XSS in QuickTime

pdp has an interesting article about how to embed JavaScript into QuickTime movies. Pretty cool stuff, actually. I’ve seen this before (in the wild) in other video formats, where upon execution it attempts to connect to the web in some form or another, generally creating popups, etc. This is an interesting problem, though, because it’s pretty difficult to detect. It’s not just a matter of scanning a network shim and looking for JavaScript; you now have to scan everything.

That’s actually partially what this thread on is about. As more forms of media become web-enabled, this problem will mutate. It will be interesting to see the future of these attacks as they grow, because they will grow as quickly as the technology evolves. More and more people want to have web-enabled software, and this only paves the way for more forms of attack.

  1. maluc Says:

    smells like the next myspace worm.. assuming you can find a place to host even a 10kb file being accessed by 10s of millions of people..

  2. jungsonn Says:

    excellent find, and you are right, I’ve seen this once also a few years ago, but to my attention it was with an asx of wmv file which could open webpages, never knew how it was done though.

  3. Matt Says:

    If anyone can find some way of getting a rather malicious vid hosted on the Apple website as an official movie trailer, or just hosted on an official page, then the damage which could be achieved would be pretty remarkable.