Re: myspace hack

[Stephen de Vries <stephen () corsaire com>]

The attacker's own account of the attack can be found here: http:// 
namb.la/popular/
Together with a more technical explanation here: http://namb.la/ 
popular/tech

Stephen

On 14 Oct 2005, at 22:07, Andrew Chong wrote:

> My analysis are:
> 1. Sammy broadcast emails to ask myspace user to add him as his  
> friend.
>
> Most likely is a HTML email with the below embeded code in it. The
> receiver will not need to click to open Sammy profile and the viral
> script will automatically add Sammy as his hero.
>
> If it is a plain text email, the receiver will have to click on a URL
> link to view Sammy's profile.
>
> Assumption 1:
> The email either contains a hidden size 1x1 embeded iframe code that
> will execute myspace.com add friend query strings.
> <iframe
> src="http://www.myspace.com/index.cfm? 
> fuseaction=mail.addfriend&xxxxxxx&
> xxxx&xxx" width="1" height="1">
>
> Assumption 2:
> The email either contains a hidden size 1x1 image using the javascript
> onload to execute the action.
> <img src="images/evil.gif" width="1" id="evil" height="1"
> onload="document.getElementById('evil').src='http://www.myspace.com/ 
> inde
> x.cfm?fuseaction=mail.addfriend">
>
> Regards,
> Andrew Chong, CISSP
> http://www.sweetfantasy.biz/forum/
>
>
> -----Original Message-----
> From: Reynolds, Jake [mailto:Jake.Reynolds () fishnetsecurity com]
> Sent: Friday, October 14, 2005 10:30 PM
> To: Chris Varenhorst; Akash
> Cc: webappsec () securityfocus com
> Subject: RE: myspace hack
>
>
> I wouldn't consider this an XSS attack. Where in the attack did
> information cross sites? This seems like it is an embedded XSS  
> attack in
> that a malicious script was entered into a profile in hopes that  
> victims
> would view and execute it. However, nothing was sent across sites via
> the script. The vulnerability was a lack of output validation in my
> opinion, which is the same vulnerability that an XSS attack would
> exploit. I don't know how you would classify the attack... Probably
> "self-replicating session riding". Yeah that has a nice FUD-factor to
> it.
>
>
> Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
> Senior Security Engineer -- Consulting Services
> FishNet Security
>
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677
>
> http://www.fishnetsecurity.com
>
> -----Original Message-----
> From: Chris Varenhorst [mailto:varenc () MIT EDU]
> Sent: Thursday, October 13, 2005 8:39 AM
> To: Akash
> Cc: webappsec () securityfocus com
> Subject: Re: myspace hack
>
> Oh wow I'm wrong, I'm apparently thinking of current myspace bots  
> which
> do as I described.  It looks this was in fact made possible by an XSS
> vulnerability. Sorry
>
> On Thu, 13 Oct 2005, Chris Varenhorst wrote:
>
>
> > This isn't hacking at all. (at least not what I'd call it) This is
> > writing a script to go through myspace IDs (which happen to be
> > squential) issuing friend requests to every one of them.  To prevent
> > this, now myspace limits friend requests to a certain number per day.
> > Hope that covers it!
> >
> > -Chris
> >
> > On Thu, 13 Oct 2005, Akash wrote:
> >
> >
> > > Does anyone has more technical details about how 1 million accounts
> > got hacked in about 24 hours.
> >
> > This is the supposed confession of the hacker
> > http://fast.info/myspace/
> >
> > I currently studying for CEH and just finished reading about XSS. So
> > this is of special interest.
> >
> > regards
> >
> > akash