WebApp Sec mailing list archives

Re: myspace hack

From: Stephen de Vries <stephen () corsaire com>
Date: Thu, 13 Oct 2005 19:06:31 +0700

From his account of events it seems to be an excellent example of anXSS virus. A paper on this concept was announced on this list just afew hours ago: http://www.bindshell.net/papers/xssv.html

The difference in the myspace case was that the payload of the viruswas a Cross Site Request Forgery attack (also known as a sessionriding attack) that inserted his profile into the victims' favourites.



On 13 Oct 2005, at 18:28, Akash wrote:

Does anyone has more technical details about how 1 million accounts
got hacked in about 24 hours.

This is the supposed confession of the hacker
http://fast.info/myspace/

I currently studying for CEH and just finished reading about XSS. So
this is of special interest.

regards

akash

Current thread:

myspace hack Akash (Oct 13)
- Re: myspace hack Stephen de Vries (Oct 13)
- Re: myspace hack Chris Varenhorst (Oct 13)
  - Re: myspace hack Chris Varenhorst (Oct 13)
- <Possible follow-ups>
- RE: myspace hack Griffiths, Ian (Oct 13)
  - Re: myspace hack rSYN (Oct 13)
- RE: myspace hack Reynolds, Jake (Oct 14)
  - Re: myspace hack Stephen de Vries (Oct 14)
  - RE: myspace hack Radoslav Vasilev (Oct 14)
  - RE: myspace hack Andrew Chong (Oct 14)
    - Re: myspace hack Stephen de Vries (Oct 14)
  - Re: myspace hack Tim Brown (Oct 14)

(Thread continues...)