Network News

X My Profile
View More Activity

MySpace Attacked by Flash Worm

A number of personal pages on the social networking site were attacked over the weekend using a security flaw in Macromedia Flash -- a flaw that Adobe released a patch to fix just last week. The worm spreads each time a MySpace user visits an infected user-profile page.

MySpace sent out a notice to all of its users late yesterday, saying the worm only appears to have affected people with vulnerable Flash players. Last week, Security Fix urged readers to upgrade their players to v. 9.0, noting that Adobe had fixed a flaw which could let bad guys hijack your browser if you were to merely browse a Web site that exploits the vulnerability. The Adobe update fixes the vulnerability in The patch fixes the vulnerability Internet Explorer, Firefox, Netscape and Opera.

From the bulletin:

"Latest Update: 05:15PM PST, Monday, July 17th. hey folks - we are moving myspace music players and video players to flash 9.0. flash 9 has security fixes so that people can't mess with you on myspace. if your 'about me' got screwed up this weekend, you could have been safe if you had flash 9 installed. here's an easy way to install it, go watch this dashboard video i posted last week. if you don't like dashboard, just watch any video in our video section, and you'll be prompted to install flash 9."

Bloggers at had warned on Sunday that the attack was under way, saying a social-networking worm was altering users' "About Me" pages to redirect visitors to a Web site blaming the United States for the attacks of Sept. 11, 2001.

The MySpace bulletin doesn't say what else users should do besides upgrade Flash. gives instructions for removing the worm cod: "Visit your Myspace homepage, click on edit profile, remove the lines below from your About Me section (I added some letters to the code so it won't work here, but you shouldn't have any trouble recognizing it on your own pages):

fembed ffallowscriptaccess="fnever" src=

This isn't the first time security flaws have been targeted to manipulate MySpace pages. Last fall, a teenager going by the name "Samy" used Javascript vulnerabilities in MySpace to add his profile to the "friends" listings of more than a million user pages before administrators closed the hole.

This latest attack won't be the last, either. Over the past few days, I've been communicating with a group of dedicated and talented hackers who are plotting all kinds of mischievous tricks against social networking sites via security weaknesses. Stay tuned.

By Brian Krebs  |  July 18, 2006; 9:19 AM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: EBay Fixes Serious Security Hole in Picture Tool
Next: Hacked Ad Seen on MySpace Served Spyware to a Million

No comments have been posted to this entry.

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company