Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: myspace hack
From: Andrew Chong (andrewjwsingnet.com.sg)
Date: Fri Oct 14 2005 - 10:07:36 CDT
My analysis are:
1. Sammy broadcast emails to ask myspace user to add him as his friend.
Most likely is a HTML email with the below embeded code in it. The
receiver will not need to click to open Sammy profile and the viral
script will automatically add Sammy as his hero.
If it is a plain text email, the receiver will have to click on a URL
link to view Sammy's profile.
The email either contains a hidden size 1x1 embeded iframe code that
will execute myspace.com add friend query strings.
xxxx&xxx" width="1" height="1">
onload to execute the action.
<img src="images/evil.gif" width="1" id="evil" height="1"
Andrew Chong, CISSP
From: Reynolds, Jake [mailto:Jake.Reynoldsfishnetsecurity.com]
Sent: Friday, October 14, 2005 10:30 PM
To: Chris Varenhorst; Akash
Subject: RE: myspace hack
I wouldn't consider this an XSS attack. Where in the attack did
information cross sites? This seems like it is an embedded XSS attack in
that a malicious script was entered into a profile in hopes that victims
would view and execute it. However, nothing was sent across sites via
the script. The vulnerability was a lack of output validation in my
opinion, which is the same vulnerability that an XSS attack would
exploit. I don't know how you would classify the attack... Probably
"self-replicating session riding". Yeah that has a nice FUD-factor to
Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
Senior Security Engineer -- Consulting Services
Toll Free: 888.732.9406
From: Chris Varenhorst [mailto:varencMIT.EDU]
Sent: Thursday, October 13, 2005 8:39 AM
Subject: Re: myspace hack
Oh wow I'm wrong, I'm apparently thinking of current myspace bots which
do as I described. It looks this was in fact made possible by an XSS
On Thu, 13 Oct 2005, Chris Varenhorst wrote:
> This isn't hacking at all. (at least not what I'd call it) This is
> writing a script to go through myspace IDs (which happen to be
> squential) issuing friend requests to every one of them. To prevent
> this, now myspace limits friend requests to a certain number per day.
> Hope that covers it!
> On Thu, 13 Oct 2005, Akash wrote:
> > Does anyone has more technical details about how 1 million accounts
> got hacked in about 24 hours.
> This is the supposed confession of the hacker
> I currently studying for CEH and just finished reading about XSS. So
> this is of special interest.