____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Security Advisory ===============/======================================================== Advisory ID: CAU-2006-0001 Release Date: 11/16/2006 Title: Myspace.com Trojaned Navigation Menu Application/OS: Myspace.com Website Topic: Myspace.com's navigation menu can be replaced with a malicious menu via CSS code in the attacker's profile. Vendor Status: Not Notified Attributes: Remote, Passive Advisory URL: http://www.caughq.org/advisories/CAU-2006-0001.txt Author/Email: int3l I)ruid ===============/======================================================== Overview ======== Myspace.com provides a site navigation menu near the top of every page. Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called "Home" which navigates back to the user's personalized Myspace page which is essentially the user's "home base" when using the site. As such this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other user's profile pages. A content-replacement attack coupled with a spoofed Myspace login page can be used to collect victim users' authentication credentials. By replacing the navigation menu on the attacker's Myspace profile page, an unsuspecting victim may be redirected to an external site of the attacker's choice, such as a spoofed Myspace login page. Due to Myspace.com's seemingly random tendency to expire user sessions or log users out, a user being presented with the Myspace login page is not out of the ordinary and does not raise much suspicion on the part of the victim. Impact ====== Users are unexpectedly redirected to a website of the attacker's choice. Users may be tricked into revealing their authentication credentials. Affected Systems ================ Myspace.com: http://www.myspace.com Technical Explanation ===================== The following CSS code can be submitted to a user profile's "About Me" section which will cause the Myspace navigation menu not to be displayed: This allows the attacker to replace it with a malicious navigation menu which may redirect users to an external site spoofing the Myspace login page. If the user is successfully tricked into believing that they must re-authenticate, they will inadvertently reveal their authentication credentials to the attacker. Solution & Recommendations ========================== Myspace should not allow users to add CSS code to their profiles via the update profile form. This restriction can be accomplished by rejecting such submissions or stripping the code out of the form input when submitted. Users should always be aware of the URL information in their browser. As a temporary work-around, users should not use the navigation bars while viewing an untrusted user's Myspace profile. Exploitation ============ Place this code in the "About Me" section of the attacker's Myspace profile:

Home | Browse | Search | Invite | Film | Mail | Blog | Favorites | Forum | Groups | Events | Videos | Music | Comedy | Classifieds

References ========== Myspace.com: http://www.myspace.com Credits & Gr33ts ================ CAU _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/