M.O.M.B.Y! (momby) wrote,

MOMBY-00000111: Myspace Cleartext Authentication

Advisory MOMBY-00000111: Myspace Cleartext Authentication
Press Embargo until April 7, 2007

Rankings:

Noobs: ***
 LOLs: *****
 0wnz: ****

The Myspace website authentication system requires users to expose usernames and passwords in cleartext. The login application is a standard <FORM> presented usually on http://www.myspace.com and http://login.myspace.com with a form handler at http://login.myspace.com. There is no assurance made or implied to the user that either the login form or the login information is cryptographically secure.

Example HTTP response to a Myspace login:

POST /index.cfm?fuseaction=login.process&MyToken=[token] HTTP/1.1
Host: login.myspace.com
User-Agent: Mozilla/5.0 ([browser info])
Accept: text/xml,[browser accept options, etc.]
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=88.10.10.10&IPCulture=de-DE&PreferredCulture=de-DE&Country=DE; [other cookie information]
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
Login=&email=YourUser%40domain.de&password=YourPassword&ctl00%24Main%24SplashDisplay%24ctl01%24loginbutton.x=0&ctl00%24Main%24SplashDisplay%24ctl01%24loginbutton.y=0

This exposes the user name and password to any listener on the local network or intermediate networks. As MySpace is usually in the top five of most-accessed websites in the world, a sizable fraction of logins must originate from insecure networks. Insecure networks would include public wireless hotspots and larger jurisdictions subject to pervasive state-sanctioned eavesdropping, such as the People's Republic of China and the United States of America.

Listening for login credentials on a local segment is trivial with an application such as Wireshark or ngrep. If these credentials are captured, attackers may immediately compromise the targeted account.

Screenshot: http://pics.livejournal.com/momby/pic/00009att

It's interesting to note, while the www.mypsace.com host does not offer an HTTPS listener on port 443 for more security-conscious users, login.myspace.com:443 is listening and has a valid SSL certificate. However, this interface appears to offer only a 302 redirect to https://www.myspace.com -- which doesn't exist. Why this is implemented this way is a mystery.

Credit: Just about anyone with a passing interest in security has noticed this -- this bug is a large component of MySpace's reputation of insecurity.

Tags: cleartext password
  • Post a new comment

    Error

    default userpic
  • 35 comments