Black Hat goes social networking!
Deacon said the flaw he discovered requires that a user click on a link that leads to a Web page where the computer's "cookie" information is stolen. Deacon said he discovered the problem several months ago along with several other researchers and alerted MySpace, but the company didn't fix the problem.
"Facebook and MySpace both patch things that they find, but it's like a sandbox," Deacon said. "There's so much. And there are probably hundreds more cross-site scripting vulnerabilities there. There's no way they can find them all."
A MySpace spokeswoman declined to comment specifically about Deacon's presentation. The company said in a statement that "it's our responsibility to have the most responsive, solely dedicated 24-7 safety and security team, and we do."
In a separate demonstration, Robert Graham, chief executive of Atlanta-based Errata Security, showed a program for snooping on the computers on public wireless networks to steal the "cookie" information and hijack e-mail accounts and personal Web pages on social networks.
In his Black Hat presentation, he took over the e-mail account of an audience member using Google Inc.'s Gmail service. Graham said his program demonstrates the vulnerability of public wireless connections.
"Everyone has gotten into their minds that passwords over WiFi are toxic, so let's fix that, and they have," Graham said. "What I'm saying is that everything else is just as toxic."
Graham's demonstration would not have worked if the audience member had been using the encrypted version of Gmail. Google declined to comment specifically on the presentation but said the company is expanding its capacity to enable automatic encryption for all Gmail users.
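Both demonstrations come down to a session cookie reaching someone other than the user: through a cross-site scripting bug in Deacon's case, over a plaintext wireless connection in Graham's. The defender-side check for each is a cookie attribute: HttpOnly keeps the cookie out of reach of injected script, and Secure (together with serving the site over TLS, the "encrypted version" the article refers to) keeps it off the wire in the clear. The following is an added example, not code from the article or from Google or MySpace; it audits constructed Set-Cookie headers for those two attributes. The header values, cookie names and the `audit_response` helper are all assumptions made for the illustration.

```python
"""Audit Set-Cookie headers for the two attributes that bear on the attacks
described in the article:

  Secure   - cookie is only sent over HTTPS, so a sniffer on an open wireless
             network never sees it in the clear.
  HttpOnly - cookie is not exposed to document.cookie, so a cross-site
             scripting bug cannot read it out of the page.

Added example; the header values below are constructed samples and not real
headers from any of the sites named in the article.
"""

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attribute set.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Only the first '=' in the name/value pair is significant, which keeps a
    value such as 'lang=en' from being mistaken for an attribute.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def audit_cookie(header: str) -> CookieAudit:
    """Parse one header and record which protective attribute is absent."""
    cookie = parse_set_cookie(header)
    if not cookie.secure:
        cookie.findings.append(
            "missing Secure: sent over plain HTTP, sniffable on an open wireless network"
        )
    if not cookie.http_only:
        cookie.findings.append(
            "missing HttpOnly: readable by injected script (cross-site scripting)"
        )
    return cookie


def audit_response(headers: list) -> dict:
    """Return {cookie_name: [findings]} for every Set-Cookie header in a response.

    `headers` is a list of (name, value) pairs as an HTTP client would expose
    them; headers other than Set-Cookie are ignored.
    """
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = audit_cookie(value)
        report[cookie.name] = cookie.findings
    return report


# Constructed sample response headers (hypothetical; not captured traffic).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SID=abc123; Path=/; Domain=.example.test"),          # neither attribute
    ("Set-Cookie", "PREF=lang=en; Path=/; HttpOnly"),                    # HttpOnly only
    ("Set-Cookie", "SSID=xyz789; Path=/; Secure; HttpOnly"),             # both present
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_HEADERS).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{cookie_name}: {status}")
```

The Secure attribute only helps if the site is actually reachable over HTTPS and does not also issue the same cookie over a plaintext page; a cookie set on an HTTP response without the attribute is on the wire regardless of how the login itself was protected, which is the gap Graham's demonstration exploited.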
AP news at ABC