Saturday, November 10, 2007

Alicia Keys Unplugged: The MySpace Hack

The Alicia Keys MySpace hack has been in the news this week. Several researchers, including Chris Boyd, and our friends over at (Authentium partner) Sunbelt Software, have blogged about this attack. Roger Thompson at Exploit Prevention Labs recorded a video of the hack.



The hack uses an interesting approach. A large transparent image (8000 x 1000 pixels) carrying a hyperlink is inserted into the page. Clicking anywhere on the page, other than on a legitimate link or an image with a higher z-index, sends a GET request to a malware server in China, which then offers up a dialog box inviting the user to install a new codec in order to properly view the content they are requesting.
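
A defensive check for the overlay described above, as an added example that is not from the original post or from the researchers it cites: it scans user-supplied profile HTML for a hyperlink wrapping an element whose declared size exceeds a typical viewport. The 2000-pixel threshold, the function names and the sample markup (including the `example.invalid` URL) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MAX_DIM = 2000  # assumed threshold: larger than a typical viewport dimension

# Constructed sample: one normal linked thumbnail, one page-covering linked image.
SAMPLE = """
<div class="profile">
  <a href="/music"><img src="cover.jpg" width="300" height="300"></a>
  <a href="http://malware.example.invalid/"><img src="clear.gif"
     style="position:absolute; top:0; left:0; width:8000px; height:1000px"></a>
  <a href="/friends">Friends</a>
</div>
"""

def _px(attrs, name):
    """Pixel size from the HTML attribute, else from the inline style, else 0."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", attrs.get(name, ""))
    if not m:  # fall back to e.g. style="width:8000px" (but not max-width)
        m = re.search(r"(?:^|[;\s])%s\s*:\s*(\d+)px" % name,
                      attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else 0

class OverlayFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href_stack = []  # hrefs of the <a> elements currently open
        self.findings = []    # (href, width, height) of oversized linked elements

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self.href_stack.append(a.get("href", ""))
        w, h = _px(a, "width"), _px(a, "height")
        # Flag the link itself, or anything inside it, that declares a huge box.
        if self.href_stack and (w >= MAX_DIM or h >= MAX_DIM):
            self.findings.append((self.href_stack[-1], w, h))

    def handle_endtag(self, tag):
        if tag == "a" and self.href_stack:
            self.href_stack.pop()

def find_click_overlays(html):
    """Return (href, width, height) for each oversized element inside a link."""
    finder = OverlayFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for href, w, h in find_click_overlays(SAMPLE):
        print("oversized linked element %dx%d -> %s" % (w, h, href))
```

The check reads only inline attributes and `style` values; dimensions set through an external stylesheet would need a rendered-DOM inspection instead.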

Chris Boyd, Director of Malware Research over at spywareguide.com, recently blogged about a series of similar attacks on the sites of other musicians, and provided this snippet of code for those interested (note: the URL shown here is the same as the URL mentioned by Thompson):


The codec isn't required and doesn't exist, of course - and as Thompson demonstrates in the video, you don't have to click on the dialog box to be "owned": you were owned the moment you made the first click on the page.

Q. So where does this lead?

Firstly, the Alicia Keys MySpace page is toxic until proven otherwise, and may suffer permanent damage. But what of the parent site itself?

Obviously, the social networking sites don't yet feel these forms of attack are bothering users enough to prove fatal, or overly damaging to their brands. And no one has yet announced a venture-backed social networking site based around a promise to scan all code and content.

But that doesn't mean the slow "drip, drip, drip" of user discontent hasn't started...

I'm not aware of any active research groups that are tracking defections away from MySpace, or any of the other social networking sites, based on a negative reaction of the user population to the presence of malware, but you have to wonder: at what point will the parasite cause the fatality of the host?

Medical researchers have studied and now understand the "parasite density" levels various organisms are able to tolerate up to the point at which a fatality occurs - but no corresponding data is available regarding how tolerant a user population might be of a highly-compromised social networking site.

Attention computer science grads looking for a thesis - here's a subject that should prove interesting: At what point does a social networking site become so rife with malware that it can no longer survive?

1 comment:

Anonymous said...

This is a big one. MySpace has a really big problem as of today.

Up until now, it was fine. This latest hokey-pokey is intolerable.

We managed our account regularly, but this crosses the line between my responsibility to keep it cleaned up, and MySpace's responsibility to handle global threats to its property.

It is useless as it is today. Will we check back tomorrow? Maybe.

It's too bad, because social networking is a good concept in the absence of the town squares of yore.