Advertisements hit by a Permanent XSS

Written by KF

Wednesday, 28 January 2009

Note 02/02/09: TrainReq (Josh Holly) reportedly discovered first the vulnerability, in the film profiles.

Daniel Lo Nigro has discovered a trick to bypass the Myspace filters and insert a script on a Myspace band profile. Myspace prevents <script> from behing written in a band website URL but strips out "http://" from it, it can therefore be exploited this way:

URL:<scrihttp://pt src=//>

Or have a look at Daniel's harmless example:

Daniel says he alerted Myspace but that they never answered him.

Here is the mirror of the XSS:

This XSS could be exploited to spread a worm, steal myspace accounts..

In the past Myspace was hit by a number of security issues, including the "Samy" XSS worm.

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.