QuickTime HREF tracks functionality can potentiate phishing (MySpace vulnerability): Avoiding
News outlets are buzzing about a newly exploited -- but long extant -- phishing vulnerability that in part rests on the ability of QuickTime movies to automatically and involuntarily open URLs.
The exploit is carried out through the "HREF tracks" functionality in QuickTime. Essentially, HREF tracks allow the movie author to specify JavaScript functions or Web pages that load in a specific browser frame or window when a QuickTime movie is played. This tactic is used by some movie trailers, for instance, to automatically lead users back to the associated promotional Web site.
The current manifestation of this flaw involves MySpace user profiles. When user A is logged into MySpace and plays a malicious QuickTime movie stored in user B's profile, JavaScript code is executed that makes changes to user A's profile -- embedding links that lead to phishing sites and placing a copy of the malicious QuickTime file on user A's profile page. The placed links can lead to spoofed (fake) MySpace login pages that harvest username/password data.
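The article describes what an HREF track does but not how to tell whether a given .mov carries one. The following script is an added example written for this page (not MacFixIt's or Apple's code): it walks a QuickTime file's atom tree, notes any track named "HREFTrack", and reports URL directives found in the media data, distinguishing links that open only on click from those marked automatic. It assumes two things the article does not state: that an HREF track is identified by the name "HREFTrack" in its track user-data atom, and that its text samples use the `A<url> T<target>` syntax in which a leading A marks the URL as opened automatically. The sample movie is constructed inside the script, so it runs offline.

```python
import re
import struct

# Atom types that only hold other atoms; everything else is treated as a leaf.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}

# HREF-track text syntax (assumed from QuickTime's documented format, not stated in the article):
#   <url> T<target>     link followed only when the viewer clicks the movie
#   A<url> T<target>    "automatic" link, followed as soon as the sample is reached
HREF_RE = re.compile(rb"(A?)<([^<>\x00]{1,2048})>(?:\s*T<([^<>\x00]{1,64})>)?")


def iter_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:                      # 64-bit extended size follows the 8-byte header
            if pos + 16 > end:
                raise ValueError("truncated extended atom at offset %d" % pos)
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                    # atom extends to the end of the enclosing range
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("malformed atom at offset %d" % pos)
        yield atype, pos + header, pos + size
        pos += size


def walk_atoms(buf, start=0, end=None, path=()):
    """Depth-first walk yielding (tuple of atom types from the root, payload_start, payload_end)."""
    for atype, pstart, pend in iter_atoms(buf, start, end):
        here = path + (atype,)
        yield here, pstart, pend
        if atype in CONTAINER_ATOMS:
            yield from walk_atoms(buf, pstart, pend, here)


def scan_movie(buf):
    """Report HREF-named tracks and every URL directive found in the media data."""
    report = {"href_tracks": [], "links": []}
    for path, pstart, pend in walk_atoms(buf):
        if path[-3:] == (b"trak", b"udta", b"name"):
            # Track user-data name; HREF tracks are assumed to be named "HREFTrack".
            name = buf[pstart:pend].decode("utf-8", "replace").strip("\x00")
            if name == "HREFTrack":
                report["href_tracks"].append(name)
        elif path[-1] == b"mdat":
            for m in HREF_RE.finditer(buf, pstart, pend):
                url = m.group(2).decode("latin-1")
                target = m.group(3).decode("latin-1") if m.group(3) else None
                report["links"].append({
                    "automatic": m.group(1) == b"A",
                    "javascript": url.lower().startswith("javascript:"),
                    "url": url,
                    "target": target,
                })
    return report


def is_risky(report):
    """True when the movie opens a URL or runs script without a click, the behaviour the article warns about."""
    return any(link["automatic"] or link["javascript"] for link in report["links"])


def atom(kind, payload):
    """Serialise one atom: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def build_sample_movie():
    """Constructed sample, not a real capture: one HREF-named track and two text samples in mdat."""
    def text_sample(text):                 # QuickTime text samples: 16-bit length, then the text
        return struct.pack(">H", len(text)) + text
    auto = b"A<javascript:alert('constructed')> T<myself>"     # fires without user interaction
    manual = b"<http://example.invalid/trailer> T<_blank>"      # needs a click (example.invalid host)
    trak = atom(b"trak", atom(b"udta", atom(b"name", b"HREFTrack")))
    return (atom(b"ftyp", b"qt  " + b"\x00" * 4 + b"qt  ")
            + atom(b"moov", trak)
            + atom(b"mdat", text_sample(auto) + text_sample(manual)))


if __name__ == "__main__":
    report = scan_movie(build_sample_movie())
    for link in report["links"]:
        print("AUTO " if link["automatic"] else "click", link["url"], "->", link["target"])
    print("HREF tracks:", report["href_tracks"], "| risky:", is_risky(report))
```

Run against a real file by replacing `build_sample_movie()` with the bytes of the .mov in question; a report with an `automatic` or `javascript:` entry is the case where unchecking "Play movies automatically" in the QuickTime browser preferences matters, because the URL would otherwise load with no click at all.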
In theory, this flaw is platform-agnostic, but we haven't been able to find a test version of the exploit to evaluate on Mac OS X systems running Safari/Firefox.
We're watching for more details on this issue as they emerge, but for the time being, users should be wary of playing embedded QuickTime media on MySpace profiles, and avoid clicking on links in non-default profile navigation bars.
Also, open System Preferences and click on the "QuickTime" pane. Click on the "Browser" tab and uncheck the option to "Play movies automatically."
Feedback? Late-breakers@macfixit.com.
I have "play movie automatically" unchecked, but there needs to be a "Don't launch URLs or execute Java" button.
I throw away movies that do this; I have found no way to stop them from auto-launching and figured it could definitely be used as a great phishing feature: the idea that the movie would phone home whenever it is run.