Hacking MySpace AfterMath: Code, Explanations and Prevention

By Angsuman Chakraborty, Gaea News Network
Tuesday, October 18, 2005

Update: You may also want to look at: MySpace Hack: How To View Any User's Private Videos.

Recently Samy [samy at namb dot la] released a worm ["Samy worm" or "JS.Spacehero worm"] on MySpace, a popular social networking platform similar to Friendster. It caused him to be added as a hero to the profiles of millions of MySpace users ("but most of all, samy is my hero.") and added him as their friend, all without their explicit permission.

Once the worm had flooded the network, MySpace stepped in and closed the hole. Samy is still listed as a "hero" in the profiles of millions of MySpace users.

The purpose of this article is to highlight the security issues this worm exposed. They are by no means limited to MySpace: the worm propagated not so much because of a fault in MySpace as because of browser behaviour like Internet Explorer's, and the same flaw is waiting to be exploited in other web applications of a similar nature, such as Ryze or LinkedIn. In the remainder of this article I summarize the modus operandi of his script and suggest ways to protect your web application against such attacks.

Samy used AJAX to add himself as a friend and hero whenever a user visited his page. That requires JavaScript to execute in the visitor's browser, and it is that script which does the dirty work.

MySpace dutifully strips JavaScript from the HTML users submit (which becomes their profile). However, Samy disguised the word "javascript" with an embedded newline: "java\nscript".

MySpace does not allow script tags, so he embedded his JavaScript in CSS instead: style="background:url('javascript:eval(document.all.mycode.expr)')"

AJAX can fetch documents only from the same domain (or sub-domain). So if the visitor was on profile.myspace.com, he redirected them to www.myspace.com, which serves the same information but also allows the friend request to be made:
if (location.hostname == 'profile.myspace.com') document.location = 'https://www.myspace.com' + location.pathname + location.search;

After overcoming a trivial hash issue he adds his code and the text "but most of all, samy is my hero." to the visitor's profile. This causes the worm to propagate not only when users visit his page but also when they visit the profile of any infected user. Yes, simple exponential spreading.

Samy published detailed notes and code for his exploit after MySpace had filtered and stopped it.

How can you protect your web application from such attacks?
First and foremost, I assume you already have filtering in place, as MySpace did, removing script tags, the word "javascript" and so on. Obviously that is not enough; not even close.
Your filter should be intelligent enough to recognise keywords that have been split by newlines, as shown above.

Other users' profiles (or any user-supplied HTML content) should be viewable only from a separate sub-domain.

Any action such as adding a link, friend or connection must be performed from pages that can never contain another user's code. If you provide a link to add someone as a friend while viewing their profile, then clicking it should take the user to a separate page where they can edit information about the new friend and confirm the addition. That page must contain no HTML content from the user being added.

In essence, we need to capitalize on the same-origin policy behind AJAX, which prevents script served from one site from making requests to a different one.
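As an added example (not code from the article, from Samy or from MySpace), here is a naive keyword filter beside a normalizing one, run over constructed profile fragments that use the two evasions described above: the newline inside "javascript" and the javascript: URL hidden in a style attribute. The hardened filter assumes that whitespace and control characters should be collapsed before matching, since that is how the browsers of the time treated them inside a URL scheme.

```javascript
// Added example, not from the article or MySpace: a naive keyword filter
// beside a normalizing one, run over constructed profile fragments that use
// the two evasions the article describes (a newline inside "javascript"
// and a javascript: URL hidden in a style attribute).

// Naive filter: only the contiguous word "javascript" is flagged.
function naiveFilterFlags(html) {
  return /javascript/i.test(html);
}

// Browsers of the time ignored whitespace and control characters inside a URL
// scheme, so the filter must compare against the same collapsed form.
function normalize(s) {
  return s.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
}

// Hardened filter: flag the scheme in its collapsed form, and reject any
// url() in a style attribute whose scheme is not http or https.
function hardenedFilterFlags(html) {
  if (normalize(html).includes('javascript:')) return true;
  const styleAttr = /style\s*=\s*(["'])([\s\S]*?)\1/gi;
  let m;
  while ((m = styleAttr.exec(html)) !== null) {
    for (const u of m[2].matchAll(/url\(\s*["']?([^"')]*)/gi)) {
      if (!/^https?:/.test(normalize(u[1]))) return true;
    }
  }
  return false;
}

// Constructed samples: a harmless background image, the article's style-based
// trick with the scheme intact, and the same trick with the newline split.
const SAMPLES = {
  benign: '<div style="background:url(\'http://example.invalid/bg.png\')">hi</div>',
  plain: '<div style="background:url(\'javascript:eval(document.all.mycode.expr)\')">x</div>',
  split: '<div style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">x</div>',
};

// Returns, per sample, whether each filter flags it.
function runFilters() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveFilterFlags(html), hardened: hardenedFilterFlags(html) };
  }
  return out;
}

console.log(runFilters());
```

The naive filter passes the newline-split variant straight through, while the normalizing one flags it and still accepts the plain image URL.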

Discussion

Jenny chavez
May 8, 2010: 3:46 pm

Plz new password
plz

May 3, 2010: 12:21 pm

i forgot my password can you help me please


rida hassan
April 8, 2010: 5:21 am

crime is my thing

March 16, 2010: 7:39 am

This post contains detailed information about a hack that was done in the past using JavaScript, after the breach was sealed. The thrust of the post is how you can protect your web application from such attacks.

March 16, 2010: 7:35 am

He claims that is not him, but he knows the person. I still think he is lying. The whole situation is very sad and harmful to everyone around. His wife is now taking him back and believes that person was not him, but I know it was. But I have no proof. Is there anyone on here that can hack into the account somehow and be able to find out what email it came from or see if this person has sent any messages or can hack into any of his accounts elsewhere?


Nate
March 1, 2010: 2:05 am

I have to read this message in my friend's inbox on myspace, it's killing me, it's from or to my girlfriend and i have to know what it says, please.

February 9, 2010: 4:27 am

how can i hack mobile software anybody can help me i'd be thankful


toria
December 18, 2009: 5:30 pm

help someone hacked my myspace page and wrote stuff about me and when i type in my email and password it does not let me log in what do i do?

July 21, 2009: 2:14 pm

I want to know my girlfriends password cause I want to see wat she is hiding from me

April 25, 2009: 4:58 am

whats the password


Mimi
January 31, 2009: 10:02 pm

Hello,

I WILL PAY ANYONE WHO CAN HELP ME!

This person is bothering me on myspace. I added a code that HID my comments on my myspace, but this hacker comes in and deletes a lot of the comments (other people’s comments) on my page EVERY DAY! I CHANGE my password and email everyday but to no avail.

So far, about 300 of the comments on my myspace have been deleted by this hacker! He even deleted a few of my FRIENDS!!!! Even my PICTURES got deleted!

I waited until he stopped but he deleted 20 of the comments on my myspace TODAY.

I think he’s going to my home page and deleting the comments there because he obviously can’t otherwise because I added a code that hid my comments. My profile is set private.

It’s been about a YEAR since he’s been bothering me!!!!!!!!!!!!!!!

I could shut down my myspace but i don’t want to!

I want to know who’s bothering me like this! He thinks that he’s some computer genius who can get away with anything….

So I’m using my last card on you guys. I did everything that I could in regards to hiding stuff and changing passwords/email…EVEN THE MYSPACE CUSTOMER SERVICE people will NOT HELP ME!!!!!!! :(

U can tell that this is serious considering that i will pay you guys if u can help me catch this hacker and prevent this from happening!!!!

I want:

1) Someone to catch this hacker
2) Prevent this hacker or anyone from hacking in my myspace and not delete my friends, comments, or mess anything up on my site
3) If u have some helpful idea besides changing my password or just letting this slide, let me know! This is terribly aggravating! :(

Please help me as if you were my real older brother! I am paranoid because hes been bothering me for a long time and as a last resort, i am writing to you.

CAN YOU PLEASE HELP ME, PLEASE?????????

I will be waiting so please respond if u can help me! THIS IS NOT A GAME!!!!! THIS IS SERIOUS!!!!!

Thank you~


Katie
November 23, 2008: 5:04 pm

This guy that I am living with hides everything from me and we have kids. I wanna see his myspace messages. I need to now!! Please help!

November 23, 2008: 7:34 am

I think that my girlfriend is cheating on me with someone on myspace and that they are talking through messages. I dont know her password but i know her e-mail that she logs into on.
Can you help me get into her messages?

November 16, 2008: 4:43 pm

can anyone plz send me tha password for my best friends myspace his e-mail is short_playa13@yahoo.com plz send tha password to andrea_ana_martinez@yahoo.com thank u i really need to know wats goin on wit him he’s been weird and mean lately


big m
September 29, 2008: 9:31 am

someone change my myspace passcode n my yahoo e mail code..sooo therefor i cant get into my myspace or my yahoo mail…soo can some one email me n tell me how to get into my account another way….sooo that i can get back into my myspace..(loverboyricherich@yahoo.com)


ALL
September 3, 2008: 5:33 am

i have a feelin that my gf is playin me and has been with one of the guys on her myspace page im not 100% sure but i really think she is, she acts weird when i say somthin bout her myspace, can some one email me at alansdale22@yahoo.com and tell me how to get into her file to look thru it? Please im beggin anyone who would know how to help me


DM
June 3, 2008: 12:20 pm

do u know how to hack into someones facebook, let me know thanks


bill
May 31, 2008: 9:39 pm

I think that my girlfriend is cheating on me with someone on myspace and that they are talking through messages. I dont know her password but i know her e-mail that she logs into on.
Can you help me get into her messages?


Wilkinson
May 21, 2008: 11:48 am

really!!! 1 man helped me to get access to another acc of myspace, i promised that i never post about this. But i see that it is very biiiiiig problem to hack myspace.
ask this guy gilbertowls@gmail.com he helps you!!!


A. Geral
May 16, 2008: 11:25 am

How do I read blogs that have been set for friends only? Thanks.


Tre
April 25, 2008: 6:30 pm

what is the code for hacking a private acct and blog.


stupid
April 21, 2008: 2:25 pm

does anyone know how to hack myspace truth boxes, so the names will somehow be displayed?


taftmom
April 14, 2008: 7:40 pm

Wow, you must be talented..Not sure if I should even bug you. I want to learn chat room tricks…codes to stop freezing, and whispers.. spam and stuff like that. Can you tell me a place to read up on info. Thanks for your time.
taftmom@hotmail.com I chat in myspace chat room and someone butthead is freezing me and spamming me out of the room.


Ashleyyy
April 6, 2008: 2:31 am

Heyyy, okay. So I don’t know why but I really wanna hack some of my friends MySpaces. I’m not gunna like, do anything to their profiles or anything like that. Trust me. I just wanna see what they’re up to. You know? But I can’t find a way that actually works ANYWHERE. So if anyone knows A legit way to hack a MySpace, lemme’ know. If you’re gunna give me spam or any crap about this then just don’t reply. Kay thanksss:]]


luscious
April 1, 2008: 8:50 am

hi can u help me with this? i cannot open my friendster ( dar_cindz2@yahoo.com ) i think i have been hacked by someone. everytime i try to log-in it says that the email address that u have entered is invalid.. what will i do? can u help me pls? =(

March 7, 2008: 8:20 pm

how do i spam my cuz spamed me and how do i get him back with spam


andry
January 17, 2008: 3:50 am

hello…
can u help me!
my friendster ( andry_iy4n@yahoo.co.id ) couldn’t read some primary word.
i think i have been hacked by someone.
can u help me, please..
thanks be4..
:)


Kitkat
December 27, 2007: 7:18 am

Ok, seriously, does anyone get help on here?
I just wanna hack someone’s myspace cos they’re a psychopath.
(Not literally but you get my drift).

Cheers!

Kat
