MySpace evicts hacker after he exposes security weakness
By Ruben Francia
MySpace has removed the profile of a hacker who discovered a way of hacking other users’ MySpace accounts.
Rick Deacon is a US college student who discovered a way of hijacking other MySpace users’ profiles. After he shared his discovery with computer hackers at Defcon, he found his profile had been removed from the social-networking site. He received an email from MySpace telling him his account was deleted for violating the site’s terms of service.
“Obviously they weren’t happy about it,” Deacon told AFP.
Deacon’s attack exploits a “cross-site scripting” vulnerability, which involves injecting code into someone else’s Web page; the injected code can be used as a springboard for more attacks or to infect users’ computers with viruses.
However, Deacon’s method relies on duping MySpace users into clicking on rigged links, which allows him to take control of their profiles.
Deacon said that this kind of security hole is very common among websites that use cookies, which makes Facebook and Google vulnerable to the same kind of attack.
MySpace declined to provide a comment about the hacker’s presentation, but said “it’s our responsibility to have the most responsive, solely dedicated 24/7 safety and security team, and we do.”
The weakness has now been patched by MySpace.
Since the incident, Deacon has created a new MySpace account, and he plans not to use it to look for new ways to hack MySpace.
