M.O.M.B.Y! (momby) wrote,
M.O.M.B.Y!
momby

  • Mood:

Special Guest Advisory: CAU-2006-0001

Instead of busting our hump and posting yet another XSS for the day, we here at MOMBY are proud to introduce a special guest advisory, brought to you by the fine non-criminals at Computer Academic Underground. It's more or less new -- as far as we know, CAU hasn't done a lot to publicize this (very well-written) attack.

Enjoy. We're spending the rest of the night eating Cheetos and watching Lost.



Tags: cau, css poisoning
  • Post a new comment

    Error

    default userpic
  • 23 comments

...

Anonymous

April 12 2007, 00:34:48 UTC 9 years ago

Okay this is not an exploit or bug. This says that it has to be in the About Me section. Any user can go on google and search for myspace generators, and get a code like this. The only thing this did was point out the fact you can make it a link to a phishing page.

"It's more or less new -- as far as we know, CAU hasn't done a lot to publicize this (very well-written) attack."

Hell I used one of these, myspace code websites call it a Custom Navigation Generator. This would only be useful if you could put it in a comment. Seriously this sucks.

Re: ...

Anonymous

April 12 2007, 01:27:20 UTC 9 years ago

If you're dissatisfied with any given day's post, you're welcome to counter with a bug report of your own. Otherwise, please feel free to STFU.

Re: ...

Anonymous

April 12 2007, 02:49:24 UTC 9 years ago

I don't need to post anything. This isn't a bug report. Where's the bug? It's not a bug, it's something that can be done. It's not like myspace says you can't change your navigation table.

Do you even have a myspace? If you did you would know that this is not a bug.

Re: ...

Anonymous

April 12 2007, 07:44:22 UTC 9 years ago

It's not just about publishing hyper-dangerous system bugs anyway...

"It's not a bug, it's something that can be done."

=> Kikoo lol ! Of course, this can be done, but it shouldn't! Myspace just says "You little boys please don't hide myspace ads and nav menu, pleeeeeeaaaase!" but they should do something to avoid these changes, evenmore if this can lead to an attack...

Woods

Re

Anonymous

April 12 2007, 00:36:26 UTC 9 years ago

I don't think this has worked in quite awhile.

Re: Re

Anonymous

April 12 2007, 01:18:47 UTC 9 years ago

Unless you can integrate the code with XSS it isn't very effective.
Maybe you will only be able to phish a few hundred accounts, but the old XSS exploits allowed you to sleal hundreds of thousands of accounts in a matter of days since it propogated exponentially.

However, a more effective and simpler exploit would be to use the CSS to put a huge invisible image on your profile that hyperlinks to another website.



Re: Re

Anonymous

April 12 2007, 01:49:06 UTC 9 years ago

It should be noted that this attack vector was used along with Quicktime flaws back in 2006. Shortly after the original CAU release.

http://www.eweek.com/article2/0,1895,2067683,00.asp

Re: Re

Anonymous

April 12 2007, 02:40:16 UTC 9 years ago

You're absolutely right. That is a much more effective method. It takes a lot less code, too. Good thought. Here's the code you'd need for the transparent image phishing trick.

(http://yourdomain.com)
I find this a fine example of why certain CSS properties should be avoided like the plague. position absolute is a great example: with that and a few more styles, you can essentially simulate any element on the page. And if not, you can get a few laughs: try style="position:absolute; top:0; left:0; width:100%; height:5000px; background:#000; color:red;" (Willy on Wheels at Wikipedia used to do these sorts of overlays.)

Anonymous

April 12 2007, 02:50:32 UTC 9 years ago

MOMBY IS A FAIL!
Or you can use any number of the div overlay templates, make a profile of a sexy looking girl (photo bucket -> recent images, for pics) then have the 'view more pics' link go to a spoofed login page. Then, after they login, simply redirect them to the profile pictures, so they don't suspect anything.

Everyone likes sexy girls, so for the average Myspace user, this works perfectly.
Yes, this is certainly a security hole in the very concept of MySpace (one of quite a few). But it is not exactly new and I think it is well known to MySpace developers. See Terms and Conditions:


The following is a partial list of the kind of activity that is illegal or prohibited on the MySpace Website and through your use of the MySpace Services.

[...]

3. covering or obscuring the banner advertisements on your personal profile page, or any MySpace.com page via HTML/CSS or any other means;


So they know about the possibility but are more concerned about their advertisements than about navigation suddenly showing to phishing pages. Which is pretty typical I would say.

Anonymous

April 12 2007, 16:24:21 UTC 9 years ago

It's not against the tos to use css or html in your profile, bulletins, etc. If you go to "Tom's" myspace page, it even says stuff about using css and to check out this guy who is rly good with css.
Did I say that it were against ToS? They want you to use CSS and that's exactly the problem. I cited the ToS and it clearly says - only covering up the advertisements is forbidden. Replacing navigation on the other hand is not. Which clearly shows the priorities.

Anonymous

December 8 2009, 03:13:40 UTC 7 years ago

geg

...

Anonymous

April 12 2007, 21:25:13 UTC 9 years ago

I thought the purpose of this site was to show myspace bugs they didnt know about so they could be fixed

ive used this for over a year now

hell they even have a rotten egg tutorial about this and how to phish tutorial
gpXTvG fdv084y0v4t3cnfv593bv29vb
tEfLzK fdf043hj93jkfjw845qgtj6fqp
1fXPlc fv9db5dgbn3207vybfv5
this post is fantastic manchester cheapest hotel rates 938444
Thanks funny site chicago cheap hotel airiport with shuttle athens greece kfo
this is be cool 8) rate at a hotel cheap rates on luxury hotels in austin rtl

aulXzZpDOWpj

Anonymous

July 2 2008, 17:22:08 UTC 8 years ago

magic story very thanks negril cheap downtown hotels seattle fnmwlt