RE: myspace hack

["Reynolds, Jake" <Jake.Reynolds () fishnetsecurity com>]

I wouldn't consider this an XSS attack. Where in the attack did information cross sites? This seems
like it is an embedded XSS attack in that a malicious script was entered into a profile in hopes that
victims would view and execute it. However, nothing was sent across sites via the script. The
vulnerability was a lack of output validation in my opinion, which is the same vulnerability that an
XSS attack would exploit. I don't know how you would classify the attack... Probably "self-replicating
session riding". Yeah that has a nice FUD-factor to it.


Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
Senior Security Engineer -- Consulting Services
FishNet Security

Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677

http://www.fishnetsecurity.com

-----Original Message-----
From: Chris Varenhorst [mailto:varenc () MIT EDU] 
Sent: Thursday, October 13, 2005 8:39 AM
To: Akash
Cc: webappsec () securityfocus com
Subject: Re: myspace hack

Oh wow I'm wrong, I'm apparently thinking of current myspace bots which do
as I described.  It looks this was in fact made possible by an XSS
vulnerability.
Sorry

On Thu, 13 Oct 2005, Chris Varenhorst wrote:

> This isn't hacking at all. (at least not what I'd call it)
> This is writing a script to go through myspace IDs (which happen to be
> squential) issuing friend requests to every one of them.  To prevent
> this, now myspace limits friend requests to a certain number per day.
> Hope that covers it!
>
> -Chris
>
> On Thu, 13 Oct 2005, Akash wrote:
>
> > Does anyone has more technical details about how 1 million accounts
> got hacked in about 24 hours.
>
> This is the supposed confession of the hacker
> http://fast.info/myspace/
>
> I currently studying for CEH and just finished reading about XSS. So
> this is of special interest.
>
> regards
>
> akash