Month-of-bugs project targets MySpace

Security companies have already found vulnerabilities in MySpace

Social networking site MySpace has become the latest company targeted by a 'month of bugs' project. 

The project, run by security researchers using the aliases 'Mondo Armando' and 'Müstachio', is officially known as Month of MySpace Bugs, Yuss!, or Momby for short. 

Previous 'month of bugs' projects have targeted everything from Mac OS X to PHP. 

As the name suggests, the projects aim to disclose a new vulnerability every day for a month. This latest effort, however, takes as many swipes at other month of bugs projects as the target itself.

"Months of Bugs are annoying, so rather than suffering through another, we figured it'd be better to just create our own where we could at least direct the content a little," said 'Mondo Armando' in the 'official announcement' of the project.

The pair decided on targeting MySpace for a variety or reasons, including its substantial user base.

"Months of Bugs are whiny, attention-seeking ploys for acceptance. MySpace's design use is to enable whiny, attention-seeking ploys for acceptance," said the researchers.

The project will take place during April and will be run from a special LiveJournal blog, or at an alternative site should the account be revoked by LiveJournal owner Six Apart.

"Most of what we intend to publish are silly XSS/misleading CSS style bugs that MySpace users may actually be able to use for a little while, and that involve only MySpace.com stuff," wrote Armando.

The pair are also asking fellow researchers to contribute their own bugs to Momby, requesting details and working proof-of-concept samples.

'Mondo Armando' and 'Müstachio' may not need to search too hard for content in the first few days. F-Secure and Sunbelt Software alerted users on Monday to a pair of security hazards currently doing the rounds on MySpace. 

One bug, according to F-Secure, uses a QuickTime vulnerability to steal user information. The other uses fake MySpace profile pages to trick users into downloading adware programs disguised as video plug-ins, according to Sunbelt.