Roger Thompson of a company called Exploit Prevention Labs has posted a video (above) explaining how Alicia Keys’ MySpace page was hacked, although not in the sense that anybody gained actual control over the page.
Rather, someone managed to get a link onto the page that became activated no matter where the user clicked. Users who tried to play any of the multimedia embeds on the page were redirected to a Chinese website that prompted them to install an ActiveX component. Since this ActiveX component appeared to be from the Alicia Keys page and necessary to play the multimedia, many users were prone to confirming the installation, thereby compromising their computers’ security.
Thompson notes that MySpace pages are particularly prone to such exploits because their complexity can lead to user confusion. Since this video has been published by a company that sells software to prevent such exploits, I’m a bit wary to believe his suggestion that such attacks are on the rise (although they very well could be). In any case, it serves as a good reminder to all of us never to install software, ActiveX or not, from untrusted websites, among which you should count MySpace and other social networks.
This is not the first time we’ve seen MySpace pages messed with in ways that border on hacking. Last March John McCain found his MySpace page inadvertently promoting a position he had not officially taken.









fyi, i wrote about the hack as well (click my name) – what’s amazing about it is that it uses simple html and css positioning – no script code required. Pretty scary stuff.
SUX SUX
Yeah and OpenSocial is VERY Open — see my blog for more:
http://www.ryanmerket.com/blog
Open is good … not an excuse for not secure.
Yes I agree
I hate MySpace, though they have been doing a decent job recently – though just catching up with Facebook. McCain wasn’t a hack at all, he was leeching someone else’s image.
Yes, McCain’s wasn’t a hack. Mike Davidson just changed the image that McCain was leeching. That’s not a hack at all.
So what
by the way – stern. Stop being a TC groupie.
This is what happens when you adopt music as a mainstream factor in a social platform. Reason why never happens to Facebook..
Oh no, not Alicia Keys!
I sent a message to the Alicia Keys profile back in September about this hoping whoever ran the profile would take care of it, but I doubt they ever read it.
Not our fault!
Blame the clever hackers!
Macs use active-x too!
I love Alicia!
A patch is already on the way!
http://fakestev...er.blogspot.com
Yawn. Why is this a story?
P.S. This technique has been in use on many MySpace pages for some time. The Alicia Keys page has been compromised. It’s a link designed with an invisible gif background with an excessive height parameter in its styling definition. Because styling has been disabled from profile comments, it can only be procured within the profile itself (which is why I say the Alicia Keys account really was hacked into). I’ve seen it done with many different follow URLs for some time now. It’s been used before to direct users to fake MySpace login URLs. At one point this same technique of styling was used to create MySpace phishing login pages directly in profiles. I do my part and report the pages to MySpace or send a message to the user him/herself.
The technique is simple and effective (abs-positioned link with a large width/height, high z-index and so on) – more interesting/disturbing is how someone managed to get that code into that profile page.
High-profile sites are popular targets for XSS-type hacks given the traffic and user base they attract. I’ve also heard of shady hosts injecting iframes loading exploit code on some sites – quite sketchy.
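The overlay described in the comments above (an absolutely positioned link with a large width/height and a high z-index) can be screened for when profile markup is submitted. The following is an added example, not part of any comment or of MySpace's code; it inspects inline styles only, and the thresholds, function names and sample markup are assumptions.

```python
import re
from html.parser import HTMLParser

# Thresholds are assumptions for illustration, not values from the page.
MAX_DIM_PX, MAX_Z_INDEX = 600, 100

def parse_style(style):
    """Parse an inline style string into a lowercased {property: value} dict."""
    pairs = (p.split(":", 1) for p in style.split(";") if ":" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def _number(value):
    m = re.match(r"-?\d+(?:\.\d+)?", value or "")
    return float(m.group()) if m else 0.0

def overlay_reasons(style):
    """List the signs that an inline style makes a click-capturing overlay."""
    d = parse_style(style)
    reasons = ["positioned"] if d.get("position") in ("absolute", "fixed") else []
    for prop in ("width", "height"):
        v = d.get(prop, "")
        n = _number(v)
        if (v.endswith("%") and n >= 100) or (v.endswith("px") and n > MAX_DIM_PX):
            reasons.append("large " + prop)
    if _number(d.get("z-index")) > MAX_Z_INDEX:
        reasons.append("high z-index")
    return reasons

def find_overlay_links(html):
    findings = []  # (href, reasons) for each suspicious <a>
    class Finder(HTMLParser):
        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            reasons = overlay_reasons(a.get("style") or "")
            # Flag links that are positioned AND oversized or stacked on top.
            if tag == "a" and a.get("href") and "positioned" in reasons and len(reasons) > 1:
                findings.append((a["href"], reasons))
    Finder().feed(html)
    return findings

# Constructed sample profile markup (not taken from the real page).
SAMPLE = """
<a href="http://example.test/tour">Tour dates</a>
<a href="http://example.test/codec" style="position:absolute;width:100%;height:5000px;z-index:9999"></a>
<a href="http://example.test/badge" style="position:absolute; width:80px; height:20px">x</a>
"""

if __name__ == "__main__":
    for href, why in find_overlay_links(SAMPLE):
        print(href, why)
```

Styles applied through `<style>` blocks or class names are not covered by this check; a sanitizer that strips positioning properties from user-supplied markup closes that gap more reliably than detection.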
It was earlier Google OpenSocial, now it is MySpace; the hackers are getting smarter these days.
I’d love to get my chance to hack at Alicia!
http://fakestev...er.blogspot.com
so what
Think that’s bad? I know forums where malicious hijackers can, with next to no work, shamelessly plug their own worthless blogs without contributing to the content of the thread! No ActiveX even required!
Maybe the hacker had just recently fallin in and out of love with Alicia Keys.
…get it?
Brian Wilson, Zolve.com
Looks like myspace fixed it. Cool.
This is not just an Alicia Keys problem. It just happens to be the only one getting a lot of press right now. Chris Boyd, better known as Paperghost, brought this to light Oct 31. I know of another artist, Shannon Haley, who has had her page hacked 2 times since early October. She is an up-and-coming artist and had over 69,000 friends on her site before she was hacked. MySpace “fixed-it” just today, however she only has 263 friends now. She is competing on FameCast and lost her complete MySpace fan list. Makes it rough for the artist that does not have the same pull with MySpace as Alicia Keys. The hackers are running wild on MySpace and it appears that MySpace could care less. That is, unless you’re a top name artist.
Go to my blog and take a look at another example of a Spam/Hack/Scam on MySpace that even has their logo and picture of Tom. I have reported over 100+ of these but only a few have been removed. Can’t even get a response from MySpace.
Fred Mitchell
http://deltamus...ve.blogspot.com