MySpace Hacked with CSRF and XSS

October 13, 2005
web

It seams that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.

An aquaintance of mine recently managed within 24 hours to become the most popular civilian on myspace with the help of a clever bit of viral javascript imbedded into his myspace page.
By the time myspace shut down their site for a few hours to investigate he had over 1 million requests from unknowing myspace members for him to be listed as their myspace friend.

Because he was able to embed javascript into his profile, that makes it a XSS, or cross site scripting attack. And because he was able to take advantage of a other users login and perform a function on their behalf (by either submitting a form, or calling a url), it was also a CSRF, or cross site request forgery attack.

Too bad back in those days they didn't have xss countermeasures like Content Security Policy headers as we do today. It would have limited the damage.



Related Entries

11 people found this page useful, what do you think?

Comments

While this sounds like a coding issue more than anything, any idea if MySpace is now on New Atlanta's BlueDragon, or are they still on Macromedia's CF? Part of me can't help but wonder if there's going to be some political finger pointing...
These are definitely coding issues, it doesn't really matter that their site is CFML, you could have this problem on any app server.
I seem to recall saying bad things about MySpace's development techniques a while ago.... Seems things are still kind of sketchy. Not to mention taking down their whole site to investigate.
The tech is in a whitepaper http://www.bindshell.net/papers/xssv.html
This might surprise you, but you're one of the few people who can accurately categorize this attack - well done! :-)
Problem. He didnt take advantage of your login, since you were already logged in, there was no need to do so. He should of been smart about it and stole all your cookies. Then everyone would be owned.
Hello im currently looking for a website designer to build me a web site simuliar to www.myspace.com I'M aware that myspace was built in coldfusion.. please email me back & let me know if you can do this project? MY EMAIL ADD IS levern.green@gmail.com SERIOUS INQUIRIES ONLY !

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?