The Blog That Is No More
This Blog has moved to http://www.success.grownupgeek.comTuesday, August 29, 2006
Myspace private profiles still open to SIMPLE URL vulnerability
IT'S STILL BROKE AND YOU MIGHT WANT TO GET IT FIXED
I'm not going to publish the vulnerability here... YET (gotta give those Myspace guys a chance to fix it.. right?) But it's out there, and it's in use - and if history serves as a guide, this vulnerability may not be fixed until it hits Digg.com or CNN (but I bet you won't hear about it on FOX news..)
Mr. Murdoch, if you need help finding the vulnerability, just post a comment here or send me an email. :-)
UPDATE: 8/30/06
1) Unless you're Rupert Murdoch (or one of his minions) I'm not going to email you the code! Based on postings i've seen by members at the forums area of our website, it IS out there at other sites.
2) in response to this comment:
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
The code WAS published on our main website by a member - We then UNpublished the code to give Myspace a chance to fix it (we are trying to be responsible netizens). Based on what I've read in our forums the code IS published at other websites.. The reason for the link to the blog was so everyone could read that the exploit is out there. Upon reflection, we will update the text in the link to avoid further confusion.
UPDATE: 8/31/06
Well, it looks like Myspace has closed this particular security hole sometime in the last day or two. This latest hole, which worked using a variation of "http://mail.myspace.com....." would allow photos on private profiles to be viewed in Firefox after repeatedly refreshing the page.
So that's it boys and girls, it looks like the fun is over! ..until the next vulnerability....
¶ 8:35 PM
On August 18 2006 a post was made at our website explaining how easy it was to access comments and photos on Myspace profiles set to "private". This vulnerability had apparently been known by the "Myspace underground" for some time, but had not been addressed by the Myspace security people. On August 26, this vulnerability was made public on Digg.com and suddenly the whole world new about it. Once in the spotlight, Myspace band-aided this hole in less than 24 hours (See This Post)
From the moment this backdoor was closed, there were posts on Digg.com and our main website hinting that there were still vulnerabilities on Myspace that would allow anyone to view photos on profiles set to 'private'. I was ready to blab these new vulnerabilities to the world, but I had not actually seen one in action yet.
Well.. Today yet another member of GrownUpGeek.com posted how to use a modified URL that will allow ANYBODY to view pictures on profiles set to private. I've seen it in action and can vouch that it's real. This second vulnerability is very similar to the one published on August 18, but this one only works for private photos (sorry, doesn't work for private comments).
So let this be an open letter to the Myspace security gurus:
I'm not going to publish the vulnerability here... YET (gotta give those Myspace guys a chance to fix it.. right?) But it's out there, and it's in use - and if history serves as a guide, this vulnerability may not be fixed until it hits Digg.com or CNN (but I bet you won't hear about it on FOX news..)
Mr. Murdoch, if you need help finding the vulnerability, just post a comment here or send me an email. :-)
UPDATE: 8/30/06
1) Unless you're Rupert Murdoch (or one of his minions) I'm not going to email you the code! Based on postings i've seen by members at the forums area of our website, it IS out there at other sites.
2) in response to this comment:
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
The code WAS published on our main website by a member - We then UNpublished the code to give Myspace a chance to fix it (we are trying to be responsible netizens). Based on what I've read in our forums the code IS published at other websites.. The reason for the link to the blog was so everyone could read that the exploit is out there. Upon reflection, we will update the text in the link to avoid further confusion.
UPDATE: 8/31/06
Well, it looks like Myspace has closed this particular security hole sometime in the last day or two. This latest hole, which worked using a variation of "http://mail.myspace.com....." would allow photos on private profiles to be viewed in Firefox after repeatedly refreshing the page.
So that's it boys and girls, it looks like the fun is over! ..until the next vulnerability....
¶ 8:35 PM
Comments:
<< Home
hey there, can u send me the new code please. my man is cheating! THANKS!
rissa0606@yahoo.com
rissa0606@yahoo.com
# posted by 
: 7:03 AM
: 7:03 AM
can u send me the new code please!!!! My man is cheatin! thanks
rissa0606@yahoo.com
rissa0606@yahoo.com
# posted by : 7:05 AM
: 7:05 AM
Is there a good possibility i can get the code...
email mashka_f1@yahoo.com
thank you :)
email mashka_f1@yahoo.com
thank you :)
# posted by : 1:43 PM
: 1:43 PM
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
# posted by : 7:04 PM
: 7:04 PM
C'mon guys, he said right in the article that he's NOT giving you the code. Posting your email only opens you up to spam and flaming.
And if your man really IS cheating, then why don't you ask him about it? You certainly don't need this exploit to do that...
And if your man really IS cheating, then why don't you ask him about it? You certainly don't need this exploit to do that...
# posted by : 11:44 PM
: 11:44 PM
Hmm...this should be fun :D
let those myspacers sweat it out for a while.
but hopefully you'll update, soon !!
let those myspacers sweat it out for a while.
but hopefully you'll update, soon !!
# posted by : 12:51 AM
: 12:51 AM
all the ways seem to have been patched up so if you have another way besides using their "other servers" such as: search, classifieds, signout, groups, editprofile, events, invite, mail, and favorites... and it works, let's see it.
the only one i know that is fully working with no problem at all, is the one that shows their friends.
the only one i know that is fully working with no problem at all, is the one that shows their friends.
# posted by : 3:40 AM
: 3:40 AM
oh oh. me too. I need code very badly. icantbelieveyouidiotsarepostingyouremailaddressesinaforum@seriously.com
# posted by : 3:04 PM
: 3:04 PM
Nevermind that email doesnt work...grebel12@aol.com is the working one thanks...
# posted by : 5:59 PM
: 5:59 PM
Hey can you please send me the code if it works still. I am doing some investigating on my fiance. Lindengirl1845@yahoo.com
# posted by : 11:22 PM
: 11:22 PM
i just realized something myspace did, which is pretty much stupid (yea, i was the one that wrote a previous comment about all the other myspace servers not working either) but myspaces link to your profile under your default image "view: pictures | comments" they actually HAVE those links collect.myspace.com/user/etc.. and editprofile.myspace.com/ etc do them. it basically it leads to a blank page, right? So what to do? everyyyyyyone of you all can act like you NEVER heard of this little "hack" (cause if they knew that YOU knew, why would they want to go on to allow it right?) and email myspace (customercare@myspace.com) and complain to them that the link to the users view more picture under the default isn't working. provide them with a link, tell them to get that url fixed. LMAO! Just maybe, if they fall for it.. they will get it fixed and it can be allowed again.. who knows! =P
# posted by : 12:12 AM
: 12:12 AM
Z0/\/\G! W3 A11 /\/33D 743 {0D3!!!111
-----------
Apparently many of these people are entirely illiterate and haven't the slightest clue as to what the word 'NOT' means.
FIGURE IT OUT FOR YOURSELVES IF YOU NEED IT SO BADLY!
-----------
Apparently many of these people are entirely illiterate and haven't the slightest clue as to what the word 'NOT' means.
FIGURE IT OUT FOR YOURSELVES IF YOU NEED IT SO BADLY!
# posted by : 9:37 AM
: 9:37 AM
Can you please send me code please I want to check if my fincee cheat on me. I beg u here my email u can send code for me "VampAloha_83@hotmail.com"
# posted by : 2:43 PM
: 2:43 PM
can u please send me the code to view private profiles and pictures at
brownsugaaa18@hotmail.com
brownsugaaa18@hotmail.com
# posted by : 7:48 PM
: 7:48 PM
I can make a fortune collecting and selling everyones valid email addreess that you're all so eager to post up.
# posted by : 4:15 PM
: 4:15 PM
wow. look at ALL them email addresses yall are a web spiders best friend..lmao
Post a Comment
# posted by : 10:57 PM
: 10:57 PMSubscribe to Post Comments [Atom]
<< Home