M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-01 08:00:00
Current mood: awake
Entry tags:phishing

MOMBY-00000001
Here's our first MOMBY advisory. Note that it's a pretty light one, seeing how today is Sunday, and we don't really expect the crack MySpace Security Squad to do a lot of code changes on a Sunday. So we went with one they probably don't care about and that isn't terribly dangerous on its own.

Hope you like it.

Advisory MOMBY-00000001: MySpace Official URL Spoofing
Press Embargo until April 1, 2007
Rankings:

Noobs: *****
LOLs: **
0wnz: *
MySpace allows registered users to create arbitrary pathnames under the http://www.myspace.com/ domain. This can be used in furtherance of a confidence scheme.

Example: http://www.myspace.com/PasswordReset

Details: Upon creating a new account, users are presented with the option to pick a MySpace Name/URL, as shown in this screenshot.

Combined with the CSS editing MySpace allows, which lets users build custom layouts that can look exactly like a targeted (or invented) MySpace service such as a password-resetting web application, and with the "remember my password" feature of some browsers, which keys saved credentials only on the domain name plus the form input names, this technique can create a very convincing illusion of MySpace officialdom.

As an example, the personal profile for "Mondo Armando" is now registered at the example URL above, which can now be used to trick victims into setting a password to a value known by, well, me.

The downside (from the attacker's perspective) is that there are technically only finitely many variations. However, URLs such as "http://www.myspace.com/PasswordActivate" or "PASSW0RDRESET" may work just as well, so it will be a while before all the "good" target URLs are taken.
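One registration-time mitigation for the name-squatting described above, written here as an added example and not anything MySpace ran: canonicalise each requested vanity name so that case, separators, fullwidth or accented characters and leet digits collapse together, then refuse any name that contains an official-sounding term. The reserved-term list, and the choice to treat '1', 'l' and 'i' as one letter, are assumptions of this example.

```python
import re
import unicodedata
from typing import Optional

# Official-sounding terms a vanity-URL registration should refuse.  Constructed
# sample list for this example; the advisory's own examples head the list.
RESERVED_TERMS = (
    "passwordreset", "passwordactivate", "resetpassword", "activatepassword",
    "login", "signin", "help", "support", "security", "admin", "official",
    "antiphishing",
)

# Leet and homoglyph substitutions seen in lookalike names ("PASSW0RDRESET").
# Assumption of this example: '1', 'l', '|', '!' and 'i' are treated as one
# letter, since they are visually interchangeable in most URL-bar fonts.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "l": "i", "|": "i", "!": "i",
    "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t", "8": "b",
})

def normalize_vanity_name(name: str) -> str:
    """Canonicalise a requested name so visual lookalikes collapse together.

    Steps: Unicode compatibility fold (fullwidth letters, accents), lowercase,
    leet/homoglyph substitution, then drop anything that is not a-z so that
    separators like '-', '_', '.' and spaces cannot split a reserved word.
    """
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = folded.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z]", "", ascii_only.lower().translate(LEET_MAP))

# Both sides of the comparison go through the same canonical form.
_CANONICAL_RESERVED = [(normalize_vanity_name(t), t) for t in RESERVED_TERMS]

def reserved_term_hit(name: str) -> Optional[str]:
    """Return the first reserved term the canonical name contains, or None."""
    canon = normalize_vanity_name(name)
    for canon_term, original in _CANONICAL_RESERVED:
        if canon_term in canon:
            return original
    return None

def is_vanity_name_allowed(name: str) -> bool:
    """Registration-time decision: refuse names that mimic official services."""
    return reserved_term_hit(name) is None

if __name__ == "__main__":
    for candidate in ("Mondo_Armando", "PasswordReset", "PASSW0RDRESET", "L0g1n-Help"):
        print(f"{candidate!r}: reserved term = {reserved_term_hit(candidate)}")
```

Substring matching is deliberately broad: it trades some false rejections of ordinary names for catching the padded variants ("PasswordReset2", "Official-Password-Reset") that a plain blocklist of exact names misses.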

Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi


Spoofage
(Anonymous)
2007-04-01 02:03 pm UTC
The browser password recall tie-in with this bug would explain a lot of the success with recent spam-and-grab password harvesting runs. Good find, guys.

Re: Spoofage
(Anonymous)
2007-04-01 04:30 pm UTC
Actually, many of the phishing scams involve giving a service (i.e. MySpace tracker) to the user in exchange for their log-in information. It's even in the disclaimer that they plan on using your account to get the word out for their product.


(Anonymous)
2007-04-01 02:42 pm UTC
You idiots are gonna love the federal lockup

This sucks
(Anonymous)
2007-04-01 03:07 pm UTC
It's April fucking Fools' Day and this is the best you can do? Fuckk

Re: This sucks
[info]7wrc
2007-05-02 09:36 pm UTC
:-))

Obligatory
(Anonymous)
2007-04-01 03:20 pm UTC
It's not a bug; it's a feature!

oh jesus
(Anonymous)
2007-04-01 03:21 pm UTC
You had everyone wait for some Ub3r MySpace bugs and you post this crap? Come on.. this would be relevant on any other site similar to MySpace as well.. so wow, some l33t ass Sk1llz D00d

Re: oh jesus
(Anonymous)
2007-04-01 04:21 pm UTC
Feel free to post your own. The MOMBY FAQ encourages readers to cut out the middleman and post their own XSS leetness.

Me, I think it's funny to open with a non-bug advisory on April Fools' Day. But I'm easily entertained.

This is not a bug.
(Anonymous)
2007-04-01 04:04 pm UTC
This is not a bug. This is not a hole. This is not an exploit. It's better to say you'll release one in a month and do it than to say you'll release one a day and only release one in a month. Things could turn up, but this post is terrible.

Haha
(Anonymous)
2007-04-01 04:09 pm UTC
This is well funny. Have you got something to change Tom's picture? He needs to change it.

Complainers need to STFU
(Anonymous)
2007-04-01 04:31 pm UTC
STFU and let these guys do their shit, you whiners in the comments.

Fake Phisher already in use.
[info]downflipper
2007-04-01 04:43 pm UTC
Someone already made a fake profile, myspace.com/phishing, and is using it to phish other people's accounts. If you see a message from it, flag it as spam and spread the word of its danger. ;>

Re: Fake Phisher already in use.
(Anonymous)
2007-04-01 07:50 pm UTC
http://myspace.com/antiphishing, the myspace.com anti-phishing department.
And guys, calm down, there will be a lot of other bugs imo ;-)

Other sites like... this one?
(Anonymous)
2007-04-01 05:48 pm UTC
Doesn't this also apply to LiveJournal?

This sucks.
(Anonymous)
2007-04-01 07:46 pm UTC
Just adding to the general "this sucks" vibe.
Because they're the most constructive comments.


(Anonymous)
2007-04-01 07:59 pm UTC
I'm disappointed.

Please, if you have any other "bugs" like this one, don't post them. Not only would it take incredible social engineering to get anyone worth having their MySpace do it, but you would need to find someone incredibly stupid. Not to mention that all MySpace would have to do to put a stop to this is have Tom post one of those annoying messages saying, "There are no password recovery profiles. It is a phishing scam meant to steal your password." Wha-lah... Problem solved. >.<

I suggest this if you are looking for a good phishing scam: copy the source code of the MySpace login page, create a script that e-mails the contents of the E-mail and Password fields to you, and then use clever SE to get someone to click on a link to it.

I have confirmed this WORKING!
(Anonymous)
2007-04-01 08:23 pm UTC
It really works!

lawlerz. Sweet post for April 1st. I put it in the forum =p

I have faith that you have some good ones. =]

-Shades (http://www.mrshades.org/momby/)

Re: I have confirmed this WORKING!
(Anonymous)
2007-04-01 11:58 pm UTC
You've confirmed a feature, which is called on this site a "bug," working? Haha.. Yeah.. Guess what, it's amazing, I exploited my toilet after I took a crap today, and lo and behold, it FLUSHED!

I mean, maybe I am old and cranky, but I've been in this game for a long time and so far you guys are not proving yourselves nor this site as any resource or showing the "MySpace lack of security" which you were touting.

Congratulations!
(Anonymous)
2007-04-02 01:30 am UTC
You're an idiot.

Can you not grasp the simple fucking concept that this is a fucking joke? Do you not get that this is fucking April Fools? Do you not fucking get that they fucking posted that on purpose?

You fucking retard.

-Shades

Re: Congratulations!
(Anonymous)
2007-04-02 01:49 am UTC
or maybe it wasn't and the joke's on those that thought it was XD

-AceldamA

Awesome
(Anonymous)
2007-04-02 02:22 am UTC
I'm no coder, but this is still going to be great fun to watch.

xox

WTF?!
(Anonymous)
2007-04-02 03:18 am UTC
How is this different from any other site on the Internet? You dopes! You just wanted the attention, dumbasses. So, do you have any bugs at all or will they all be bullshit like this?

RETARDED!
(Anonymous)
2007-04-02 03:21 am UTC
April Fools' Day or not, this was a weak and pathetic way to start off this "MOMBY" shit. Your so-called bugs are RETARDED! Grow the fuck up! And what's with the lame-ass handles? Mondo Armando? Mustachio? You sound like two retarded Mexicans. Trust me, America doesn't need any more reason to hate Mexicans. You retards need to get a gun and remove yourself from life! Don't EVER reproduce! Please! What the hell kind of hacker would waste their time with MySpace? GET A FUCKING LIFE! n00bZ!

great
(Anonymous)
2007-04-02 04:06 am UTC
i think this is going to be great

Not that you can do anything with it
(Anonymous)
2007-04-02 05:31 am UTC
Try putting a password field in a form on your profile and see what happens. Or create a form which posts to another site.

Re: Not that you can do anything with it
(Anonymous)
2007-04-02 10:38 am UTC
Forms that point outside MySpace have a big JavaScript-induced warning box now, because they foresaw this revelation...

Re: Not that you can do anything with it
[info]momby
2007-04-02 01:35 pm UTC
Really? Used to work like a champ. Haven't checked lately. Thanks for the tip, we'll see if there's any way around this sanitization.

You guys have no sense of humor
(Anonymous)
2007-04-02 07:27 am UTC
and you all deserve to die who say 'U R TEH GAYZ 4 N0TZ POSTING TEH BUGZ0RZ!!'

you fucks can't do XSS yourself, so you waited for this day and you were let down on the first bug because you wanted to h4x0r your best friend's (or ex-girlfriend's) MySpace and say 'I H4X0R J00 I AM TEH L33TZ', and when you found out it was a joke you got pissy.

get over it kids, and GROW UP.

-Shades

Re: You guys have no sense of humor
(Anonymous)
2007-04-02 08:55 am UTC
I figured the entire thing was just a ploy for attention. And this post isn't helping the case. As I said before, what the hell kind of hacker would waste their time on MySpace? I don't care about XSS. XSS is script kiddie business. Which is just what these guys are. So here, I will say it,

U R TEH GHEYZ 4 B31NG 5UCH N00BZ!!

Re: You guys have no sense of humor
(Anonymous)
2007-04-02 10:30 am UTC
lawlz n shit

you should know about script kiddie business, since you're one yourself. it's not about how you do it, it's about finding vulnerabilities.

you wouldn't know a thing about that though, you don't wear a hat from what I can see. these guys are white hats, the only hats that keep the net safe from vulns.

you are lame, sir.

-Shades

Re: You guys have no sense of humor
(Anonymous)
2007-04-02 12:11 pm UTC
u fucking moron, I didn't come here to get exploits so that I could use them

I came here to see how shitty MySpace was and laugh

ur a fuckin idiot if you think everyone who is criticising this blog is pissed because they wanted to get some free sploits.. you are beyond stupid and you deserve to be hanged for being so naive

Re: You guys have no sense of humor
(Anonymous)
2007-04-02 05:17 pm UTC
naive?

you, sir, are the naive one.

get it through your thick fucking skull, you goddamn retards.

-Shades


[info]masmedia
2007-04-02 11:26 am UTC
words so I'll just say nice find.

point?
(Anonymous)
2007-04-03 01:34 am UTC
So what's the point of this hole?

haha I'm sorry, idk much about what you're saying. Maybe at the end of the blog say something about the hack, i.e.

"basically, this hole allows users to phish people's accounts, view comments etc."
