MySpace Flash Virus Spreading like Wildfire

I posted the following as a bulletin on MySpace, but I figured it might be best to post here too (for the good of Google). More people need to know about this. Also, here’s a link to my MySpace.

Several important things before the explanation:
1) I didn’t post the “Fuck all ya’ll niggas” post
2) I didn’t post the “Get free laptops” or whatever post
3) If you viewed the former, you should look at the bulletins “you’ve posted”

If you actually know me, you probably know I didn’t post either. It appears what happened is that there is a flash “virus” going around via bulletins.

Normally stupid people are fooled into clicking on “surveys” or whatever like “Do you think Bush is a good leader?” In actuality, when you click on those, the click submits a form to MySpace’s servers. Since the people who made those forms are too stupid to verify the referrer, that tricks people into having bulletins posted as them. I was actually laughing about this phenomenon with people at lunch on the Friday before last.

However, I specifically remember looking at Chele’s “18 and older pics” bulletin that I now realize she probably didn’t actually post. I use Firefox and the Adblock Plus extension, so I see an Adblock tab on all flash applets. One showed and I specifically remember clicking on it and seeing an offsite, invisible flash applet that was titled bob.swf.

It didn’t do anything, so I figured it was a failed slideshow or something she tried to post. Apparently that must have “infected” me. When Flash runs inside the browser, it runs inside the context of the currently logged on user… in this case, me. It also has all the rights and privileges of the logged on user, including posting bulletins. Since it can read the current URL, it can also get the “token” and cookies that are used to identify a user on MySpace.
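The two explanations above (cross-site forms that the server accepts because nobody verifies the referrer, and embedded content that rides on the logged-in user’s cookie) boil down to the same server-side defect. This added example, which is not MySpace code or anything from the original post, models a hypothetical bulletin-posting endpoint with the referrer check the post asks for plus a session-bound token kept out of the page URL; the hostname, session ids and sample requests are all constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import hmac
import secrets

# Constructed, hypothetical model of a bulletin-posting endpoint (not MySpace code).
SITE_HOST = "www.example-social.test"  # assumption: the site's own hostname
@dataclass
class Session:
    user: str
    # Anti-CSRF token bound to the login session and emitted only in the site's own
    # post form, never in the page URL (the post notes embedded Flash can read the URL).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

def referer_is_same_site(headers: dict) -> bool:
    """The check the post asks for: accept only posts whose Referer is our own host."""
    ref = headers.get("Referer")
    return bool(ref) and urlparse(ref).hostname == SITE_HOST  # missing Referer fails closed

def accept_bulletin(cookies: dict, headers: dict, form: dict, sessions: dict) -> tuple:
    """Return (accepted, reason). The browser attaches the victim's cookie to any
    cross-site submission, so the cookie alone must never authorise a post."""
    sess = sessions.get(cookies.get("sid", ""))
    if sess is None:
        return False, "no session"
    if not referer_is_same_site(headers):
        return False, "cross-site referer"
    if not hmac.compare_digest(form.get("csrf_token", ""), sess.csrf_token):
        return False, "missing or bad csrf token"
    return True, f"posted as {sess.user}"

# Constructed sample traffic: Alice is logged in; every request carries her cookie.
SESSIONS = {"abc123": Session(user="alice")}
ALICE = {"sid": "abc123"}

def legit_post():
    return accept_bulletin(ALICE, {"Referer": f"http://{SITE_HOST}/bulletin/post"},
                           {"body": "hello", "csrf_token": SESSIONS["abc123"].csrf_token}, SESSIONS)

def survey_trick_post():
    # The "survey" click: a form on another site submitting to us with Alice's cookie.
    return accept_bulletin(ALICE, {"Referer": "http://survey.example.test/poll"},
                           {"body": "Get free laptops"}, SESSIONS)

def embedded_applet_post():
    # An offsite applet embedded in our page, assumed here to pass the Referer check;
    # it still holds no form token, so the post is refused.
    return accept_bulletin(ALICE, {"Referer": f"http://{SITE_HOST}/bulletin/view?id=1"},
                           {"body": "spam"}, SESSIONS)
```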

So, while I was looking at a page that was seemingly doing nothing, there was a Flash applet posting as me on MySpace. So now I have no idea what has been sent because it could have just as easily deleted messages from my outbox after sending them.

Again, this is not my fault, since I just viewed a bulletin, but I thought it might be advisable for anyone using Firefox and Adblock to block: http://*/bob.swf

That file name can (and probably will) change, but MySpace needs to stop Flash from loading in bulletins or actually implement some kind of captcha or something for posting.

If you aren’t technical enough to understand all of what I just posted, you’re probably one of the people who posts bulletins unknowingly because you want a “friends tracker” or something, so it’s not like it changes your life anyway. This is an interesting attack vector, though.

So, if you use Internet Explorer, you’re screwed. You’re going to be posting bulletins that you don’t want to post. If you use Firefox, do what I’m about to do and install the Flashblock extension. It requires you to click on a flash animation to start it. This will prevent the automatic infections (unless you click on it).

I hope this helps someone else.


I hope that clears some things up and I hope that it helps some other people as well who may be less technically inclined. Much to my chagrin, many things have been going out as me, including racist posts, thanks to a combination of MySpace insecurity and Macromedia Flash.

