MySpace gets XSSed again

Written by KF

Tuesday, 22 January 2008

Rosario Valotta sent us an interesting article about his discovery on MySpace. It looks like MySpace has launched a mobile version of its portal, this version allows visitors to do pretty much everything, including editing your profile, however, this version does absolutely the contrary than the main portal: it filters outputs (when printing the profile content), while the main portal filters inputs (when inserting/modifying profile entries). This allows anybody to insert any javascript/html code into his profile through the mobile site and "own" users who view his profile on the main portal!

But what is worse is that when they will *fix* the problem by filtering the inputs on the mobile portal, it will not change the profiles with javascript/html entries, just like it happened with other XSS holes in the past! This vulnerability cannot be used to propagate a worm, as the mobile portal uses only its own authentication process, but still it can be exploited to steal cookies/accounts, or for phishing attacks...

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.