Advisory MOMBY-00000111: Myspace Cleartext Authentication
Press Embargo until April 7, 2007
Noobs: *** LOLs: ***** 0wnz: ****
The Myspace website authentication system requires users to expose usernames and passwords in cleartext. The login application is a standard <FORM> presented usually on http://www.myspace.com and http://login.myspace.com with a form handler at http://login.myspace.com. There is no assurance made or implied to the user that either the login form or the login information is cryptographically secure.
Example HTTP response to a Myspace login:
POST /index.cfm?fuseaction=login.process&MyToken=[token] HTTP/1.1
User-Agent: Mozilla/5.0 ([browser info])
Accept: text/xml,[browser accept options, etc.]
Cookie: MSCulture=IP=184.108.40.206&IPCulture=de-DE&PreferredCulture=de-DE&Country=DE; [other cookie information]
This exposes the user name and password to any listener on the local network or intermediate networks. As MySpace is usually in the top five of most-accessed websites in the world, a sizable fraction of logins must originate from insecure networks. Insecure networks would include public wireless hotspots and larger jurisdictions subject to pervasive state-sanctioned eavesdropping, such as the People's Republic of China and the United States of America.
Listening for login credentials on a local segment is trivial with an application such as Wireshark or ngrep. If these credentials are captured, attackers may immediately compromise the targeted account.
It's interesting to note, while the www.mypsace.com host does not offer an HTTPS listener on port 443 for more security-conscious users, login.myspace.com:443 is listening and has a valid SSL certificate. However, this interface appears to offer only a 302 redirect to https://www.myspace.com -- which doesn't exist. Why this is implemented this way is a mystery.
Credit: Just about anyone with a passing interest in security has noticed this -- this bug is a large component of MySpace's reputation of insecurity.