Understanding the QuickTime/MySpace Phishing Threat
by , 7:55 AM EST, December 5th, 2006
Reports of phishing exploits on MySpace Web pages that host QuickTime files have reached fever pitch - unfortunately, most of those reports are slim on details. The potential threat is real, but understanding what it is can help you avoid accidentally giving up your personal information.
What It Is
The phishing threat on MySpace takes advantage of QuickTime's ability to automatically play Web page movies and open URLs. These features are used for legitimate purposes all the time, but they can also be used to redirect someone to an alternate Web page without their knowledge, or to run malicious JavaScript code.
In this case, that code is being used to trick users into giving up personal information: a phishing scam.
How It Works
Since this threat is being used on the MySpace social networking Web site, you first need to have a MySpace user profile of your own for it to affect you. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone else's MySpace page, JavaScript code can be added to your MySpace page that makes changes to your user profile.
The malicious QuickTime file can modify your MySpace page by adding links to fake MySpace pages that collect user names and passwords. The file can also copy itself to your account without any interaction on your part.
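As an added defensive example (not code from the original article), here is a small Python script that scans a saved copy of a profile page for the two symptoms the article describes: embedded QuickTime media, and links that are labelled as MySpace but actually point at another host, the pattern a fake login page would use. The sample HTML, the trusted-host list and all function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a profile fragment (not a real MySpace page): one
# QuickTime embed plus a "MySpace" link whose href points at another host.
SAMPLE_HTML = """<div class="profile">
<embed src="http://example.net/clip.mov" type="video/quicktime" autoplay="true">
<a href="http://myspace-login.example.org/index.html">Log in to MySpace</a>
<a href="http://www.myspace.com/home">Home</a>
</div>"""

TRUSTED_HOSTS = ("myspace.com",)  # assumption: the only legitimate login domain


def is_trusted(host):
    """True for myspace.com itself and its subdomains, not for look-alikes."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class ProfileScanner(HTMLParser):
    """Collects QuickTime embeds and MySpace-branded links that leave the site."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").lower()
        if tag in ("embed", "object") and (a.get("type") == "video/quicktime" or src.endswith(".mov")):
            self.findings.append(("quicktime_embed", a.get("src", "")))
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []  # start collecting anchor text

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            host = urlparse(self._href).hostname or ""
            if "myspace" in text.lower() and not is_trusted(host):
                self.findings.append(("offsite_myspace_link", self._href))
            self._href = None


def scan_profile(html):
    """Return (finding_type, url) pairs for a saved copy of a profile page."""
    p = ProfileScanner()
    p.feed(html)
    return p.findings
```

Running `scan_profile(SAMPLE_HTML)` reports the embedded movie and the off-site login link while leaving the genuine myspace.com link alone.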
What You Can Do
Avoid playing QuickTime movies and audio files on MySpace profile pages. Disabling QuickTime's auto-play feature is a good idea, too. Here's how:
- Choose Apple menu > System Preferences to launch System Preferences.
- Select the QuickTime Preferences Pane.
- Click the Browser tab.
- Uncheck Play movies automatically.
Figure: Disable QuickTime's auto-play feature.
Observer Comments
From the article:

> you first need to have a MySpace User Profile of your own. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone else's MySpace page, JavaScript code can be added to your MySpace page that makes changes to your user profile.

Is this the only way to be unknowingly redirected to an alternate Web page?

> Avoid playing QuickTime movies and audio files on MySpace profile pages

In other words, this wouldn't happen if I view the maliciously crafted QuickTime file while not logged in to MySpace, or if I wasn't a member of MySpace to begin with.

> Disabling QuickTime's auto-play feature is a good idea

If I have a website with QuickTime movies in it - and people disable this feature - will they still be able to view my movie?
> felixgardian wrote:
> Don't be an idiot, the public has a right to know about security flaws. You can not punish legit people because of tools.

Yeah I know, right? Those poor innocent security companies are just trying to make the World a better place. They certainly would never do anything (such as provide detailed instructions) that would cause such exploits to further spread. Such things would definitely not be in their best interests. They are only looking out for us, the common people.

Like if a scientist found some new deadly poison that was easy to make and was undetectable, he should take out a full page ad in the New York Times telling everyone how to make it. The public has a right to know! Guns don't kill people. They are just a tool.
> Biff wrote:
> Yeah I know, right? Those poor innocent security companies are just trying to make the World a better place. They certainly would never do anything (such as provide detailed instructions) that would cause such exploits to further spread. Such things would definitely not be in their best interests. They are only looking out for us, the common people.

So you would rather live in danger with your ignorance?
> felixgardian wrote:
> So you would rather live in danger with your ignorance?

To the comment below: No I wouldn't, but that still doesn't mean the details have to be made so explicit that others can set up more exploits.
Tue Dec 05, 2006 4:18 pm Subject: Re: So many articles...
> Anonymous wrote:
> on this site are regurgitated right from macfixit
Guest -
When we write articles that use information from other sources, whether that's the Wall Street Journal, New York Times, or macfixit.com, we always attribute the source. This article includes my own research, but if macfixit.com had information that I felt I needed to add, you can rest assured I would cite them accordingly.
The last time I recall regurgitating anything, I had a nasty case of the flu.
Jeff
> Guest wrote:
> To the comment below: No I wouldn't, but that still doesn't mean the details have to be made so explicit that others can set up more exploits.

I'm sure that all the script kiddies will get right on that one, like the huge gamut of problems the Mac has right now with security flaws being detailed publicly...
> felixgardian wrote:
> I'm sure that all the script kiddies will get right on that one, like the huge gamut of problems the Mac has right now with security flaws being detailed publicly...

Can you honestly say that making certain exploit details more explicit won't entice more nefarious actions by "script kiddies" or other unscrupulous parties?
You seem to be ignoring that there might be an increasing negative tendency towards a lack of discretion in security-related information being publicly disseminated, which is one of the points made in this article:
http://alastairs-place.net/2006/11/dmg-vulnerability/
Just because you or I may have the ability to understand and handle these issues in proper context doesn't mean everyone does.
> Guest wrote:
> Can you honestly say that making certain exploit details more explicit won't entice more nefarious actions by "script kiddies" or other unscrupulous parties?
> You seem to be ignoring that there might be an increasing negative tendency towards a lack of discretion in security-related information being publicly disseminated, which is one of the points made in this article:
> http://alastairs-place.net/2006/11/dmg-vulnerability/
> Just because you or I may have the ability to understand and handle these issues in proper context doesn't mean everyone does.

Wrong.
> felixgardian wrote:
> Because it points out your lack of understanding.

Care to be more specific, preferably without the condescending smugness? I thought my opinion was expressed clearly and sincerely, yet you've disagreed by responding with nothing more than "wrong" and accusing me of lack of understanding. Maybe I've misread your intention behind those glib remarks but they seemed disrespectfully distasteful to me. I'd hoped for a bit more civil, interactive discussion even if there's disagreement.
I suspect it is a reference to the historical lack of urgency in fixing security issues exhibited by software companies (Apple included... ping of death, anyone?). This can be due to internal infighting, or simple ostriching. While notifying the affected company first is good practice, putting them on notice that you will publicise the flaw after a set period of time tends to concentrate minds.
In any case, the moment any fix is released, the "Bad Guys" will be able to reverse-engineer it, and use that knowledge to attack unpatched systems.
Comments are currently closed. Please email the author instead.