M.O.M.B.Y! (momby) wrote,
M.O.M.B.Y!
momby

  • Mood:

MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure

Advisory MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure
Noobz: ***********
LOLz: ******
0wnz: *

Third party skinning service Pimp-My-Profile.com offers thousands of pre-designed Myspace profile styles (as well as misleading phishing links represented as eBay, for some reason). Most of these profile overlays can be "tweaked" to "hide" portions of Myspace profiles -- in particular, a "Hide Friends" button. The usual use of hiding friends is, in fact, a mistaken belief that a hidden friends pane removes the ability for attackers to learn who that user's friends are. For example, some users utilize the Pimp-My-Profile.com functionality to conceal "Cyber" romantic relationships from "Real Life" relationship partners, to hide "unprofessional" associatiations from potential employers, and other motives (this has been shown via first-hand anecdotal experience).

However, by viewing the user's personal information via the "viewfriends" application on friends.myspace.com, it is in fact trivial to learn such hidden relationships. An example is shown below.

howto: change 'profile' to 'friends' on the URL where indicated

Profile without friends
viewfriends profile (one friend)


It's worth stressing three features of this bug: 1) This is a third-party service presumably unrelated to MySpace. 2) Regardless, this bug affects the usability of the Myspace service -- if users were better informed of this information disclosure attack, they would not likely rely on the "Hide Friends" functionality to conceal relationships, and 3) This was in fact the bug that prompted the MOMBY Institute to pursue this ridiculous Month of Bugs.

Credit: This bug was first reported by Voodoo Woman, a confessed Myspace loser who enjoys stalking even the most casual of acquaintances on the Internet and compiling detailed dossiers of their lives and associations.

begin boring-rant.txt 644

When learning of this bug, we realized that there would be at least several thousand typical Myspace users who may be concerned about this sort information disclosure attack -- many more than would be concerned about a null pointer dereference, a local-only privilege escalation in Mac OSX, or a double-free in PHP4. While these other bugs, and even some XSS bugs detailed here at MOMBY, are more closely associated with information security, there is about zero common interest in these issues outside of a small, highly-trained circle of professional attackers and defenders. On the other hand, Myspace is simultaneously a common reference implementation of poor web application design, and one of the most popular and useful destinations in the history of the Internet. This is paradoxical to technical professionals, and the security set seems to be suffering a serious bout of cognitive dissonance on this point. Kids (12 to 24 year olds) are learning their Internet habits on Myspace -- that means cleartext authentication, random errors and re-logins, mysterious loss of data nad privileges, and easy XSS-enabled session hijacking are pretty much the sum total of their day-to-day experience.

We, as a defense industry and as a force for good, should be doing so much more to help them understand, even a little bit, what Good Security looks like. That's what MOMBY is all about.

Also, we really, really hate the other Months of Bugs, run by self-obsessed security douches all. And that is really what MOMBY is all about.

Also, we are ourselves self-obsessed security douches. And THAT is what MOMBY is all about.
Tags: what momby is all about
  • Post a new comment

    Error

    default userpic
  • 27 comments
"This was in fact the bug that prompted the MOMBY Institute to pursue this ridiculous Month of Bugs." Well that explains a lot... since I don't term this a "bug"... if users mistakenly style their profile thinking that it hides their friends, then they're fools. You can't call that a bug... it's not as though MySpace have a big friendly "click here to hide your friends" button which does a poor job and doesn't work. I suggest you learn what a bug really is. Null pointer dereferences, a local-only privilege escalation in Mac OSX, or a double-free in PHP4 might be dull to the average net user, but at least they are real technical bugs. Not the fact that MySpace doesn't warn their users not be stupid. Or that it doesn't offer an HTTPS login. Or that it intentionally emails people a reset password. Some of the XSS problems have been interesting - but lets face it, we don't really need "day 1 - xss problem with page 1", "day 2 - same xss problem with page 2", which is little more than your bugs have amounted to...

Re

Anonymous

April 27 2007, 06:52:17 UTC 9 years ago

Or...You could just disable page styles. Its also the same thing with "hidden" comments, and they should really realize that just because you don't see it in front of you, doesn't mean its not there.

I really think they should add the option to hide friends, which I'm sure they will eventually. They finally made it an option to make some pics "Friends only", and others "Public".

Its sad, but they have have to really gradually move in new features, because most of MySpace users are cyber-illiterate(Is that a word?), and they freak out when their MySpace changes the slightest bit.

-JoshuaMH
"You could just disable page styles."

You're absolutely right, JoshuaMH. Clearly, typical MySpace users should be expected to a) know that this is an option, and b) edit the registry to achieve this effect for IE. (http://support.microsoft.com/kb/183717).

Much easier than editing the URL in two places.
BBcode pros and cons aside, a much more useful point to argue is, what would the format of the bbcode have to be, exactly, because it is true that different applications may use slightly different standards (still, editing one bbcode standard to another will be much easier than to edit HTML).
Editing URLs isn't significantly easier than adding a new link and then clicking thru. Yes. No. Am I speaking more clearly now, or just annoying you, or were you talking to SignpostMarv and I interrupted.
Tomorrow its my bday.. and i expect a present ok

lol

http://myspaceunofficialhelp.com

Uhm

Anonymous

April 27 2007, 18:01:33 UTC 9 years ago

Are you all getting so desperate for content that you're pointing out the obvious truths about webdesign to people? Anyone with a mouse and a right mouse button can simply choose 'view source' and it would become apparent that your friends arent 'removed' but just hidden.

Not to mention that this is a bug report about a site that issues visual hacks for the wonky html layout myspace uses.

Honestly guys, if you dont have anything good to say, dont say anything at all.

Next you're going to start reporting font size discrepencies...

Re: Uhm

Anonymous

April 27 2007, 18:54:54 UTC 9 years ago

LaWL

I second this ._.

Re: Uhm

Anonymous

April 27 2007, 23:44:42 UTC 9 years ago

haha why endorse pimp-my-profile, where theres great sites such as

http://www.xgenerators.com
and
http://www.chaesbadkids.net

=]
Haven't people known about this...
For pretty much ever?

I know all my friends have been using this for at least 3 years now.

Anonymous

April 28 2007, 20:03:38 UTC 9 years ago

I clicked on your blog thinking it would be shit but it was actually pretty good.
La October 21st, at pm Those that have been using facebook for years know that the major utility behind facebook is communication, not entertainment (though entertainment/stalking/etc might take up the vast majority of page views).

MySquares

Anonymous

April 29 2007, 06:24:57 UTC 9 years ago



So where is the 04-27 ??

i got no life.. and i check this a few times a day and still nothing

:( sad....

MySquares

Anonymous

April 29 2007, 06:26:02 UTC 9 years ago


So where is the 04-27 ??

i got no life.. and i check this a few times a day and still nothing

:( sad....

http://myspaceunofficialhelp.com/
Had to throw your URL in there didn't you?
yes i had to...

and here is one more time.. is like in forums.. you have a signature :)

http://myspaceunofficialhelp.com/

lol

Re: MySquares

Anonymous

9 years ago

Re: MySquares

Anonymous

9 years ago

I have a friend who recently was discovered to be, well, lets just say she lost her virginity at a young age and not many people knew. So now she's getting a bunch of crap at school and especially tons and tons of comments about it. So she did what most people would do, go to Pimp-Myspace or wherever you would get all of the codes from and made it so that you couldn't see her comments or add one. Well, me of course, read about this exploit, actually I read them all and what I did was copy her Myspace's main URL and posted it in notepad. Then I went to one of my friend's Myspace and clicked 'Add Comment'. Then I copied that URL and pasted it next to the other one in notepad. Pretty much self explanitory from there; all I had to do was figure out what was in the 2nd one that wasn't in the first URL. Then I was able to leave her comments! Also, in order to view someone's blocked comments, all you have to do is hit View<Source then scroll down and walah! There they are. Most people don't understand that using a little html or something to 'hide' something only hides it from the average computer user and not from someone else that may think a little bit harder. If they really wanted noone to see, then they should delete the comments.

bah

Anonymous

April 29 2007, 21:52:20 UTC 9 years ago

I haven't seen one single bug that was worth my time
this page is ridiculous - I expected xss exploits, not css crap

Pff...

Anonymous

April 30 2007, 01:59:59 UTC 9 years ago

Momby fails at life. Lame bugs. Multiple missing bug-reports. Lame excuses. Shameful bid for attention. That is all.

Anonymous

April 30 2007, 21:21:10 UTC 9 years ago

Momby is probably off sucking dick, and that's why they haven't posted a bug since Thursday, that is, IF you even count that as a bug. Momby give up, go away. You failed, and the month is over tomorrow. I'm glad.





Failure.

hmmm

Anonymous

April 30 2007, 22:46:06 UTC 9 years ago


hmmm so today is the last day ?
i wonder if they are going to continue ?
or at least post more bugs [if they have]

we will see...


MySquares
http://myspaceunofficialhelp.com
R U serious???.... So the month is over and thats all you got??....
Nothing but lame shit... as for those who think your "bugs" are great, suck my dick. They are idiots just like you... anyone with a little experience knows this lame stuff...

as many others said above...MOMBY SUCKS!!!

hi all

Anonymous

September 28 2008, 03:01:28 UTC 8 years ago

http://opipojnutyrrgthj.com - yujffddfsgjhghsdg
I am impressed! Blog low-down posted here is absolutely my friend. I just after to hint keep up with comments and nobility work. IE browser bookmarks to your blog solely now, I l light on back to see my friends more in the future! The color of the layout is not lousy, it is easy on the eyes.