Two Hackers Plan to Disclose MySpace Vulnerabilities

Two hackers have initiated a campaign to highlight MySpace vulnerabilities. This campaign hopes to make a greater splash than the January month of Apple bugs. The hackers admitted that the campaign started off rather slowly.

The hackers named Mondo Armando and Mustaschio stumbled on the vulnerabilities when they selected MySpace to carry out their project because the site has a large number of visitors. They said they had informed MySpace about their project. TECHWORLD published the hackers' statement on April 2, 2007.

The hackers said that during the next few weeks, they would disclose a number of bugs including cross-site scripting (XSS) flaws and others that allow unauthorized access to profiles of the site users.

At the start of the initiative the couple used a popular vulnerability that reflected the very characteristics of MySpace. Users could use cascading style sheet (CSS) language to edit their profiles as well as customize its URL. This could allow hackers to create profiles resembling the site's login page and use a seemingly authentic URL to dupe users into divulging their credentials.

On April 2, 2007 the hackers uncovered vulnerability within the "cms.goto" application featuring on "profile.myspace.com". It occurs due to the absence of input-validation and that can cause an XSS assault.

CTO of WhiteHat Security, Jeremiah Grossman told SCMagazine.com on April 2, 2007 that the project underscored the flaw of a large number of sites displaying on the World Wide Web. In any case, hackers would tend to exploit MySpace vulnerabilities, as there are 130 million members on the site. Hackers frequently target MySpace, as by hacking a single account it could help to access numerous other users' accounts that they could infect with malware or attack with spam.

In December last, the MySpace, the site drawing the fifth most traffic, carried an Apple patch after a cross-site scripting worm attacked it. The bug exploited the JavaScript functionality within QuickTime player that many site visitors use to play videos on the pages hosting their profiles. Understandably, the objective of the assault was to capture login details and entice users to visit a pornographic site containing spyware.

Related article: THE SPAM MAFIA

» SPAMfighter News - 4/10/2007