Advisory MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure
Third party skinning service Pimp-My-Profile.com
offers thousands of pre-designed Myspace profile styles (as well as misleading phishing links represented as eBay, for some reason). Most of these profile overlays can be "tweaked" to "hide" portions of Myspace profiles -- in particular, a "Hide Friends" button. The usual use of hiding friends is, in fact, a mistaken belief that a hidden friends pane removes the ability for attackers to learn who that user's friends are. For example, some users utilize the Pimp-My-Profile.com functionality to conceal "Cyber" romantic relationships from "Real Life" relationship partners, to hide "unprofessional" associatiations from potential employers, and other motives (this has been shown via first-hand anecdotal experience).
However, by viewing the user's personal information via the "viewfriends" application on friends.myspace.com
, it is in fact trivial to learn such hidden relationships. An example is shown below.
howto: change 'profile' to 'friends' on the URL where indicated
Profile without friends
viewfriends profile (one friend)
It's worth stressing three features of this bug: 1) This is a third-party service presumably unrelated to MySpace. 2) Regardless, this bug affects the usability of the Myspace service -- if users were better informed of this information disclosure attack, they would not likely rely on the "Hide Friends" functionality to conceal relationships, and 3) This was in fact the bug that prompted the MOMBY Institute to pursue this ridiculous Month of Bugs.
Credit: This bug was first reported by Voodoo Woman, a confessed Myspace loser who enjoys stalking even the most casual of acquaintances on the Internet and compiling detailed dossiers of their lives and associations.begin boring-rant.txt 644
When learning of this bug, we realized that there would be at least several thousand typical Myspace users who may be concerned about this sort information disclosure attack -- many more than would be concerned about a null pointer dereference
, a local-only privilege escalation in Mac OSX
, or a double-free in PHP4
. While these other bugs, and even some XSS bugs detailed here at MOMBY, are more closely associated with information security, there is about zero common interest in these issues outside of a small, highly-trained circle of professional attackers and defenders. On the other hand, Myspace is simultaneously a common reference implementation of poor web application design, and one of the most popular and useful destinations in the history of the Internet. This is paradoxical to technical professionals, and the security set seems to be suffering a serious bout of cognitive dissonance on this point. Kids (12 to 24 year olds) are learning their Internet habits on Myspace -- that means cleartext authentication, random errors and re-logins, mysterious loss of data nad privileges, and easy XSS-enabled session hijacking are pretty much the sum total of their day-to-day experience.
We, as a defense industry and as a force for good, should be doing so much more to help them understand, even a little bit, what Good Security looks like. That's what MOMBY is all about.
Also, we really, really
hate the other Months of Bugs, run by self-obsessed security douches all. And that
is really what MOMBY is all about.
Also, we are ourselves self-obsessed security douches. And THAT
is what MOMBY is all about.