WebApp Sec mailing list archives
RE: myspace hack
From: "Reynolds, Jake" <Jake.Reynolds () fishnetsecurity com>
Date: Fri, 14 Oct 2005 09:29:31 -0500
I wouldn't consider this an XSS attack. Where in the attack did information cross sites? This seems like it is an embedded XSS attack in that a malicious script was entered into a profile in hopes that victims would view and execute it. However, nothing was sent across sites via the script. The vulnerability was a lack of output validation in my opinion, which is the same vulnerability that an XSS attack would exploit. I don't know how you would classify the attack... Probably "self-replicating session riding". Yeah, that has a nice FUD-factor to it.

Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
Senior Security Engineer -- Consulting Services
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com

-----Original Message-----
From: Chris Varenhorst [mailto:varenc () MIT EDU]
Sent: Thursday, October 13, 2005 8:39 AM
To: Akash
Cc: webappsec () securityfocus com
Subject: Re: myspace hack

Oh wow, I'm wrong. I'm apparently thinking of current myspace bots, which do as I described. It looks like this was in fact made possible by an XSS vulnerability. Sorry.

On Thu, 13 Oct 2005, Chris Varenhorst wrote:

This isn't hacking at all (at least not what I'd call it). This is writing a script to go through myspace IDs (which happen to be sequential) issuing friend requests to every one of them. To prevent this, now myspace limits friend requests to a certain number per day. Hope that covers it!

-Chris

On Thu, 13 Oct 2005, Akash wrote:

Does anyone have more technical details about how 1 million accounts got hacked in about 24 hours? This is the supposed confession of the hacker: http://fast.info/myspace/ I am currently studying for CEH and just finished reading about XSS, so this is of special interest.

regards
akash
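To make the "lack of output validation" point concrete, here is an added example (not code from the thread, from MySpace, or from any poster): a profile renderer that echoes stored fields verbatim, beside a hardened one that encodes each field for its output context (text node, attribute, URL). The profile data and function names are constructed for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profile (not from the thread): a user has stored markup and a
# non-http link in fields that the site later echoes back to every visitor.
SAMPLE_PROFILE = {
    "name": 'Some User "quoted"',
    "about_me": "hello <script>evil()</script> world",
    "homepage": "javascript:evil()",
}


def render_profile_unsafe(profile: dict) -> str:
    """The weakness described in the thread: stored fields are written into the
    page verbatim, so whatever a profile owner stored runs for every viewer."""
    return (f'<h1>{profile["name"]}</h1>'
            f'<p>{profile["about_me"]}</p>'
            f'<a href="{profile["homepage"]}">home</a>')


def safe_href(url: str) -> str:
    """URL context needs more than entity encoding: allow only http(s) schemes,
    then attribute-encode the survivor; anything else becomes an inert anchor."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return html.escape(url, quote=True) if scheme in ("http", "https") else "#"


def render_profile(profile: dict) -> str:
    """Hardened renderer: every stored field is encoded at output time for the
    context it lands in, so stored markup is displayed as text, not executed."""
    return (f'<h1>{html.escape(profile["name"])}</h1>'
            f'<p>{html.escape(profile["about_me"])}</p>'
            f'<a href="{safe_href(profile["homepage"])}">home</a>')


def has_active_content(rendered: str) -> bool:
    """Coarse check used for verification: does the rendered HTML still carry a
    live <script> tag or a javascript: link?"""
    low = rendered.lower()
    return "<script" in low or 'href="javascript:' in low
```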