Archive for the ‘Worms’ Category

Hot or Not Revamped: Script Kiddies and Spammers Paradise

May 2nd, 2007 21 comments

Jim and James over at HotOrNot.com just made some major changes…

Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)

We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!

The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.

After giving myself a two-minute self-tour, this is what I discovered and was able to do:

The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.

Categories: Code, Hacking, Spam, Worms

MySpace Still Plagued By QuickTime Worms After Botched Up Patch Attempt

January 8th, 2007 1 comment

For the love of strippers and one dollar bills, you would think that the QuickTime mess over at MySpace would be over by now. Well, it’s not. Here we are with a new QuickTime worm over 30 days after MySpace and Apple completely botched up their security patch effort which resulted in a goofy blame game and MySpace Tom getting Pwned. About the only thing it didn’t result in was a patch that actually worked. The kicker about this “new” worm is that it’s anything but new. It’s using the exact same JavaScript from the last worm.

How do you know it’s the same JavaScript???
Because it still has comments in the code made by Billy Hoffman of SPI Dynamics from when he posted it.

Meaning exactly what?
The lamer behind this worm swiped the code from a site whose purpose in posting it was to “learn more about these types of worms and help other online applications and communities protect themselves”. In all fairness to Billy Hoffman and crew: they didn’t even post the code until after MySpace had supposedly patched the issue.

To add even more unoriginality to this worm, it added some text to everyone’s Hero section who got infected:

Nathan is Lame

Sorry Nathan, but you ain’t no Samy. Adding a couple snippets of code and removing a few from someone else’s scripting doesn’t make you a super hacker genius. It does make MySpace look like total retards though. lolz

As of right now, this worm has been neutralized by MySpace. They added the current URL the files are sitting on to their filter list (crosssiterequest.somee.com). Of course they had just finished getting all those files pulled from a free 110mb.com hosting account. So, this kid will likely just keep jumping from free host to free host with this crap.

“MySpace Still Plagued By QuickTime Worms”
Yeah, I put that “s” in the title of this post on purpose. This isn’t the first “new” worm I’ve noticed on MySpace. They had one going around that added “Anthony G is my Hero” with the “G” linked to a MySpace profile. And, another one that was/is changing people’s display names. And, and, and… I haven’t been on MySpace much lately, but I’m sure there have been others.

Categories: Marketing, MySpace, Worms

Myspace Tom Pwned While Trying to Blame Apple

December 10th, 2006 4 comments

A few weeks back I posted this blog entry predicting that QuickTime embeds would be used for upcoming MySpace worms and other evilness. Sure enough, ten days later I broke the story of the latest worm to hit MySpace. After my buddy PaperGhost wrote about it on his personal and company blogs it exploded all over the interwebz.

The cleanup process has been laughable at best so far. Brian Krebs over at the Washington Post slammed Apple and MySpace for the “yes, we is be retarded” move of having MySpace distribute a patch for QuickTime. And, MySpace has been playing the blame game by insinuating that Apple is at fault for the worm.

Categories: MySpace, Worms, Zango

MySpace Worm: Phishing Accounts and Spreading Zango Porn

November 30th, 2006 71 comments

Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.
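The three tells described above (a QuickTime embed dropped into a profile field, user CSS positioned over the site chrome, and links labelled like the real navigation but pointing off-site) are exactly what a profile-content scanner should flag. The scanner below is an added example, not code from the original post or from MySpace; the trusted host, the sample profile fields and the finding names are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Labels of the real top navigation the post says the fake links imitated.
NAV_LABELS = {"home", "browse", "search", "invite"}
# Hypothetical host of the site whose user profiles are being scanned.
TRUSTED_HOST = "myspace.com"

class ProfileScanner(HTMLParser):
    """Collects findings from user-supplied profile HTML: QuickTime embeds,
    overlay-style positioning, and navigation-lookalike links going off-site."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._pending_href = None   # href of the <a> currently open, if any
        self._text = []             # text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("embed", "object"):
            src = (a.get("src") or a.get("data") or "").lower()
            if "quicktime" in (a.get("type") or "").lower() or src.endswith((".mov", ".qt")):
                self.findings.append(("quicktime_embed", src))
        style = (a.get("style") or "").lower()
        if re.search(r"position\s*:\s*(absolute|fixed)", style):
            self.findings.append(("overlay_css", style))
        if tag == "a":
            self._pending_href, self._text = (a.get("href") or ""), []

    def handle_data(self, data):
        if self._pending_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._pending_href is not None:
            label = "".join(self._text).strip().lower()
            u = urlparse(self._pending_href)
            # Relative links and links to the trusted host are fine; anything else
            # wearing a real nav label is treated as a phishing lookalike.
            same_site = u.scheme in ("", "http", "https") and (
                u.hostname is None or u.hostname == TRUSTED_HOST
                or u.hostname.endswith("." + TRUSTED_HOST))
            if label in NAV_LABELS and not same_site:
                self.findings.append(("fake_nav_link", self._pending_href))
            self._pending_href = None

def scan_profile_field(html):
    """Return a list of (finding, detail) tuples for one profile field."""
    scanner = ProfileScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample fields modelled on the attack described in the post.
SAMPLE_ABOUT_ME = ('<div style="position:absolute; top:0; left:0; background:#fff">'
                   '<a href="http://myspace-login.example/">Home</a> | '
                   '<a href="http://myspace-login.example/">Browse</a></div>')
SAMPLE_INTERESTS = '<embed src="http://host.example/clip.mov" type="video/quicktime">'
CLEAN_FIELD = '<a href="/home">Home</a> <b>I like music</b>'
```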

Categories: Adware, Code, Hacking, MySpace, Phishing, Worms, Zango