M.O.M.B.Y! (momby) wrote,
Advisory MOMBY-00000101: Myspace Pics Authentication Bypass

Press Embargo until April 5, 2007

Rankings:

Noobs: ****
LOLs:  ****
0wnz:  * 1/2

Each Myspace profile has a "Pics" section where users may upload pictures, typically of themselves and their outrageous hair-dos. Clicking on the "Pics" URL of a member profile will take the user to the URL http://viewmorepics.myspace.com/index.cfm?fuseaction=user.viewPicture&friendID=XXXX, where "XXXX" is the FriendID of the user. At this point, viewmorepics.myspace.com checks to see if a valid MYUSERINFO cookie is set; if not, the user is redirected (via a 302 Object Moved response) to the login page.

This redirect, of course, sucks for people who don't want to give up their e-mail address in order to view some lousy snapshots of their ex-girlfriend and her new boyfriend.

So, instead, MOMBY suggests an alternate URL for the "Pics" list: http://myspace.com/services/media/photosXML.ashx?friendid=XXXX. This displays the underlying XML of the user's "Pics" set, as shown in the screenshot below. From there, it's trivial to view all the pictures, all without logging in and getting snagged by some "Myspace Tracker," which is apparently what the kids are now calling "information disclosure XSS exploits."

Screenshot: http://pics.livejournal.com/momby/pic/00007a5r

Note: the correct FriendID can be determined by simply hovering over the "Pics" link and noting the target displayed in the browser status bar.
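The defect above is an authorization check applied to one route (the HTML "Pics" page) but not to a second route that serves the same data (the XML feed). As an added illustration, not code from MOMBY or MySpace, here is a constructed Python model of the two routes: in the "before" layout only the HTML view is wrapped by the login check, in the "after" layout both are, and a regression check flags any route that still answers a cookieless request with pic data. The cookie value, FriendID and file names are stand-ins.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed stand-ins for a browser request and the server's reply.
@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None

SESSIONS = {"sess-abc": 1001}              # constructed: MYUSERINFO value -> viewer id
PICS = {4242: ["hair1.jpg", "hair2.jpg"]}  # constructed: friendID -> uploaded pics

def session_user(req: Request) -> Optional[int]:
    return SESSIONS.get(req.cookies.get("MYUSERINFO", ""))

def login_required(handler):
    """Redirect to the login page (302) unless a valid MYUSERINFO cookie is present."""
    def wrapped(req: Request) -> Response:
        if session_user(req) is None:
            return Response(302, location="/login")
        return handler(req)
    return wrapped

def load_pics(req: Request) -> List[str]:
    return PICS.get(int(req.params.get("friendID", "0")), [])

@login_required
def view_picture_html(req: Request) -> Response:
    return Response(200, "<html>" + ",".join(load_pics(req)) + "</html>")

def photos_xml(req: Request) -> Response:
    return Response(200, "<pics>" + ",".join(load_pics(req)) + "</pics>")

# Before: only the HTML view is wrapped; the XML feed hands the same data to anyone.
BEFORE = {"/index.cfm?fuseaction=user.viewPicture": view_picture_html,
          "/services/media/photosXML.ashx": photos_xml}
# After: every route that returns pic data goes through the same check.
AFTER = {"/index.cfm?fuseaction=user.viewPicture": view_picture_html,
         "/services/media/photosXML.ashx": login_required(photos_xml)}

def anonymous_leaks(routes) -> List[str]:
    """Regression check: routes that answer a cookieless request with 200 and pic data."""
    anon = Request(params={"friendID": "4242"})
    replies = {path: handler(anon) for path, handler in routes.items()}
    return sorted(p for p, r in replies.items() if r.status == 200 and "hair1.jpg" in r.body)
```

The check is the kind of thing to run over every route that touches the same backing data, since the bug is an inconsistency between routes rather than a flaw in any one of them.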

Credit: AwEsOmE AnDrEw, who was thoughtful enough to package this up in an easy to use format, the Lame Myspace Picture Raper, here: http://www.awesomeandrew.net/downloads/lmpraper.zip. This is a VBScript application, which means that "Internet Explorer" has to be in your personal set of "easy to use" things.

Why This Lame Bug: We thought we posted a bug for today, but then remembered: that wasn't bug-posting, that was beer and whiskey shooters since 3pm! Dammit! And that would explain why every lamp in the apartment is broken, and that explains why I'm typing this in the dark while Mustachio is passed out, fairly precariously, on the balcony!

So, we kinda needed an easy one. Plus, you people don't appear to actually appreciate the good bugs. You "oo" and "ah" over them, but where's the press? "Month of MySpace bugs starts with a dud" is the last we've heard. No follow-up headline of "MOMBY Kicks Ass With Insightful XSS Explanations" to be seen? Fine, fuckers. Have it your way. We have plenty of "duds" left, if that's what you want.

And we've been drinking. Just as soon as we sober up, we're going to find that Jeremy Kirk guy and tell him what-for.

Tags: auth-bypass, drunken rage
  • 38 comments
myspace must have figured out this bug real fast because it won't work with private profiles.
This is an old bug, so it's been fixed for a while.

They posted it because apparently people are missing the point of this MOB, so, they gave us a lame one to punish us.


Anonymous, April 6 2007, 04:26:16 UTC

that's awesome =]

if only you had something for private profiles, I would love this site!!!11!!
mondo, I appreciate what you're doing. Your explanations are indeed insightful and you expose some very weak parts of myspace. A lot of people wouldn't be able to find those XSS sploits (pointed to the ones who say your bugs suck). So maybe you guys aren't getting the press you expected, but that's not really the point of MOMBY, is it?

Whether you post your good bugs or the useless ones, I'll still support MOMBY 100%.

Keep 'em comin'. It's only been a few days, you still have a chance to get on Wired, Techdirt, Slashdot, and Digg. Don't expect good press with angry posts and (I quote) 'duds' (although I think every bug is a good bug).

Also, I see you aren't posting to Full-Disclosure. If you need someone to post for you I would be glad to.

=]

-Shades (http://www.mrshades.org/momby/)
Who is the blond girl in the picture smoking?
It looks like Tila Tequila sort of...


Give us somethin' with some BALLS! Let's see those PRIVATE PROFILES. You KNOW damn well that's the one everyone wants and needs... dish it up :-)
you do know that as soon as they disclose something as huge as viewing private profiles, myspace will get off of their asses and fix it? they aren't fixing these because they aren't important enough. however something that has a big impact, you will see them patch it faster than ever before.


It's pretty awesome to see that my script made it on here without even submitting it. I'm still looking forward to the vulnerability I sent you guys. As pointed out in an above post most of the people viewing this would have no idea how to find any effective reflected or persistent cross-site scripting vulnerabilities on their own, and are simply complaining because they're either expecting to see the most fruitful vulnerabilities freely disclosed immediately, or are angry and obsessive MySpace followers who have yet to become jaded by the growing number of shitty unfunctional and attentionwhore-friendly sites. Many of them haven't been around the interwebs long enough to have seen the faggotry of their nature, and how MySpace is nothing more than the most current glorified blogging site available, and that the next site to appear will have just as many useless features with an additional "trend factor" until it too dies a slow death.

-Awesome AnDrEw
http://www.awesomeandrew.net
I completely agree with awesome andrew.


awesome! =p

-Shades

Why

Anonymous, April 6 2007, 12:45:28 UTC

Why would you get press for stuff that has already been circulated 150x over? If people want to find these all they have to do is Google it.

People suck

Anonymous, April 6 2007, 18:31:54 UTC

Some of these comments are ridiculous. Is this actually happening? Are people actually complaining that you're releasing free exploit information, which required countless hours to find, but not contributing anything themselves? Don't worry. I'm sure there is a huge group of lurking fans. Just think about how many views a YouTube video gets without comments.
What has the press got to cover? XSS isn't interesting to report on really; yeah, it's pretty interesting to work out and create yourself, but you can't have a month of XSS vulnerabilities and keep people's attention. And the advisories for social working scams, they shan't be mentioned.

You shouldn't have really done this on myspace; the people who want to h4x0r haven't got something they can click and steal a password, and the bugs aren't impressive enough to keep people in the know wanting more.

Andrew's bug sounds interesting... I've been googling =| So that might get you press, but keep at it... you're still getting them in the open and fixed.

And that's, important... yeah?

wtf

Anonymous, April 9 2007, 19:07:01 UTC

why don't they post a useful hack to view private profiles!? I'm sorry but most of this stuff is useless..... Why do I need to know about this XSS mumbo jumbo??? Or authentication bypass thingy LOL! Please give us something useful so we can view private profiles!!!!
Not only does this not work for private profiles, it does not work for unauthenticated users. Try signing out of your Myspace before testing this "bug".

I tested this in IE, Firefox and with raw posts. The only way it would give me the valid XML is if I was already signed into Myspace. I guess it's not out of the realm of possibility that I somehow did this incorrectly, but I'm beginning to doubt it.

Nonetheless, you asked why people don't appreciate the good bugs and I'll have to agree with a previous poster on this: you haven't supplied any good bugs. And this one isn't even a bug, just possibly a semi-useful addition to some lazy stalker's bag of tricks.
Hi!
My name is Tomas!



THE MYSPACE VIEW HIDDEN PICS IS WORKING TODAY. AT FIRST IT SAYS IT ISNT BUT WHEN I CLICK REFRESH A COUPLE OF TIMES UP POPPED THE LIST OF ALL OF THE HIDDEN PICS LINKS! LOVE IT
YEAH NEED TO SPECIFY. IT IS NOT WORKING ON PRIVATE PROFILES. JUST PUBLIC PROFILES THAT HAVE THE PICS SET TO PRIVATE.

NO ITS NOT

Anonymous

it works

Anonymous, December 8 2007, 06:42:25 UTC

it just worked for me
http://www.playboyproxy.com

works like a charm
you guys are good at finding all these bugs


Ringer Nation

Nice quote

Anonymous, May 7 2008, 14:11:21 UTC


Honesty pays, but it doesn't seem to pay enough to suit some people.
-- F.M. Hubbard



Hello

Anonymous, August 17 2008, 20:51:45 UTC

I'm new here, just wanted to say hello and introduce myself.
I began this thread to discuss public usable web proxies:

Which are really anonymous?

Which can be used with facebook, myspace etc., in other words: are fresh?

Which can you recommend?

Thanks for your help,
Dschibut

P.S.: In my land, the freedom of speech is somehow limited, please give me a hint, if you have doubts about your recommendation.