Rosario Valotta sent us an interesting article about his discovery on MySpace. MySpace has launched a mobile version of its portal that lets visitors do pretty much everything, including editing their profile. However, this version does the exact opposite of the main portal: it filters output (when printing profile content), while the main portal filters input (when inserting or modifying profile entries). This allows anybody to insert arbitrary JavaScript/HTML into their profile through the mobile site and "own" users who view that profile on the main portal!
What is worse is that when they *fix* the problem by filtering the inputs on the mobile portal, it will not change the profiles that already contain JavaScript/HTML entries, just as happened with other XSS holes in the past! This vulnerability cannot be used to propagate a worm, since the mobile portal uses only its own authentication process, but it can still be exploited to steal cookies/accounts, or for phishing attacks...
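To make the input-filter versus output-filter point concrete, here is a toy model of the two write paths and two read paths described above. This is an added example, not code from the article or from MySpace; the function names, the naive tag-stripping "input filter", and the sample profile text are all constructed for illustration. It shows why an entry stored through the unfiltered path stays live on the raw-printing portal even after input filtering is added, and why escaping at output time neutralises old and new entries alike.

```python
import html
import re

# Constructed sample profile text, not real MySpace data.
HOSTILE_ENTRY = 'About me: <script>alert("xss")</script> <b>fan of music</b>'

# Stand-in for the input filter the main portal is said to apply on write.
# Naive tag stripping is used only to model the behaviour; it is not a
# recommended sanitizer.
TAG_RE = re.compile(r"<[^>]*>")


def input_filter(text: str) -> str:
    """Strip anything that looks like a tag before the value is stored."""
    return TAG_RE.sub("", text)


def store_via_main(profiles: dict, user: str, text: str) -> None:
    """Main portal write path: filters on input, stores the cleaned value."""
    profiles[user] = input_filter(text)


def store_via_mobile(profiles: dict, user: str, text: str) -> None:
    """Mobile portal write path as described: no input filtering at all."""
    profiles[user] = text


def render_main(profiles: dict, user: str) -> str:
    """Main portal read path: trusts the stored value and prints it raw."""
    return f'<div class="profile">{profiles[user]}</div>'


def render_mobile(profiles: dict, user: str) -> str:
    """Mobile portal read path: escapes on output, so stored markup is inert."""
    return f'<div class="profile">{html.escape(profiles[user])}</div>'


def render_main_hardened(profiles: dict, user: str) -> str:
    """The fix that actually helps: escape at output on the main portal too."""
    return f'<div class="profile">{html.escape(profiles[user])}</div>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used by the demo: does the rendered page contain a live script tag?"""
    return "<script" in rendered.lower()


def demo() -> dict:
    """Walk through the three states described in the article and report which views are live."""
    profiles = {}
    # 1. Content written through the mobile site (no input filter)...
    store_via_mobile(profiles, "alice", HOSTILE_ENTRY)
    # ...is inert on the mobile site but live on the main portal.
    before = {
        "mobile_view": contains_active_markup(render_mobile(profiles, "alice")),
        "main_view": contains_active_markup(render_main(profiles, "alice")),
    }
    # 2. "Fix" by adding the input filter to the mobile write path (modelled here
    #    by store_via_main). New writes are cleaned; alice's stored entry is untouched.
    store_via_main(profiles, "bob", HOSTILE_ENTRY)
    after_input_fix = {
        "new_entry_main_view": contains_active_markup(render_main(profiles, "bob")),
        "old_entry_main_view": contains_active_markup(render_main(profiles, "alice")),
    }
    # 3. Output encoding on the main portal neutralises the old entry without
    #    needing to rewrite what is already in the database.
    after_output_fix = {
        "old_entry_main_view": contains_active_markup(render_main_hardened(profiles, "alice")),
    }
    return {"before": before, "after_input_fix": after_input_fix, "after_output_fix": after_output_fix}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Running `demo()` shows the asymmetry: the entry is dead on the mobile view and live on the main view, adding the input filter only protects new writes, and only output escaping on the main portal makes the already-stored entry inert. The practical lesson for defenders is that output encoding at the point of rendering is the control that does not depend on every write path having been filtered correctly.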