My analysis are:
1. Sammy broadcast emails to ask myspace user to add him as his friend.
Most likely is a HTML email with the below embeded code in it. The
receiver will not need to click to open Sammy profile and the viral
script will automatically add Sammy as his hero.
If it is a plain text email, the receiver will have to click on a URL
link to view Sammy's profile.
Assumption 1:
The email either contains a hidden size 1x1 embeded iframe code that
will execute myspace.com add friend query strings.
<iframe
src="http://www.myspace.com/index.cfm?fuseaction=mail.addfriend&xxxxxxx&;
xxxx&xxx" width="1" height="1">
Assumption 2:
The email either contains a hidden size 1x1 image using the javascript
onload to execute the action.
<img src="images/evil.gif" width="1" id="evil" height="1"
onload="document.getElementById('evil').src='http://www.myspace.com/inde
x.cfm?fuseaction=mail.addfriend">
Regards,
Andrew Chong, CISSP
http://www.sweetfantasy.biz/forum/
-----Original Message-----
From: Reynolds, Jake [mailto:Jake.Reynolds@fishnetsecurity.com]
Sent: Friday, October 14, 2005 10:30 PM
To: Chris Varenhorst; Akash
Cc: webappsec@securityfocus.com
Subject: RE: myspace hack
I wouldn't consider this an XSS attack. Where in the attack did
information cross sites? This seems like it is an embedded XSS attack in
that a malicious script was entered into a profile in hopes that victims
would view and execute it. However, nothing was sent across sites via
the script. The vulnerability was a lack of output validation in my
opinion, which is the same vulnerability that an XSS attack would
exploit. I don't know how you would classify the attack... Probably
"self-replicating session riding". Yeah that has a nice FUD-factor to
it.
Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
Senior Security Engineer -- Consulting Services
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com
-----Original Message-----
From: Chris Varenhorst [mailto:varenc@MIT.EDU]
Sent: Thursday, October 13, 2005 8:39 AM
To: Akash
Cc: webappsec@securityfocus.com
Subject: Re: myspace hack
Oh wow I'm wrong, I'm apparently thinking of current myspace bots which
do as I described. It looks this was in fact made possible by an XSS
vulnerability. Sorry
On Thu, 13 Oct 2005, Chris Varenhorst wrote:
This isn't hacking at all. (at least not what I'd call it) This is
writing a script to go through myspace IDs (which happen to be
squential) issuing friend requests to every one of them. To prevent
this, now myspace limits friend requests to a certain number per day.
Hope that covers it!
-Chris
On Thu, 13 Oct 2005, Akash wrote:
Does anyone has more technical details about how 1 million accounts
got hacked in about 24 hours.
This is the supposed confession of the hacker
http://fast.info/myspace/
I currently studying for CEH and just finished reading about XSS. So
this is of special interest.
regards
akash
