devitry.com

Tech in the country. Programming & Technology innovations.

Friday, February 24, 2006

Flash XSS security hole lets MySpace hackers run free.

Flash allows free execution of JavaScript (details here). MySpace allows users to embed Flash objects in their profile. While MySpace does some checking on embedded Flash, services like SpySpace and its clones actively get around that. SpySpace uses JavaScript to determine the identity of the MySpace user viewing a page, then reports to the profile owner who has been viewing it. SpySpace uses a number of techniques to hide its motives. First, its SWF is compressed, so you can't see the functions by parsing it. Second, they change the file extension (using HTTP headers to report that it's Flash).
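
The two evasion tricks above (a compressed SWF and a misleading file extension) are exactly what a profile-upload filter has to see through. The following added example, not code from the post or from MySpace, sniffs Flash by its magic bytes instead of trusting the extension or Content-Type, decompresses a "CWS" file, and flags a plain "javascript:" string in the body as a coarse heuristic; the sample files are constructed inline and the `classify_upload` name and findings are my own.

```python
import struct
import zlib
from typing import Optional

# Constructed sample body (not a real SpySpace file): a few padding bytes
# around one string literal of the kind an ActionScript getURL call would carry.
FAKE_BODY = b"\x00" * 12 + b"javascript:void(0)\x00" + b"\x00" * 8


def build_swf(body: bytes, compressed: bool, version: int = 8) -> bytes:
    """Build an inert SWF container: sig(3) + version(1) + uncompressed length(4, LE)."""
    header = (b"CWS" if compressed else b"FWS") + bytes([version])
    header += struct.pack("<I", 8 + len(body))  # FileLength counts the header too
    return header + (zlib.compress(body) if compressed else body)


def sniff_swf(data: bytes) -> Optional[dict]:
    """Identify Flash by magic bytes only, ignoring filename and Content-Type."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return None
    compressed = data[:3] == b"CWS"
    declared_len = struct.unpack("<I", data[4:8])[0]
    try:
        body = zlib.decompress(data[8:]) if compressed else data[8:]
    except zlib.error:
        body = b""  # truncated or corrupt stream: still report it as Flash
    return {
        "compressed": compressed,
        "version": data[3],
        "length_ok": declared_len == 8 + len(body),
        # Heuristic only: AS2 string literals sit uncompressed in DoAction tags.
        "mentions_javascript": b"javascript:" in body.lower(),
    }


def classify_upload(filename: str, content_type: str, data: bytes) -> list:
    """Return findings for an uploaded blob; an empty list means 'not Flash'."""
    info = sniff_swf(data)
    if info is None:
        return []
    findings = ["flash"]
    if info["compressed"]:
        findings.append("compressed")
    if not filename.lower().endswith(".swf"):
        findings.append("extension-mismatch")
    if content_type.lower() != "application/x-shockwave-flash":
        findings.append("content-type-mismatch")
    if info["mentions_javascript"]:
        findings.append("javascript-string")
    if not info["length_ok"]:
        findings.append("bad-length")
    return findings
```

A real filter would go further (parse the tag stream rather than grep for strings), but even this much defeats the rename-and-compress trick the post describes.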

To me, this is a problem with Flash, which should not be allowed to script. In the meantime, don't use MySpace for anything private, because almost anyone you view can have access to your account.
