Pete Freitag

MySpace Hacked with CSRF and XSS

It seems that someone recently hacked myspace.com, the ColdFusion-powered community site with millions of users.

An acquaintance of mine recently managed within 24 hours to become the most popular civilian on myspace with the help of a clever bit of viral JavaScript embedded into his myspace page.
By the time myspace shut down their site for a few hours to investigate, he had over 1 million requests from unknowing myspace members for him to be listed as their myspace friend.

Because he was able to embed JavaScript into his profile, this was an XSS, or cross-site scripting, attack. And because he was able to take advantage of another user's login and perform a function on their behalf (by either submitting a form or calling a URL), it was also a CSRF, or cross-site request forgery, attack.

Too bad back in those days they didn't have XSS countermeasures like Content Security Policy headers as we do today. It would have limited the damage.
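The defensive side of the two flaws described above, as an added example that is not from the original post or MySpace's code: Node.js code in which the friend-request action requires a per-session CSRF token, while profile pages are output-encoded and served with a Content Security Policy that omits 'unsafe-inline'. The token only stops forged requests from other sites, so the encoding and the policy are what keep stored profile script from running with the visitor's session. The function names, the session object shape and the policy string are assumptions made for illustration.

```javascript
// Added example; handler names and the session shape are hypothetical.
const crypto = require('node:crypto');

// No 'unsafe-inline': script markup stored in a profile is not executed.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; " +
            "base-uri 'none'; form-action 'self'";

// Encode user-supplied profile text so it renders as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Bind a random token to the session; state-changing forms must echo it back.
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison; an absent token on either side never matches.
function tokenMatches(session, supplied) {
  const a = Buffer.from(String(session.csrfToken || ''));
  const b = Buffer.from(String(supplied || ''));
  return a.length > 0 && a.length === b.length && crypto.timingSafeEqual(a, b);
}

// "Add friend" changes state: POST only, logged-in user, valid session token.
function handleAddFriend(req, session) {
  const body = req.body || {};
  if (req.method !== 'POST') return { status: 405, added: false };
  if (!session.userId) return { status: 401, added: false };
  if (!tokenMatches(session, body.csrfToken)) return { status: 403, added: false };
  session.friends.add(body.friendId);
  return { status: 200, added: true };
}

// Profile pages carry the CSP header and contain only encoded user content.
function renderProfile(profile) {
  return {
    headers: {
      'Content-Security-Policy': CSP,
      'Content-Type': 'text/html; charset=utf-8',
    },
    body: `<h1>${escapeHtml(profile.name)}</h1><div>${escapeHtml(profile.about)}</div>`,
  };
}
```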


MySpace Hacked with CSRF and XSS was first published on October 13, 2005.

Comments

While this sounds like a coding issue more than anything, any idea if MySpace is now on New Atlanta's BlueDragon, or are they still on Macromedia's CF? Part of me can't help but wonder if there's going to be some political finger pointing...
by Dan G. Switzer, II on 10/13/2005 at 1:35:24 PM UTC
These are definitely coding issues, it doesn't really matter that their site is CFML, you could have this problem on any app server.
by Pete Freitag on 10/13/2005 at 1:41:09 PM UTC
I seem to recall saying bad things about MySpace's development techniques a while ago.... Seems things are still kind of sketchy. Not to mention taking down their whole site to investigate.
by Barney on 10/13/2005 at 2:22:21 PM UTC
This might surprise you, but you're one of the few people who can accurately categorize this attack - well done! :-)
by Chris Shiflett on 05/29/2006 at 8:15:20 PM UTC
Problem. He didn't take advantage of your login; since you were already logged in, there was no need to do so. He should have been smart about it and stolen all your cookies. Then everyone would be owned.
by A nonymous on 06/19/2006 at 6:51:40 PM UTC
Hello, I'm currently looking for a website designer to build me a web site similar to www.myspace.com. I'm aware that myspace was built in ColdFusion. Please email me back and let me know if you can do this project. MY EMAIL ADD IS levern.green@gmail.com SERIOUS INQUIRIES ONLY!
by levern on 02/04/2007 at 11:38:44 PM UTC