October 13, 2005
MySpace Hacked with CSRF and XSS
It seems that someone recently hacked myspace.com, the ColdFusion-powered community site with millions of users.
An acquaintance of mine recently managed, within 24 hours, to become the most popular civilian on MySpace with the help of a clever bit of viral JavaScript embedded in his MySpace page.
By the time MySpace shut down their site for a few hours to investigate, he had over 1 million requests from unknowing MySpace members asking for him to be listed as their MySpace friend.
Because he was able to embed JavaScript in his profile, that makes it an XSS, or cross-site scripting, attack. And because he was able to take advantage of another user's login and perform a function on their behalf (by either submitting a form or calling a URL), it was also a CSRF, or cross-site request forgery, attack. The two flaws are independent: the first is a failure to encode or strip HTML in profile content on output, the second is a state-changing action that accepts any request carrying a valid session cookie.
Related Entries
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- CFPARAM for Simple String Validation - May 29, 2007
- The Dangers of Flash's crossdomain.xml - November 2, 2006
- Web Application Vulnerabilities trump Buffer Overflows - November 2, 2006
- How to Break Web Software - April 21, 2006
Comments
On 10/13/2005 at 1:35:24 PM MDT Dan G. Switzer, II wrote:
While this sounds like a coding issue more than anything, any idea if MySpace is now on New Atlanta's BlueDragon, or are they still on Macromedia's CF?
Part of me can't help but wonder if there's going to be some political finger pointing...
On 10/13/2005 at 1:41:09 PM MDT Pete Freitag wrote:
These are definitely coding issues; it doesn't really matter that their site is CFML. You could have this problem on any app server.
On 10/13/2005 at 2:22:21 PM MDT Barney wrote:
I seem to recall saying bad things about MySpace's development techniques a while ago.... Seems things are still kind of sketchy. Not to mention taking down their whole site to investigate.
On 10/20/2005 at 2:46:39 PM MDT Roger wrote:
The tech is in a whitepaper http://www.bindshell.net/papers/xssv.html
On 05/29/2006 at 8:15:20 PM MDT Chris Shiflett wrote:
This might surprise you, but you're one of the few people who can accurately categorize this attack - well done! :-)
On 06/19/2006 at 6:51:40 PM MDT A nonymous wrote:
Problem. He didn't take advantage of your login; since you were already logged in, there was no need to do so. He should have been smart about it and stolen all your cookies. Then everyone would be owned.
On 02/04/2007 at 11:38:44 PM MST levern wrote:
Hello, I'm currently looking for a website designer to build me a web site similar to www.myspace.com. I'm aware that MySpace was built in ColdFusion. Please email me back and let me know if you can do this project. MY EMAIL ADDRESS IS levern.green@gmail.com. SERIOUS INQUIRIES ONLY!
Pete Freitag is a software engineer, and web developer located in