Advisory MOMBY-00000101: Myspace Pics Authentication Bypass

Each Myspace profile has a "Pics" section where users may upload pictures, typically of themselves and their outrageous hair-dos. Clicking on the "Pics" URL of a member profile will take the user to the URL http://viewmorepics.myspace.com/index.cfm?fuseaction=user.viewPicture&friendID=XXXX, where "XXXX" is the FriendID of the user. At this point, viewmorepics.myspace.com checks to see if a valid MYUSERINFO cookie is set; if not, the user is redirected (via a 302 Object Moved response) to the login page.

This redirect, of course, sucks for people who don't want to give up their e-mail address in order to view some lousy snapshots of their ex-girlfriend and her new boyfriend.

So, instead, MOMBY suggests an alternate URL for the "Pics" list: http://myspace.com/services/media/photosXML.ashx?friendid=XXXX. This displays the underlying XML of the user's "Pics" set, as shown in the screenshot below. From there, it's trivial to view all the pictures, all without logging in and getting snagged by some "Myspace Tracker," which is apparently what the kids are now calling "information disclosure XSS exploits."

Screenshot: http://pics.livejournal.com/momby/pic/00007a5r

Note, the correct FriendID can be determined by simply hovering over the "Pics" link and noting the target displayed in the browser status bar.
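As an added illustration of the bug class described above (constructed here, not MOMBY's or Myspace's code): a toy two-route app where the cookie check lives inside one handler only, beside a hardened dispatcher that applies the check to every route serving the same resource. The route paths mirror the advisory; the photo data, the cookie value, and the handler names are made up.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for one profile's "Pics" set (not Myspace data).
PHOTOS = {"1001": ["hair1.jpg", "hair2.jpg"]}
LOGIN_URL = "/login"

@dataclass
class Request:
    path: str
    query: dict
    cookies: dict = field(default_factory=dict)

def has_valid_session(req):
    # Stand-in for the MYUSERINFO check; a real app would verify a signed session token.
    return req.cookies.get("MYUSERINFO") == "valid-session"

def render_pics(friend_id):
    # Shared data access: both routes ultimately serve this same resource.
    pics = PHOTOS.get(friend_id, [])
    return "<pics>" + "".join(f"<pic>{p}</pic>" for p in pics) + "</pics>"

def view_picture(req):
    # HTML route: redirects to login when the cookie is absent (the 302 the advisory describes).
    if not has_valid_session(req):
        return 302, LOGIN_URL
    return 200, render_pics(req.query.get("friendID", ""))

def photos_xml(req):
    # Alternate route to the same data. The check was written into view_picture, so it is
    # simply missing here: an unauthenticated caller gets the full list.
    return 200, render_pics(req.query.get("friendid", ""))

ROUTES = {"/index.cfm": view_picture, "/services/media/photosXML.ashx": photos_xml}

def vulnerable_app(req):
    # Per-handler authorization: every new route must remember to add the check itself.
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "")

# Hardened form: the decision is made once, by resource, before any handler runs,
# so an extra path to the same data cannot silently skip it.
PROTECTED_PATHS = set(ROUTES)

def hardened_app(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, ""
    if req.path in PROTECTED_PATHS and not has_valid_session(req):
        return 302, LOGIN_URL
    return handler(req)
```

A quick way to catch this class during review is to list every route that reaches the same data-access function and confirm the authorization decision is made before dispatch, not inside individual handlers.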

Credit: AwEsOmE AnDrEw, who was thoughtful enough to package this up in an easy to use format, the Lame Myspace Picture Raper, here: http://www.awesomeandrew.net/downloads/lmpraper.zip. This is a VBScript application, which means that "Internet Explorer" has to be in your personal set of "easy to use" things.

Why This Lame Bug: We thought we posted a bug for today, but then remembered: that wasn't bug-posting, that was beer and whiskey shooters since 3pm! Dammit! And that would explain why every lamp in the apartment is broken, and that explains why I'm typing this in the dark while Mustachio is passed out, fairly precariously, on the balcony!

So, we kinda needed an easy one. Plus, you people don't appear to actually appreciate the good bugs. You "oo" and "ah" over them, but where's the press? "Month of MySpace bugs starts with a dud" is the last we've heard. No follow-up headline of "MOMBY Kicks Ass With Insightful XSS Explanations" to be seen? Fine, fuckers. Have it your way. We have plenty of "duds" left, if that's what you want.

And we've been drinking. Just as soon as we sober up, we're going to find that Jeremy Kirk guy and tell him what-for.

Tags: auth-bypass, drunken rage
