Advisory MOMBY-00000101: Myspace Pics Authentication Bypass
Press Embargo until April 5, 2007
Noobs: **** LOLs: **** 0wnz: * 1/2
Each Myspace profile has a "Pics" section where users may upload pictures, typically of themselves and their outrageous hair-dos. Clicking on the "Pics" URL of a member profile will take the user to the URL http://viewmorepics.myspace.com/index.cf
This redirect, of course, sucks for people who don't want to give up their e-mail address in order to view some lousy snapshots of their ex-girlfriend and her new boyfriend.
So, instead, MOMBY suggests an alternate URL for the "Pics" list: http://myspace.com/services/media/photos
Note: the correct FriendID can be determined by simply hovering over the "Pics" link and noting the target displayed in the browser status bar.
Credit: AwEsOmE AnDrEw, who was thoughtful enough to package this up in an easy-to-use format, the Lame Myspace Picture Raper, here: http://www.awesomeandrew.net/downloads/l
Why This Lame Bug: We thought we posted a bug for today, but then remembered: that wasn't bug-posting, that was beer and whiskey shooters since 3pm! Dammit! And that would explain why every lamp in the apartment is broken, and that explains why I'm typing this in the dark while Mustachio is passed out, fairly precariously, on the balcony!
So, we kinda needed an easy one. Plus, you people don't appear to actually appreciate the good bugs. You "oo" and "ah" over them, but where's the press? "Month of MySpace bugs starts with a dud" is the last we've heard. No follow-up headline of "MOMBY Kicks Ass With Insightful XSS Explanations" to be seen? Fine, fuckers. Have it your way. We have plenty of "duds" left, if that's what you want.
And we've been drinking. Just as soon as we sober up, we're going to find that Jeremy Kirk guy and tell him what-for.