Patch/Configuration Management, Vulnerability Management

Month of MySpace bugs kicks off

Two hackers on Sunday began their planned month of MySpace bugs project that is expected to reveal 30 vulnerabilities this month that affect the popular social networking site.

The pair, known only as Mondo Armando and Mustachio, said on their LiveJournal site Saturday that they plan to notify MySpace of each bug prior to publication, but they were not hopeful security officials would respond.

"We are not working with MySpace, although we would be happy to," the hackers said, adding they are using the month to highlight the dangers of sites similar to MySpace that have "users of various levels of sophistication."

Over the next few weeks, the hackers said they plan to reveal a variety of bugs, including flaws for cross-site scripting (XSS) attacks or ones that permit unauthorized access to user profiles.

The pair kicked off the initiative with a well-known vulnerability that speaks to very nature of MySpace. Users can edit their profiles using cascading style sheet (CSS) language and customize their profile URLs. That means hackers conceivably can create the profiles to resemble the MySpace login page and use a legitimate-sounding URL to trick users into giving up their credentials.

"It’s a pretty light one, seeing how today is Sunday, and we don’t really expect the crazy MySpace Security Squad to actually do a lot of code changes on Sunday," the hackers said sarcastically.

Today the pair disclosed a vulnerability on the "cms.goto" application of "profile.myspace.com." that is caused by a lack of input validation and can lead to an XSS attack.

A MySpace spokesperson could not immediately be reached for comment.

Jeremiah Grossman, CTO of WhiteHat Security, told SCMagazine.com today that the project underscores the vulnerability of most sites on the web. However, hackers are more likely to target MySpace flaws because the site has more than 130 million members.

"It's just a popular target," he said. "Nothing's necessarily more susceptible about it."

The undertaking is interesting because it focuses on a particular site, not a product or a system component as similar month-long projects have done, Grossman said.

"The popular websites out there are going to have to deal with disclosure just like the Microsoft and Oracles of the world," he said.

MySpace is no stranger to malicious users. In December, the site – the fifth most trafficked web destination, according to Alexa – hosted a patch for Apple after MySpace was hit by a cross-site scripting worm, which took advantage of JavaScript functionality in the QuickTime player used by many users to run videos on their profile pages. The goal of the attack was to steal login credentials and lure users to a pornographic site hosting spyware.

And over the summer, the site suffered from flawed banner ads that hosted the Windows metafile vulnerability, permitting drive-by downloads.

Click here to email reporter Dan Kaplan.

Looking for a new job? SCMagazine.com has the latest IT security. Click here for our jobs page.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.