Thursday, November 08, 2007

Alicia Keys MySpace page is hacked

Hi folks,

Attacks on MySpace seem to be on the rise. First, at the end of October, there were a number of links added as friend-comments that went via MySpace's open-redirector (MSPlinks) to exploit sites in China. This was reported publicly on the FunSec mailing list. (All myspace friend-comments _seem_ to automatically redirect thru MSPlinks, probably as a way to try to filter out spam and phishing, but a downside is that the URL is base64 encoded, and is thus impossible for a human being to eyeball, and therefore possibly reject ... the effect of the well-intentioned msplinks is thus to make an open-redirector)

Now, we keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) dns-changers.

The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size ... 8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.

The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra.

This could easily be the same group that recently started watching for Mac users, and offering a Mac trojan as needed, and if that's so, will also add to the effectiveness of the attack.

What's not clear at this point is how they're doing it, and how widespread it is. Neither google nor myspace seems to be indexing the critical bit of html. If you search for the exploit site (, the only results seem to be victims, or people talking about victims.

I guess we'll have to wait for MySpace to tell us what happened.

Here's a vid that shows a bit more...





At 3:29 PM, Anonymous Anonymous said...

The user gets that because they get phished, and the phishers put the code over their profile. It is not a security hole in myspace, just that people get phished

At 6:59 PM, Blogger Xone said...

It seems the redirect page has changed to .. that was displayed on the bottom of Firefox

At 8:28 PM, Anonymous Rob said...

Didn't you hear about the 30k user accounts that got hacked 2 weeks ago?
About half of them were in the UK and other half in the US.
They were hacked then the info for the accounts were posted on 10+ file sharing sites so they couldn't be shut down immediately.

At 1:44 AM, Anonymous JetKing said...

Paperghost uncovered this well over a week ago.

At 2:49 AM, Anonymous LoPhat said...

You do realise Christopher Boyd discovered this last week (october 31st) and has already had quite a lot of airtime?,139137-c,hackers/article.html

Its sort of strange that you've been looking at this but not noticed the numerous pieces of coverage on this story. It seems only fair that you should properly credit Boyd in this post, instead of the passing reference to him in your follow up.

At 4:17 AM, Blogger Pete said...

Roger - Great stuff, and good to see you on Tuesday.
- Pete

At 5:00 AM, Anonymous Sujoy said...

Starting over yet again from scratch because of a hack, or ur profile being maligned-that's the worst kinda hit one can get online. My myspace proifle is safe so far. Won't visit the Alicia Keys page. R&B ain't my thing. Lol

At 11:31 AM, Blogger Roger Thompson said...

Could well be so.

At 12:02 PM, Anonymous Anonymous said...

So - have I got this right? Chris Boyd finds the problem, blogs it and alerts the NORMAL people affected. Then, what 9 - 10 days later, when its gilded in celebrity - its found by someone else and claimed? Am i missing something. What happened to crediting the original source. This smells bad.

At 2:20 PM, Blogger Roger Thompson said...

No. Read the rest of the blog. We found it independently.

At 3:04 PM, Anonymous lophat said...

Whether you found it "independantly" or not, the fact remains that (as you mention in your latest blog) someone else did indeed find this, and I just find it quite odd that you didn't check around anywhere before you went live with this to see if it was actually new or not. ten seconds typing "Myspace" into google news would have done it.

Sure, you apologized to chris and admitted he found it. However, this is *after* 50+ major technology and news sites worldwide covered the story and said your company discovered it.

A little late in the day, perhaps?

At 4:18 PM, Blogger Roger Thompson said...

Look, the _really interesting_ bit about this was the fact that it was Alicia Keys page that was hacked, not how the redirect was done. No one cares about the Dykeenies page (sorry Dykeenies), and no one but the geekiest cares about how the href worked, but Alicia has 250k "friends" on MySpace. If Chris mentioned Alicia Keys, I sure didn't know about it. If I did,I wouldn't have done the vid. As I've said before, as I was making the vid, I remembered someone talking about MySpace hacks in some closed security mailing lists, and _that_ was Alex, _not_ Chris. And it was _not_ Alicia Keys.

"A little late in the day"? You can say that if you like, but the fact is _we found it independently_, and were not trying to rip Chris off.

At 6:08 PM, Blogger George said...

Seems like everyone wants to shoot the messenger. What about putting pressure on google and myspace to go after the bad guys who perpetrated the damn thing.

At 4:39 PM, Anonymous Anonymous said...

You know what? It doesn't matter who found the issue at hand. What matters is that every bit of information to the public is greatly appreciated. I never knew about it until now. Some people watch abc news, some people watch cnn, and on the other hand some people just work and have no time to watch tv at all.

At 8:12 AM, Anonymous Anonymous said...

i think myspace is dealing with computer nerds around the world

At 5:52 PM, Anonymous Yami-Horse said...

Well, this hacking thing is exceeding the limits. My friends & I were all got hacked especially those who had over 1k "friends"! What are those hackers up to anyway?

Thanx for posting this anyway, I got those kind of pop-ups & didn't know what to do.


Post a Comment

<< Home