Hope you like it.
Advisory MOMBY-00000001: MySpace Official URL Spoofing
Press Embargo until April 1, 2007
Myspace allows registered users to create arbitrary pathnames under
the http://www.myspace.com/ domain. This can be used in the furtherance of a
Details: Upon creating a new account, users are presented with an option to pick a MySpace Name/URL, as shown on this screenshot (click).
Combined with the allowed CSS editing that allows users to essentially create custom layouts which may appear exactly as the targeted (or invented) MySpace service (such as a password resetting web application), and the "remember my password" functionality of some browsers which respect only domain names + form input names, this technique can help create a very convincing illusion of MySpace officialdom.
As an example, the personal profile for "Mondo Armando" is now registered as the above example URL, which can now be used to trick victims into setting a password to a value known by, well, me.
The downside (from the attacker's perspective) is that there are technically finite variations. However, a url such as "http://www.myspace.com/PasswordActivate" and "PASSW0RDRESET" may work just as well, so it'll be a while before all the "good" target URLs are taken.
Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi