Recently we’ve encountered a cross-site scripting attack that targeted the Chinese social networking site Renren. Fortunately for users, it was quite harmless as far as these kinds of threats go—but it could have been much, much worse.
Renren users received messages from their friends with a link to a video of the Pink Floyd song Wish You Were Here. The linked file is detected as SWF_EXECJS.A. When the user clicks the link, SWF_EXECJS.A executes and does show a legitimate video of the song, as seen below:
Figure 1. Legitimate video played by XSS attack
However, as the video plays, SWF_EXECJS.A connects to a URL to execute a script detected as JS_DLOADR.ATJ. JS_DLOADR.ATJ searches for cookies related to Renren and then sends out messages with a link to the same video to everyone on the user’s list of friends. These routines are all performed automatically, without any input or consent from the user.
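The propagation described above, where each account that opens the link automatically messages it to its whole friend list, leaves a recognizable pattern in a site's message log. The following is an added example, not part of the original post and not Trend Micro's detection logic; the log format, account names, URLs and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (names and URLs made up): (epoch seconds, sender, recipient, link)
MESSAGES = [
    (1000, "alice", "bob",   "http://video.example/wish?ref=1"),
    (1001, "alice", "carol", "http://video.example/wish?ref=2"),
    (1002, "alice", "dave",  "http://video.example/wish?ref=3"),
    (1040, "bob",   "erin",  "http://video.example/wish?ref=4"),
    (1041, "bob",   "frank", "http://video.example/wish?ref=5"),
    (1042, "bob",   "alice", "http://video.example/wish?ref=6"),
    (5000, "gina",  "hank",  "http://video.example/wish"),  # ordinary single share
]

def normalize(link):
    """Drop query and fragment so per-message values do not hide a shared link."""
    parts = urlsplit(link)
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"

def bursts(messages, window, min_fanout):
    """Map link -> {sender: burst start} for senders reaching min_fanout recipients in window."""
    sent = defaultdict(lambda: defaultdict(list))
    for ts, sender, recipient, link in messages:
        sent[normalize(link)][sender].append((ts, recipient))
    found = defaultdict(dict)
    for link, by_sender in sent.items():
        for sender, events in by_sender.items():
            events.sort()
            for start, _ in events:
                reached = {r for t, r in events if 0 <= t - start <= window}
                if len(reached) >= min_fanout:
                    found[link][sender] = start
                    break
    return found, sent

def find_worm_links(messages, window=60, min_fanout=3):
    """Flag links where a recipient of one burst later starts a burst of the same link."""
    found, sent = bursts(messages, window, min_fanout)
    flagged = {}
    for link, starts in found.items():
        hops = sorted(
            (src, dst)
            for src in starts
            for ts, dst in sent[link][src]
            if dst in starts and dst != src and ts < starts[dst]
        )
        if hops:
            flagged[link] = hops
    return flagged
```

A link is flagged only when a recipient turns into a mass sender of the same link, which separates worm-style spread from one user legitimately sharing a video with several friends.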
As it is, the attack was fairly limited, but it could have been much worse. It could have taken a page from the KOOBFACE malware and sent out links to malicious sites, for example. Such attacks would be enough to put a truly ironic twist on the video used for this attack. As it is, all it did was annoy some people and embarrass Renren.
Similar low-impact attacks have hit social networking sites before, most notably Orkut, which is owned by Google.
Both components of this attack are detected by the Smart Protection Network.