M.O.M.B.Y! (momby) wrote,
  • Mood: awake

MOMBY-00000001

Here's our first MOMBY advisory. Note, it's a pretty light one, seeing how today is Sunday, and we don't really expect the crack MySpace Security Squad to actually do a lot of code changes on Sunday. So, we went with one they probably don't care about, and isn't terribly dangerous on its own.

Hope you like it.



Advisory MOMBY-00000001: MySpace Official URL Spoofing
Press Embargo until April 1, 2007
Rankings:

Noobs: *****
LOLs: **
0wnz: *


Myspace allows registered users to create arbitrary pathnames under
the http://www.myspace.com/ domain. This can be used in the furtherance of a
confidence scheme.

Example: http://www.myspace.com/PasswordReset

Details: Upon creating a new account, users are presented with an option to pick a MySpace Name/URL, as shown on this screenshot (click).

Combined with the allowed CSS editing that allows users to essentially create custom layouts which may appear exactly as the targeted (or invented) MySpace service (such as a password resetting web application), and the "remember my password" functionality of some browsers which respect only domain names + form input names, this technique can help create a very convincing illusion of MySpace officialdom.

As an example, the personal profile for "Mondo Armando" is now registered as the above example URL, which can now be used to trick victims into setting a password to a value known by, well, me.

The downside (from the attacker's perspective) is that there are technically finite variations. However, a url such as "http://www.myspace.com/PasswordActivate" and "PASSW0RDRESET" may work just as well, so it'll be a while before all the "good" target URLs are taken.

Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi
Tags: phishing
  • Post a new comment

    Error

    default userpic
  • 34 comments