by special guest advisory author, teh_commodore
n00bz: ******* LOLz: ******* 0wnz: .0375
Just like all other bugs posted so far, this one relies on the user almost voluntarily revealing their authentication credentials. Troll livejournal accounts, and look for someone's authentication credentials. This may be in the form of a screenshot of some supposed hack or bug.
From here, type in the user's credentials at Myspace and there you have it. Sub-bug: Myspace doesn't send out an e-mail to the user when their password is changed. You can do it all right there without any further intrusion necessary.
This is the account set up by the MOMBY boys for their previous advisory. Don't believe me? Look here.
Screenshot Numero 00000010: http://pics.livejournal.com/teh_commodore/pic/00003z77
Unfortunately, once the user recovers his or her password, which will be the one you changed it to, they can regain control of their account. No worries though, if you can get to their e-mail account via the previous bug, you can change the e-mail account to which the myspace account is tied. This moves the 0wnz up to **.
To further specify the flaw, the real account hack comes with changing the e-mail address tied to the account you now have temporary control over. This changes temporary control to permanent, at least until the user gets the Myspace secret police involved (more on this later). To change the e-mail address, Myspace requires you to enter a randomly (?) generated code that was e-mailed to your current e-mail account.
If this e-mail is also intercepted, the attacker can now change the e-mail address of the account to their own e-mail address. This means full account access and relatively permanent control.
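The two gaps above (no notification on a password change, and an e-mail change that rests entirely on one code delivered to the current inbox) are easier to see against a small model of the account flow. This is an added example, not Myspace's code or anything from the MOMBY post: it assumes a hypothetical account record with an in-memory outbox standing in for e-mail, an unguessable single-use confirmation code that expires (15 minutes is an assumed value) and is bound to the specific new address that was requested, and a notification sent to the old address on both events so the owner learns of the change even when one inbox has been compromised.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 15 * 60  # assumption: a confirmation code lives 15 minutes


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    # Constructed stand-in for an outbound mail queue: (recipient, message)
    notifications: list = field(default_factory=list)
    pending_email_change: Optional[dict] = None


def change_password(acct: Account, new_password_hash: str) -> None:
    """Update the password and tell the owner it happened (the sub-bug on this
    page is that no such message is sent)."""
    acct.password_hash = new_password_hash
    acct.notifications.append((acct.email, "password-changed"))


def request_email_change(acct: Account, new_email: str, now: float) -> str:
    """Issue a random code to the CURRENT address, tied to the requested new
    address and to an expiry time. Returns the code only so the test can use it."""
    code = secrets.token_urlsafe(16)  # cryptographically random, not guessable
    acct.pending_email_change = {
        "code": code,
        "new_email": new_email,
        "expires": now + CODE_TTL_SECONDS,
    }
    acct.notifications.append((acct.email, f"confirm-email-change:{code}"))
    return code


def confirm_email_change(acct: Account, code: str, new_email: str, now: float) -> bool:
    """Apply the change only if the code matches, is unexpired, is for the same
    new address, and has not been used before; notify the OLD address afterwards."""
    pending = acct.pending_email_change
    if pending is None or now > pending["expires"]:
        return False
    if not secrets.compare_digest(code, pending["code"]):
        return False
    if new_email != pending["new_email"]:
        return False
    old_email = acct.email
    acct.email = new_email
    acct.pending_email_change = None  # single use
    acct.notifications.append((old_email, f"email-changed-to:{new_email}"))
    return True


if __name__ == "__main__":
    acct = Account("demo", "owner@example.test", "hash0")
    change_password(acct, "hash1")
    code = request_email_change(acct, "new@example.test", now=1000.0)
    print(confirm_email_change(acct, code, "new@example.test", now=1100.0))
    print(acct.notifications)
```

The notification to the old address is the piece that limits the "relatively permanent control" described above: even if the attacker reads the confirmation code from a compromised inbox, the owner's previous address still receives a record of the change, and the code cannot be replayed or redirected to a different new address.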
Now to the Myspace response to stolen accounts. In order to return control of someone's account back to them, Myspace requires a "salute" from the person whose account was stolen. A salute is a picture of that person holding a sign with the friend ID on it.
I'm not clear what happens with the salute, or how it helps anything, but I do have a guess. The only thing that makes sense is if they plan to match the face in the "salute" to the pictures posted on the target account. If that's the case, then all one would have to do is delete all pictures of the target from the account. This is all speculation.
This is, of course, unless the changes are "obviously cruel/false," in which case Myspace at least suggests that they will move faster, and without the need of a "salute".
Point is, once an attacker has complete control of someone's account, via linking the account to their e-mail instead of the original user's, the entire process required for the user to regain control is very long and arduous. So an attacker could have the fake account for several days/weeks before anything is done.
MOMBY Addendum: Thanks for the excellent writeup, Teh_Commodore! Hope you don't mind that we mashed up the two posts together and altered the title a bit (yours was a little long). Since you went to all this effort to prove how lame we are, we felt that we should promote this to a proper journal entry. Again, thanks for your hard work! You showed us!
Bonus Bug: In addition to teh_commodore's bug, we'd like to also disclose a form-based XSS at http://signup.myspace.com/index.cfm?fuseaction=comedianJoin.step1verify, which is the POST action for the http://signup.myspace.com/index.cfm?fuseaction=comedianJoin web application. The "password" and "passwordConfirm" variables do not apply any filtering to HTML elements, including <script> tags. This is easily demonstrated by entering ">0wned as a password. Screenshot: http://pics.livejournal.com/momby/pic/0000fpb3. Credit for this goes to MustLive. Bonus 0wnz: +2 stars.
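The bonus bug is the textbook reflected-input case: the submitted password is echoed back into an HTML attribute with no filtering, so the page's `">0wned` input closes the attribute and the tag early. The following is an added example, not MOMBY's or Myspace's code (the real endpoint is ColdFusion; this is Python), showing the unfiltered rendering beside the escaped one and using the standard-library HTML parser to check whether the value stayed inside the attribute. The template and field names are assumptions modelled on the page's "passwordConfirm" parameter.

```python
import html
from html.parser import HTMLParser

# Assumed shape of the form field that echoes the submitted value back
TEMPLATE = '<input type="password" name="passwordConfirm" value="{value}">'


def render_unescaped(value: str) -> str:
    """Vulnerable form: user input is spliced straight into the attribute,
    which is the behaviour the page describes for the Myspace signup form."""
    return TEMPLATE.format(value=value)


def render_escaped(value: str) -> str:
    """Hardened form: &, <, >, " and ' are converted to character references,
    so the value can never terminate the attribute or the tag."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class _Probe(HTMLParser):
    """Collects the <input> tag's attributes and any text that leaked outside it."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

    def handle_data(self, data):
        self.text += data


def parse_input(rendered: str):
    """Return (value attribute as the browser would see it, stray text after the tag)."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return probe.attrs.get("value"), probe.text


if __name__ == "__main__":
    payload = '">0wned'  # the page's own test string
    print(render_unescaped(payload), parse_input(render_unescaped(payload)))
    print(render_escaped(payload), parse_input(render_escaped(payload)))
```

With the unescaped template the parser sees an empty `value=""` followed by stray text, which is exactly the break-out the screenshot demonstrates; with the escaped template the full string comes back as the attribute value and nothing leaks into the document. The same escaping is needed for every reflected parameter on the form, not only the two named on the page.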