RE: myspace hack

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

Or you could read Sammy's technical analysis which explicitly
lists the javascript he embedded in the profile, as opposed
to random speculation.

-ae

> -----Original Message-----
> From: Andrew Chong [mailto:andrewjw () singnet com sg] 
> Sent: Friday, October 14, 2005 10:08 AM
> To: webappsec () securityfocus com
> Cc: cisspforum () yahoogroups com
> Subject: RE: myspace hack
>
>
>
> My analysis are:
> 1. Sammy broadcast emails to ask myspace user to add him as 
> his friend. 
>
> Most likely is a HTML email with the below embeded code in it. The
> receiver will not need to click to open Sammy profile and the viral
> script will automatically add Sammy as his hero.
>
> If it is a plain text email, the receiver will have to click on a URL
> link to view Sammy's profile.
>
> Assumption 1:
> The email either contains a hidden size 1x1 embeded iframe code that
> will execute myspace.com add friend query strings.
> <iframe
> src="http://www.myspace.com/index.cfm?fuseaction=mail.addfrien
> d&xxxxxxx&
> xxxx&xxx" width="1" height="1">
>
> Assumption 2:
> The email either contains a hidden size 1x1 image using the javascript
> onload to execute the action.
> <img src="images/evil.gif" width="1" id="evil" height="1"
> onload="document.getElementById('evil').src='http://www.myspac
> e.com/inde
> x.cfm?fuseaction=mail.addfriend"> 
>
> Regards,
> Andrew Chong, CISSP
> http://www.sweetfantasy.biz/forum/
>
>
> -----Original Message-----
> From: Reynolds, Jake [mailto:Jake.Reynolds () fishnetsecurity com] 
> Sent: Friday, October 14, 2005 10:30 PM
> To: Chris Varenhorst; Akash
> Cc: webappsec () securityfocus com
> Subject: RE: myspace hack
>
>
> I wouldn't consider this an XSS attack. Where in the attack did
> information cross sites? This seems like it is an embedded 
> XSS attack in
> that a malicious script was entered into a profile in hopes 
> that victims
> would view and execute it. However, nothing was sent across sites via
> the script. The vulnerability was a lack of output validation in my
> opinion, which is the same vulnerability that an XSS attack would
> exploit. I don't know how you would classify the attack... Probably
> "self-replicating session riding". Yeah that has a nice FUD-factor to
> it.
>
>
> Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
> Senior Security Engineer -- Consulting Services
> FishNet Security
>
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677
>
> http://www.fishnetsecurity.com
>
> -----Original Message-----
> From: Chris Varenhorst [mailto:varenc () MIT EDU] 
> Sent: Thursday, October 13, 2005 8:39 AM
> To: Akash
> Cc: webappsec () securityfocus com
> Subject: Re: myspace hack
>
> Oh wow I'm wrong, I'm apparently thinking of current myspace 
> bots which
> do as I described.  It looks this was in fact made possible by an XSS
> vulnerability. Sorry
>
> On Thu, 13 Oct 2005, Chris Varenhorst wrote:
>
> > This isn't hacking at all. (at least not what I'd call it) This is 
> > writing a script to go through myspace IDs (which happen to be
> > squential) issuing friend requests to every one of them.  
> To prevent 
> > this, now myspace limits friend requests to a certain 
> number per day. 
> > Hope that covers it!
> >
> > -Chris
> >
> > On Thu, 13 Oct 2005, Akash wrote:
> >
> > > Does anyone has more technical details about how 1 
> million accounts
> > got hacked in about 24 hours.
> >
> > This is the supposed confession of the hacker 
> > http://fast.info/myspace/
> >
> > I currently studying for CEH and just finished reading 
> about XSS. So 
> > this is of special interest.
> >
> > regards
> >
> > akash