5th, is being combined with a two-week-old known vulnerability in MySpace. This vulnerability was highlighted on November 11, 2006 in Computer Academic Underground’s Advisory ID CAU-2006-0001, entitled “Myspace.com Trojaned Navigation Menu”. The crux of the advisory is that, because MySpace users can enter CSS into their pages, the official MySpace menu bar can easily be hidden and then replaced with a bogus menu bar.
This latest attack (not the first unleashed on MySpace) relies on an activity that users don’t give a second thought: clicking on a video. In the case of a specially crafted video, the user’s account is then plunged into phishing hell.
The attack is particularly virulent given the nature of MySpace: an interconnected series of social networks made up of friends who share video and audio clips, among other things.