Security Watch: Don't get burned by viruses and hackers
MySpace YourVirus
By Robert Vamosi 
Senior editor, CNET Reviews
December 7, 2006

One of the major tenets of the new Web 2.0 religion is user-driven content. In order to function, sites such as MySpace and YouTube must allow users to upload their own images, text, video, and even JavaScript to create dynamic profile pages--turning the conventional security wisdom on its head. So what happens in the few instances when the user's intentions are malicious? In the short term, the site filters the offending tags, JavaScript code, and characters, such as quotation marks. There's a limit to this, however, as you can't filter everything. Now, with at least two attacks on MySpace, it seems that user-driven content sites such as MySpace and YouTube may become the new playground for Internet criminals, taking advantage of both the sites' popularity and their openness to upload whatever code the user wants.

Samy is my hero (not)
In October 2005, MySpace had a problem. MySpace, which is owned by Rupert Murdoch's News Corporation, is the fifth largest domain on the Internet, with more than 70 million registered users, and one of its users uploaded a nifty JavaScript virus that spread like a contagious disease. More than 1 million users were infected with Samy. The resulting effect of the virus, however, was relatively innocuous: It added someone named Samy to the user's friends column and appended the phrase "Samy is my hero" to the infected user's profile. When anyone clicked the Samy link within the profile, they also became infected. Billy Hoffman, a security researcher with SPI Dynamics, provided this link for more technical detail on how the Samy virus worked during his talk on AJAX flaws at this year's Black Hat.

At this year's Black Hat briefings, flaws in AJAX (Asynchronous JavaScript and XML) generated the biggest buzz because it can facilitate, in some cases, cross-site scripting (XSS) attacks. The Samy virus used XSS to jump through the various domains used to authenticate and publish profile pages by MySpace, but it primarily used a poisoned SCRIPT tag to spread its malicious JavaScript. MySpace, after analyzing the worm, then started filtering the SCRIPT tag, along with JavaScript, the use of innerHTML, and the quotation marks symbol.

Quickspace
This past week, MySpace was hit with another worm. The Quickspace worm, as antivirus vendor F-Secure dubbed it, exploited a feature called HREF within Apple QuickTime. F-Secure says that infected QuickTime MOV files contain malicious JavaScript code that executes various functions once clicked. HREF within QuickTime has legitimate uses, but in this case, it sent users to well-crafted phishing sites that resembled MySpace login pages.

Users viewing the infected QuickTime video on Internet Explorer or Firefox (Apple's Safari isn't vulnerable) found that video had been added to their profile page and that existing links on the profile page had been replaced with fraudulent ones. Even if you didn't click the video, the links on the infected profile page might have seduced some users into offering their MySpace login information to a third party by mistake. It is possible that this information could be used for advertising or that this whole experience is just another working proof-of-concept for some larger attack down the road. F-Secure says that it has also seen spam associated with the Quickspace worm, and other security sites are noting an increase in spyware installations, as well.

Who's to blame?
Apple is working on a fix for QuickTime, but really the fault lies with MySpace--or rather, with its underlying user model. Filtering user input is hard; it's like filtering port 80 (HTTP). Yet, in order to accept user-driven content, sites such as MySpace and YouTube must both be open and locked down. From what we've seen thus far, this will have to be done on a case-by-case basis. As Billy Hoffman put it in one of his two Black Hat presentations, JavaScript is the new shellcode. Shellcode, once a favorite way for criminal hackers to wreak havoc, is the loader portion of machine code and is sometimes stored in memory space.

Samy leveraged the fact that MySpace once used eval statements to allow malicious JavaScript statements to be stored inside a string of code. This path has since been closed. Similarly, Apple is expected to limit the way HREF statements are used within QuickTime MOV files, blunting the Quickspace worm. But these changes alone won't stop the criminal hackers from finding yet another method to infect user content. As with shellcode attacks, system administrators will just have to learn to filter content--and hopefully stay one step ahead of a major attack.
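The column's point, that stripping a known-bad list of tags, keywords and characters is a losing game, is easiest to see next to the alternative: rebuild user-supplied markup from an allowlist, so that anything the site has not explicitly approved never reaches the page. The sanitizer below is an added example written for this article, not MySpace's filter or any real library; the tag and attribute allowlists, the sample profile snippets and the rule that only absolute http(s) links survive are all assumptions chosen for illustration.

```javascript
// Added example: allowlist-based sanitizer for user-supplied profile HTML.
// Assumptions (not from the article): the allowlists below are illustrative;
// a production site would rely on a maintained sanitizer library.

const ALLOWED_TAGS = new Set(["b", "i", "p", "br", "a"]);
// Attributes permitted per tag; everything else (including on* handlers) is dropped.
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const VOID_TAGS = new Set(["br"]);
// Tags whose inner content is discarded along with the tag itself.
const DROP_CONTENT_TAGS = new Set(["script", "style"]);

// Encode the characters that can change HTML context when echoed as text.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs are accepted as link targets (assumed policy).
function isSafeHref(value) {
  return /^https?:\/\//i.test(value);
}

// Parse a tag's raw attribute string and keep only allowlisted attributes.
function filterAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const out = [];
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if (name === "href" && !isSafeHref(value)) continue;
    out.push(` ${name}="${escapeHtml(value)}"`);
  }
  return out.join("");
}

// Tokenise on tags. Text between tags is always escaped; tags are rebuilt from
// the allowlist rather than passed through, so unknown markup never reaches
// the page. Open tags are tracked so the output is always balanced.
function sanitizeProfileHtml(input) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const open = [];
  let out = "";
  let last = 0;
  let skipping = null; // tag whose content is currently being discarded
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    if (!skipping) out += escapeHtml(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (skipping) {
      if (closing && tag === skipping) skipping = null;
      continue;
    }
    if (DROP_CONTENT_TAGS.has(tag) && !closing) { skipping = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag: dropped entirely
    if (closing) {
      if (VOID_TAGS.has(tag)) continue;
      const idx = open.lastIndexOf(tag);
      if (idx === -1) continue; // stray close tag: dropped
      while (open.length > idx) out += `</${open.pop()}>`;
    } else {
      out += `<${tag}${filterAttributes(tag, m[3])}>`;
      if (!VOID_TAGS.has(tag)) open.push(tag);
    }
  }
  if (!skipping) out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample profile snippet, run stand-alone for inspection.
console.log(sanitizeProfileHtml('<b>Hi</b> <script>doStuff()</script> bye'));
```

The design difference from a blacklist is that the sanitizer never has to name what is dangerous: a new tag, attribute or URL scheme that the site has not approved is dropped by default, which is the case-by-case control the column argues user-content sites will need.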

Will sites such as MySpace and YouTube become the next target for criminal hackers? Why or why not? Talk back to me.
