Myspace private profiles still open to SIMPLE URL vulnerability
On August 18 2006 a post was made at our website explaining how easy it was to access comments and photos on Myspace profiles set to "private". This vulnerability had apparently been known by the "Myspace underground" for some time, but had not been addressed by the Myspace security people. On August 26, this vulnerability was made public on Digg.com and suddenly the whole world new about it. Once in the spotlight, Myspace band-aided this hole in less than 24 hours (See This Post)
IT'S STILL BROKE AND YOU MIGHT WANT TO GET IT FIXED
From the moment this backdoor was closed, there were posts on Digg.com and our main website hinting that there were still vulnerabilities on Myspace that would allow anyone to view photos on profiles set to 'private'. I was ready to blab these new vulnerabilities to the world, but I had not actually seen one in action yet.
Well.. Today yet another member of GrownUpGeek.com posted how to use a modified URL that will allow ANYBODY to view pictures on profiles set to private. I've seen it in action and can vouch that it's real. This second vulnerability is very similar to the one published on August 18, but this one only works for private photos (sorry, doesn't work for private comments).
So let this be an open letter to the Myspace security gurus:
I'm not going to publish the vulnerability here... YET (gotta give those Myspace guys a chance to fix it.. right?) But it's out there, and it's in use - and if history serves as a guide, this vulnerability may not be fixed until it hits Digg.com or CNN (but I bet you won't hear about it on FOX news..)
Mr. Murdoch, if you need help finding the vulnerability, just post a comment here or send me an email. :-)
1) Unless you're Rupert Murdoch (or one of his minions) I'm not going to email you the code! Based on postings i've seen by members at the forums area of our website, it IS out there at other sites.
2) in response to this comment:
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
The code WAS published on our main website by a member - We then UNpublished the code to give Myspace a chance to fix it (we are trying to be responsible netizens). Based on what I've read in our forums the code IS published at other websites.. The reason for the link to the blog was so everyone could read that the exploit is out there. Upon reflection, we will update the text in the link to avoid further confusion.
Well, it looks like Myspace has closed this particular security hole sometime in the last day or two. This latest hole, which worked using a variation of "http://mail.myspace.com....." would allow photos on private profiles to be viewed in Firefox after repeatedly refreshing the page.
So that's it boys and girls, it looks like the fun is over! ..until the next vulnerability....
Labels: Myspace, The Site