And so when a user goes to MySpace, they become vulnerable to an exploit using Javascript that was put there by a user and was not controlled by MySpace, correct? That exploit happens client-side on the client's browser, but it only happens because the client loaded the MySpace page in the first place. So if the client stayed off MySpace, the problem would never occur.
Exactly. And moreover, if the client doesn't themselves have a MySpace account, there's nothing for the malicious script to vandalize. No exploit, period, in that case. I can visit any malicious MySpace page I want, because I've never registered there, so I don't have a profile that can be vandalized with these methods.
This is kind of an aside, but I really believe that the term "cross-site scripting" to describe this type of vulnerability is a huge misnomer. It's only "cross-site" if the script were somehow able to send information from one site to a completely different site. It is definitely the browser's responsibility to make sure this never happens, and I'm not aware of any open vulnerabilities in the latest browsers that do this.
A true cross-site vulnerability is one where you visit somebody's MySpace page, and a malicious script causes your browser to send your banking website's login credentials to that user's site somehow. All browsers should prevent this sort of attack because any site other than your bank's website has no right to that information.
My standard (the issue of phishing aside) is that a user should be able to go to *any* web page on the internet and should not be vulnerable to either:
(A) that website installing executable code on the client without permission
(B) an unauthorized transmission of information to that website.
Ok, that's fine. The first one, if it were to happen, would be 100% a browser bug. No browser should install and/or execute unknown code without your consent.
The second one depends on your definition of "unauthorized." If you mean "in the background" then removing this feature breaks a lot of recent advances in web scripting technology, collectively known as AJAX. AJAX is here to stay (and to make our lives easier!), and the convention from the start has been that no browser should be able to send any information to a website that didn't originate from that same website -- whether information from your hard drive or from a different website. The definition of "unauthorized" has always been "information that didn't originate from the same site." That is not the same as "unwanted" which is what you may be thinking of. Unfortunately, there is no possible way for a browser to determine what is "unwanted."
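The rule the reply above describes, that a browser only lets a script send information back to the site the script came from, is the same-origin policy: an origin is the (scheme, host, port) triple, and two pages share an origin only when all three match. The following is an added illustration, not code from the thread or from any browser; it models the pre-CORS rule with a small origin comparison. The URLs are constructed for illustration (`myspace.com` paths and `bank.example` are placeholders).

```javascript
// Added example (not from the original thread): a minimal model of the browser's
// same-origin rule. An origin is the (scheme, host, port) triple; two URLs share an
// origin only if all three match. All URLs below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple, filling in the scheme's default port so that
// "http://example.com/" and "http://example.com:80/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Decide whether a script running on `pageUrl` may read a response from `targetUrl`
// under the rule the thread describes: only if the two share an origin.
function scriptMayRead(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// Constructed examples mirroring the discussion.
const maliciousProfile = "http://www.myspace.com/user/some-attacker";   // hypothetical path
const viewerSettings   = "http://www.myspace.com/profile/edit";         // hypothetical path
const bankLogin        = "https://bank.example/login";                  // placeholder domain

function demo() {
  return {
    // Same site, so the browser's rule permits it; this is why filtering is MySpace's job.
    withinSite: scriptMayRead(maliciousProfile, viewerSettings),
    // Different origin, so the browser must refuse; leaking here would be a browser bug.
    toBank: scriptMayRead(maliciousProfile, bankLogin),
    // A subdomain is a different host and therefore a different origin.
    subdomain: sameOrigin("http://www.myspace.com/", "http://profile.myspace.com/"),
    // Spelling out the default port is equivalent to omitting it.
    defaultPort: sameOrigin("http://a.example:80/", "http://a.example/"),
  };
}

console.log(demo());
```

The `withinSite` and `toBank` results are the two sides of the argument: the browser cannot tell a malicious user page on myspace.com apart from the viewer's own settings page on myspace.com, because to the browser both are the same origin, but it can and must refuse to carry anything from myspace.com to the bank.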
It seems from what I understand that there is a true vulnerability here in that, even if MySpace filtered their website effectively, any other website could be infiltrated with the same malicious code involved here, and users who either purposely or inadvertently (e.g. through a pop-up that wasn't blocked) go there would be vulnerable to the same attack.
So I still don't think it's reasonable to say that this is a MySpace-only issue... because the impact is on the level of the client, and any other website that implemented the same code would have the same effect.
It's not a MySpace-only issue in the sense that any site that displays user-uploaded content must check and filter out any malicious scripting attempts. Any community site where registered users may upload content to their own pages must face this same issue, but it's still the site's responsibility.
It can't possibly be a browser issue because the browser is still following the rules all along: any information it sends to MySpace also originated from MySpace. The browser cannot possibly be smart enough to know that this area of MySpace (some malicious user's page) isn't authorized to touch that area of MySpace (the viewer's profile settings). This is not (in my opinion) a true "cross-site" vulnerability which is the responsibility of the browser because information never leaves myspace.com.
Consider this scenario: Apple adds a feature to .Mac where it can list your favorite new Apple products. You can add products to your favorites list manually, or whenever you view a particular product's page multiple times, it has a script which adds that product to your list in the background, automatically. So in essence, the product area of Apple's website is making scripted changes to the .Mac area.
Is this unauthorized? Is it a vulnerability? No. Apple designed it to work that way, and your browser is still only sending information to and from apple.com.
Now, if Apple allowed any third-party accessory manufacturer to write their own product pages and place them on Apple's site, we'd have the same type of vulnerability. Let's say Bose places a malicious script on their product pages on apple.com, which removes all competitors' products from your .Mac favorites list. This is exactly what's going on at MySpace. In the hypothetical Apple case, it is Apple's responsibility to make sure their accessory suppliers can't add these things to pages on apple.com. Just as MySpace has the responsibility to make sure that their users can't add malicious scripts to pages on myspace.com.
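The reply above puts the burden on the site that hosts user-uploaded content to "check and filter out any malicious scripting attempts." The usual way a site meets that obligation is output encoding: every user-controlled string is encoded for the HTML context it is rendered into, so the browser treats it as text rather than as markup or script, and user-supplied link targets are restricted to an allowlist of schemes. The following is an added example, not code from MySpace, Apple or the thread; the profile fields and the sample input are constructed.

```javascript
// Added example (not part of the thread): output encoding for user-supplied content,
// the "check and filter" step that the reply above places on the hosting site.
// Each untrusted string is encoded for the HTML context it lands in. Sample input
// below is constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string for element content or for a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// User-supplied link targets: allow only absolute http(s) URLs; anything else
// (javascript:, data:, unparsable input) is replaced with a harmless placeholder.
function safeHref(s) {
  try {
    const u = new URL(String(s));
    if (u.protocol === "http:" || u.protocol === "https:") return escapeHtml(u.href);
  } catch (_) {
    // unparsable input falls through to the placeholder
  }
  return "#";
}

// Render a profile fragment from untrusted fields, encoding each for its context.
// The field names (displayName, about, homepage) are hypothetical.
function renderProfile(profile) {
  return (
    `<h1 class="name">${escapeHtml(profile.displayName)}</h1>\n` +
    `<p class="about">${escapeHtml(profile.about)}</p>\n` +
    `<a href="${safeHref(profile.homepage)}">homepage</a>`
  );
}

// Constructed untrusted input of the kind a hosting site must expect.
const sampleProfile = {
  displayName: "Mal <script>alert(1)</script>",
  about: '"Hi" & welcome',
  homepage: "javascript:alert(1)",
};

console.log(renderProfile(sampleProfile));
```

Encoding at render time, rather than trying to detect "bad" input on upload, is what makes the defense hold regardless of how the script is obfuscated: the browser never sees a `<script>` element, only the characters `&lt;script&gt;` displayed as text. Context matters, which is why the link target gets a scheme allowlist instead of plain escaping; an escaped `javascript:` URL is still a `javascript:` URL once it sits in an `href`.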