Re: myspace hack

[rSYN <rsyn () cyborg9 net>]

The author of the code has written a detailed technical explanation
available here:

http://namb.la/popular/

link to technical explanation near top. The code exploited myspace in
that it allowed javascript in css portion of homepage editor. if you
viewed an infected persons profile, it made the author your hero. then
it inserted the code into your profile so the next person who viewd your
profile would get infected.

google "samy is my hero"

On Thu, Oct 13, 2005 at 03:01:45PM +0100, Griffiths, Ian wrote:
> This is not what I gathered from the written account, he's penned it as
> some sort of multi-layered, nested approach to having friends.  I'll be
> far less impressed if it transpires that its just a regular loop in any
> old scripting language with a wget in the middle....
>
> -----Original Message-----
> From: Chris Varenhorst [mailto:varenc () MIT EDU] 
> Sent: 13 October 2005 14:31
> To: Akash
> Cc: webappsec () securityfocus com
> Subject: Re: myspace hack
>
>
> This isn't hacking at all. (at least not what I'd call it)
> This is writing a script to go through myspace IDs (which happen to be
> squential) issuing friend requests to every one of them.  To prevent
> this, now myspace limits friend requests to a certain number per day.
> Hope that covers it!
>
> -Chris
>
> On Thu, 13 Oct 2005, Akash wrote:
>
> > Does anyone has more technical details about how 1 million accounts
> got hacked in about 24 hours.
>
> This is the supposed confession of the hacker http://fast.info/myspace/
>
> I currently studying for CEH and just finished reading about XSS. So
> this is of special interest.
>
> regards
>
> akash