
MySpace blames Apple and QuickTime for hacked accounts

A malicious QuickTime movie made the rounds across MySpace profiles last weekend, altering user profiles and changing links on their pages to redirect to phishing websites crafted to look like MySpace logins. The movie, CNET reports, actually capitalized on a MySpace flaw and QuickTime's legitimate support for JavaScript to craft what has been dubbed the Quickspace attack. It is also worth noting that while this movie could infect users who simply viewed a compromised page, the attack (as far as we know) only works on IE and Firefox in Windows (in other words: if you're on a Mac, you can resume your regularly scheduled MySpace obsession).

Yesterday, MySpace's chief security officer Hemanshu Nigam contacted Apple to request a fix to plug the hole, even though it was a flaw in MySpace in combination with a legit feature of QuickTime that caused all the damage. Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles.

On a side note: what exactly does one gain from harvesting MySpace account logins? Wouldn't, oh, say, credit card numbers be a little more productive? I know there are a lot of kids out there who bank on whether they're in some people's top 8 spaces, but I'm still having a hard time seeing how or why phishers would deal in the same currency.

Thanks Daniel