The Blog That Is No More
This Blog has moved to http://www.success.grownupgeek.com
Tuesday, August 29, 2006
  Myspace private profiles still open to SIMPLE URL vulnerability

On August 18, 2006, a post was made at our website explaining how easy it was to access comments and photos on Myspace profiles set to "private". This vulnerability had apparently been known to the "Myspace underground" for some time, but had not been addressed by the Myspace security people. On August 26, this vulnerability was made public on Digg.com and suddenly the whole world knew about it. Once in the spotlight, Myspace band-aided this hole in less than 24 hours (See This Post).

From the moment this backdoor was closed, there were posts on Digg.com and our main website hinting that there were still vulnerabilities on Myspace that would allow anyone to view photos on profiles set to 'private'. I was ready to blab these new vulnerabilities to the world, but I had not actually seen one in action yet.

Well.. today yet another member of GrownUpGeek.com posted how to use a modified URL that will allow ANYBODY to view pictures on profiles set to private. I've seen it in action and can vouch that it's real. This second vulnerability is very similar to the one published on August 18, but this one only works for private photos (sorry, it doesn't work for private comments).

So let this be an open letter to the Myspace security gurus:

IT'S STILL BROKE AND YOU MIGHT WANT TO GET IT FIXED


I'm not going to publish the vulnerability here... YET (gotta give those Myspace guys a chance to fix it.. right?). But it's out there, and it's in use, and if history serves as a guide, this vulnerability may not be fixed until it hits Digg.com or CNN (but I bet you won't hear about it on FOX news..).

Mr. Murdoch, if you need help finding the vulnerability, just post a comment here or send me an email. :-)

UPDATE: 8/30/06
1) Unless you're Rupert Murdoch (or one of his minions) I'm not going to email you the code! Based on postings I've seen by members at the forums area of our website, it IS out there at other sites.

2) In response to this comment:
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
The code WAS published on our main website by a member. We then UNpublished the code to give Myspace a chance to fix it (we are trying to be responsible netizens). Based on what I've read in our forums, the code IS published at other websites. The reason for the link to the blog was so everyone could read that the exploit is out there. Upon reflection, we will update the text in the link to avoid further confusion.

UPDATE: 8/31/06
Well, it looks like Myspace has closed this particular security hole sometime in the last day or two. This latest hole, which worked using a variation of "http://mail.myspace.com....." (an alternate Myspace host serving the same photos), would allow photos on private profiles to be viewed in Firefox after repeatedly refreshing the page.

So that's it boys and girls, it looks like the fun is over! ..until the next vulnerability....
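The bug class behind both holes is an authorization check that lives in the main profile page but not in every other host that can serve the same photos. The following is an added example, not Myspace's code and not from the original post; it assumes a simplified layout with a `www` handler and a `mail` handler over one shared profile store, and shows the fix of moving the privacy check into the shared photo service plus a regression audit over all entry points.

```python
# Added example: privacy check per host (vulnerable) vs. in the shared service (fixed).
# Profile/host layout is a constructed assumption, not Myspace's real architecture.
from dataclasses import dataclass, field

@dataclass
class Profile:
    user_id: int
    private: bool
    friends: set = field(default_factory=set)
    photos: dict = field(default_factory=dict)

# Constructed sample data: user 42 is private with one friend (7), user 43 is public.
PROFILES = {
    42: Profile(42, private=True, friends={7}, photos={1: "photo-42-1.jpg"}),
    43: Profile(43, private=False, photos={1: "photo-43-1.jpg"}),
}

def may_view(viewer_id, owner):
    """Central policy: public profiles are open; private ones only to owner and friends."""
    return (not owner.private) or viewer_id == owner.user_id or viewer_id in owner.friends

# --- vulnerable layout: each host is responsible for its own check ---
def www_photo_vulnerable(viewer_id, owner_id, photo_id):
    owner = PROFILES[owner_id]
    if not may_view(viewer_id, owner):      # www host remembers the check...
        return None
    return owner.photos.get(photo_id)

def mail_photo_vulnerable(viewer_id, owner_id, photo_id):
    # ...but the alternate host reuses the lookup and never consults the privacy flag
    return PROFILES[owner_id].photos.get(photo_id)

# --- hardened layout: every host goes through one service that enforces the policy ---
def photo_service(viewer_id, owner_id, photo_id):
    owner = PROFILES.get(owner_id)
    if owner is None or not may_view(viewer_id, owner):
        return None                          # unknown owner and denied viewer look identical
    return owner.photos.get(photo_id)

def www_photo_fixed(viewer_id, owner_id, photo_id):
    return photo_service(viewer_id, owner_id, photo_id)

def mail_photo_fixed(viewer_id, owner_id, photo_id):
    return photo_service(viewer_id, owner_id, photo_id)

def audit_entry_points(handlers, owner_id=42, photo_id=1, stranger_id=99):
    """Regression check: names of handlers that serve a private photo to a stranger."""
    return [name for name, h in handlers.items()
            if h(stranger_id, owner_id, photo_id) is not None]
```

Running `audit_entry_points` over every host that can return a photo is the check that would have flagged the second hole before it reached Digg.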


Comments:
Can you send me it: crkg4@yahoo.com
 
post the damn url, don't be a pussy.
 
hey there, can u send me the new code please. my man is cheating! THANKS!
rissa0606@yahoo.com
 
can u send me the new code please!!!! My man is cheatin! thanks

rissa0606@yahoo.com
 
please send it to buddyboy2006@gmail.com.

thanks.
 
can u send me the code please?
pinkbsk@hotmail.com

thanks!
 
can you please send me the code? Thanks.

LSmith25504@yahoo.com
 
Exploit here, if you would. runtime@zemitec.co.uk . Thanks.
 
send me the code
candyknot@yahoo.com
 
Is there a good possibility i can get the code...

email mashka_f1@yahoo.com

thank you :)
 
please send it to me volcanoss@gmail.com
 
hi, can you sent a copy to csretro23@yahoo.com
 
Send me the link please. My email is LA_Virus_2003@yahoo.com
 
Can I have it too? Thanks:

ciclope70@yahoo.com.mx
 
can you send me the code please to pinkbsk@hotmail.com

Thanks!
 
Why does your webpage have a link saying "New private profile hole published" linking only to this blog post? You have NOT published it...yet. Quite misleading.
 
can i get the code Ro1460gc@yahoo.com
 
This comment has been removed by a blog administrator.
 
C'mon guys, he said right in the article that he's NOT giving you the code. Posting your email only opens you up to spam and flaming.

And if your man really IS cheating, then why don't you ask him about it? You certainly don't need this exploit to do that...
 
Hmm...this should be fun :D

let those myspacers sweat it out for a while.

but hopefully you'll update, soon !!
 
code? rycearooney@yahoo.com?
 
all the ways seem to have been patched up so if you have another way besides using their "other servers" such as: search, classifieds, signout, groups, editprofile, events, invite, mail, and favorites... and it works, let's see it.

the only one i know that is fully working with no problem at all, is the one that shows their friends.
 
could you please send me the code ?

supaflymasta@gmail.com
 
oh oh. me too. I need code very badly. icantbelieveyouidiotsarepostingyouremailaddressesinaforum@seriously.com
 
can you send the code to me?

supaflymasta@gmail.com
 
Gilly_Rebollar@hotmail.com...please send me the code asap...
 
Never mind, that email doesn't work... grebel12@aol.com is the working one, thanks...
 
Can i see the code? Tailstoo2000@yahoo.com
 
can you send me the code?

pocketz85@yahoo.com
 
Hey can you please send me the code if it works still. I am doing some investigating on my fiance. Lindengirl1845@yahoo.com
 
i just realized something myspace did, which is pretty much stupid (yea, i was the one that wrote a previous comment about all the other myspace servers not working either) but Myspace's link to your profile under your default image "view: pictures | comments" they actually HAVE those links collect.myspace.com/user/etc.. and editprofile.myspace.com/ etc do them. it basically leads to a blank page, right? So what to do? everyyyyyyone of you all can act like you NEVER heard of this little "hack" (cause if they knew that YOU knew, why would they want to go on to allow it right?) and email myspace (customercare@myspace.com) and complain to them that the link to the user's view more pictures under the default isn't working. provide them with a link, tell them to get that url fixed. LMAO! Just maybe, if they fall for it.. they will get it fixed and it can be allowed again.. who knows! =P
 
Z0/\/\G! W3 A11 /\/33D 743 {0D3!!!111

-----------

Apparently many of these people are entirely illiterate and haven't the slightest clue as to what the word 'NOT' means.

FIGURE IT OUT FOR YOURSELVES IF YOU NEED IT SO BADLY!
 
Please send it to me if you can! coachkenf@hotmail.com
 
can i please get this send to me please hvc_villalobos@yahoo.com
 
Can you please send me the code please, I want to check if my fiancee cheats on me. I beg u, here is my email u can send the code to me: "VampAloha_83@hotmail.com"
 
o0o please e-mail it 2 me @ colombianchikis@yahoo.com
thanx
 
can you email me the code? stormy5164@yahoo.com thanx! ;)
 
can I have it please?
bnl3@nau.edu
 
send it to me at
samantha_elyk@yahoo.com
 
can u please send me the code to view private profiles and pictures at
brownsugaaa18@hotmail.com
 
I can make a fortune collecting and selling everyone's valid email address that you're all so eager to post up.
 
ahahahahahahahahahahahahaha
u go person above me!!!
 
wow. look at ALL them email addresses yall are a web spiders best friend..lmao
 
*copy and paste*.... *spams penis enlargement emails to all of the above*
 