Understanding the QuickTime/MySpace Phishing Threat
by , 7:55 AM EST, December 5th, 2006
Reports of phishing exploits on MySpace Web pages that host QuickTime files have reached a fever pitch - unfortunately, most of those reports are slim on details. The threat is real, but understanding how it works can help you avoid accidentally giving up your personal information.
What It Is
The phishing threat on MySpace takes advantage of two QuickTime features: the ability to play movies embedded in a Web page automatically, and the ability of a movie to open a URL on its own. Both features are used for legitimate purposes all the time, but a URL embedded in a movie can also point somewhere the viewer never intended, silently redirecting them to another Web page or, if it is a javascript: URL, running JavaScript in the context of the page that hosts the movie.
In this case, that JavaScript is being used to trick users into giving up personal information: a phishing scam.
How It Works
Since this threat lives on the MySpace social networking Web site, it only affects people who have a MySpace user profile of their own. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone else's MySpace page, the JavaScript the file runs executes with your logged-in session, so it can make changes to your own user profile.
The malicious QuickTime file can modify your MySpace page by adding links to fake MySpace login pages that collect user names and passwords. It can also copy itself to your profile without any interaction on your part.
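As an added example (this is not code from the article, from MySpace or from Apple), the following Python scanner shows what a crafted movie of this kind looks like on disk and how to spot it. It walks the QuickTime atom structure, finds the track that carries embedded URLs (the documented HREF-track convention: a text track named HREFTrack whose text samples read "<url>" or "A<url> T<target>", with the leading A meaning the URL is opened automatically during playback) and flags any URL whose scheme is javascript:. It assumes the standard atom layout and, as a simplification, one sample per chunk; the .mov bytes it inspects are constructed inline for the demonstration and carry a harmless alert() rather than any real payload.

```python
"""Scan a QuickTime movie for HREF-track links using the javascript: scheme.

Added example, not code from the article or from Apple. Assumes the standard
atom layout (32-bit big-endian size including the 8-byte header, 4-char type),
the HREF-track convention (text track named "HREFTrack", samples of the form
"A<url> T<target>") and one sample per chunk (a full reader would also walk
stsc). The .mov inspected below is constructed for the example.
"""
import re
import struct

HREF_RE = re.compile(rb"^(A?)\s*<([^>]*)>(?:\s*T<([^>]*)>)?")


def atom(kind, payload):
    """Serialise one atom (only used to build the demo file)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def atoms(data):
    """Yield (type, payload) for each atom directly inside data."""
    pos = 0
    while pos + 8 <= len(data):
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                       # 64-bit extended size follows
            (size,) = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif size == 0:                     # atom runs to the end of data
            size = len(data) - pos
        if size < header or pos + size > len(data):
            raise ValueError(f"malformed atom {kind!r} at offset {pos}")
        yield kind, data[pos + header:pos + size]
        pos += size


def find(payload, *path):
    """Descend through container atoms along path; None if a step is missing."""
    for kind in path:
        payload = next((p for k, p in atoms(payload) if k == kind), None)
        if payload is None:
            return None
    return payload


def track_name(trak):
    name = find(trak, b"udta", b"name")
    return None if name is None else name.decode("mac_roman", "replace")


def track_samples(file_data, trak):
    """Raw sample bytes of a track via stsz sizes and stco chunk offsets."""
    stsz = find(trak, b"mdia", b"minf", b"stbl", b"stsz")
    stco = find(trak, b"mdia", b"minf", b"stbl", b"stco")
    if stsz is None or stco is None:
        return []
    fixed, count = struct.unpack(">II", stsz[4:12])      # skip version/flags
    sizes = [fixed] * count if fixed else struct.unpack(f">{count}I", stsz[12:12 + 4 * count])
    (n_chunks,) = struct.unpack(">I", stco[4:8])
    offsets = struct.unpack(f">{n_chunks}I", stco[8:8 + 4 * n_chunks])
    return [file_data[off:off + size] for off, size in zip(offsets, sizes)]


def parse_href_sample(sample):
    """A text sample is a 16-bit length followed by the text; decode HREF syntax."""
    if len(sample) < 2:
        return None
    (length,) = struct.unpack(">H", sample[:2])
    match = HREF_RE.match(sample[2:2 + length].strip())
    if not match:
        return None
    auto, url, target = match.groups()
    return {"auto": auto == b"A", "url": url.decode("ascii", "replace"),
            "target": (target or b"").decode("ascii", "replace")}


def scan_href_tracks(file_data):
    """List every HREF-track link with its URL scheme and auto-load flag."""
    hits = []
    moov = find(file_data, b"moov")
    if moov is None:
        return hits
    for kind, trak in atoms(moov):
        if kind != b"trak" or track_name(trak) != "HREFTrack":
            continue
        for index, sample in enumerate(track_samples(file_data, trak)):
            link = parse_href_sample(sample)
            if link:
                link["sample"] = index
                link["scheme"] = link["url"].split(":", 1)[0].lower()
                hits.append(link)
    return hits


def javascript_hrefs(file_data):
    """Links that would run script in the page embedding the movie."""
    return [h for h in scan_href_tracks(file_data) if h["scheme"] == "javascript"]


def build_demo_movie():
    """Constructed .mov: an HREF track with one benign and one javascript: link."""
    texts = [b"A<http://www.example.com/> T<myself>",      # ordinary auto-load link
             b"A<javascript:alert('demo')> T<myself>"]     # harmless stand-in payload
    samples = [struct.pack(">H", len(t)) + t for t in texts]
    mdat = atom(b"mdat", b"".join(samples))                 # first atom: data at offset 8
    offsets, pos = [], 8
    for s in samples:
        offsets.append(pos)
        pos += len(s)
    n = len(samples)
    stsz = atom(b"stsz", struct.pack(f">III{n}I", 0, 0, n, *map(len, samples)))
    stco = atom(b"stco", struct.pack(f">II{n}I", 0, n, *offsets))
    href_trak = atom(b"trak", atom(b"udta", atom(b"name", b"HREFTrack"))
                     + atom(b"mdia", atom(b"minf", atom(b"stbl", stsz + stco))))
    other_trak = atom(b"trak", atom(b"udta", atom(b"name", b"Video Track")))  # ignored
    return mdat + atom(b"moov", href_trak + other_trak)


if __name__ == "__main__":
    for hit in scan_href_tracks(build_demo_movie()):
        verdict = "SUSPICIOUS" if hit["scheme"] == "javascript" else "ok"
        print(f"sample {hit['sample']}: auto={hit['auto']} {hit['url']} -> {verdict}")
```

Running the script reports the http link as ok and the javascript: link as suspicious. Note that the scanner only looks at HREF tracks; it does not inspect the JavaScript itself, so a hit tells you the movie will execute script in the hosting page, not what that script does.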
What You Can Do
Avoid playing QuickTime movies and audio files on MySpace profile pages. Disabling QuickTime's auto-play feature is a good idea, too, but keep in mind that it only stops movies from starting on their own: a movie you click to play can still open whatever URL is embedded in it. Here's how:
- Choose Apple menu > System Preferences to launch System Preferences.
- Select the QuickTime Preferences Pane.
- Click the Browser tab.
- Uncheck Play movies automatically.
[Image: Disable QuickTime's auto-play feature.]
Observer Comments
From the article:
Quote: you first need to have a MySpace User Profile of your own. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone else's MySpace page, JavaScript code can be added to your MySpace page that makes changes to your user profile.
Is this the only way to be unknowingly redirected to an alternate Web page?
Quote: Avoid playing QuickTime movies and audio files on MySpace profile pages
In other words, this wouldn't happen if I view the maliciously crafted QuickTime file while not logged in to MySpace, or if I wasn't a member of MySpace to begin with.
Quote: Disabling QuickTime's auto-play feature is a good idea
If I have a website with QuickTime movies in it - and people disable this feature - will they still be able to view my movie?
Biff wrote:
Quote: felixgardian wrote: Don't be an idiot, the public has a right to know about security flaws. You can not punish legit people because of tools.
Yeah I know, right? Those poor innocent security companies are just trying to make the World a better place. They certainly would never do anything (such as provide detailed instructions) that would cause such exploits to further spread. Such things would definitely not be in their best interests. They are only looking out for us, the common people.
Like if a scientist found some new deadly poison that was easy to make and was undetectable, he should take out a full page ad in the New York Times telling everyone how to make it. The public has a right to know! Guns don't kill people. They are just a tool.
felixgardian wrote:
So you would rather live in danger with your ignorance?
Tue Dec 05, 2006 4:18 pm Subject: Re: So many articles...
Quote: Anonymous wrote: on this site are regurgitated right from macfixit
Guest -
When we write articles that use information from other sources, whether that's the Wall Street Journal, New York Times, or macfixit.com, we always attribute the source. This article includes my own research, but if macfixit.com had information that I felt I needed to add, you can rest assured I would cite them accordingly.
The last time I recall regurgitating anything, I had a nasty case of the flu.
Jeff
felixgardian wrote:
I'm sure that all the script kiddies will get right on that one, like the huge gamut of problems the Mac has right now with security flaws being detailed publicly...
Guest wrote:
To the comment below: No I wouldn't, but that still doesn't mean the details have to be made so explicit that others can set up more exploits.
Quote: felixgardian wrote: So you would rather live in danger with your ignorance?
Wrong.
Guest wrote:
Quote: felixgardian wrote: I'm sure that all the script kiddies will get right on that one, like the huge gamut of problems the Mac has right now with security flaws being detailed publicly...
Can you honestly say that making certain exploit details more explicit won't entice more nefarious actions by "script kiddies" or other unscrupulous parties?
You seem to be ignoring that there might be an increasing negative tendency towards a lack of discretion in security-related information being publicly disseminated, which is one of the points made in this article:
http://alastairs-place.net/2006/11/dmg-vulnerability/
Just because you or I may have the ability to understand and handle these issues in proper context doesn't mean everyone does.
I suspect it is a reference to the historical lack of urgency in fixing security issues exhibited by software companies (Apple included... ping of death, anyone?). This can be due to internal infighting, or simple ostriching. While notifying the affected company first is good practice, putting them on notice that you will publicise the flaw after a set period of time tends to concentrate minds.
In any case, the moment any fix is released, the "Bad Guys" will be able to reverse-engineer it, and use that knowledge to attack unpatched systems.