MySpace: bulletin and other spam25 Oct 2006
MySpace is a vast collection of web real estate begging to be spammed. I keep receiving spam bulletins from some of my MySpace friends, so this is a little explanation of what MySpace spam is and how it can be fixed:
Tricks used by MySpace spammers
Trick #1: hidden bulletin post form
As described by ericis.com, MySpace did not protect the bulletin submission page enough. Bulletins could be sent by an unsuspecting logged-in user through a hidden form, instead of only through the official submission form. So you might click on what seems to be just a link to a site/profile, but you are really sending a bulletin to all your friends. This mail might invite them to click on a link which hides another hidden form and …
STATUS: This vulnerability has been addressed by MySpace, but whether it is completely fixed is another question.
Trick #2: man-in-the-middle password theft
You click on a link, and you are taken to what seems to be the MySpace login page. “That’s weird“, you think, “I thought I was already logged in, but what the heck“, you give your password and you get to the page you wanted to get to. In reality, the login page was not on a myspace.com server, but on a malicious site (they just used the exact same layout) and they now have your password (cf chyna.wordpress.com)! They can now use automated scripts to log in and change your profile, or to send bulletins to all your friends. This password stealing technique is also called ‘phishing’.
That sounds improbable? Well: it costs $15 to send a bulletin to 100k MySpace “Friends”. Where do you think those 100.000 friends come from?
A recent example: Aug 27 2006.
STATUS: the only way to protect against this would be to disable external links. I don’t see that happening, so this is still something to look out for!
Trick #3: Cross-Scripting (XSS) or MySpace worms
As reported by xavsec.blogspot.com, Kuro5hin and namb.la, malicious Flash (SWF) files have been used to infect profiles: you get to a page, the SWF (which might be a visible animation or just hidden) detects that you are logged in on MySpace and uses a non-protected (unsanitized) variable to reset your MySpace name and profile.
The first one of these was the “Samy popularity worm“:
1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it’s exponential, isn’t it. Shit.
STATUS: the known worms are blocked, new ones aren’t.
Trick #4: fake MySpace profile pages
Profile pages that look like a real person (mainly female, young and attractive), but in the ‘Thank you for the add’ comments the links are actually advertising for e.g. webcam sites. You get invited to become their friend and when you check out their profile page, you see the advertising. This could also be combined with any of the 3 above tricks for more damage. (via photomatt.net)
STATUS: if they misbehave too much, their profile might get deleted by MySpace. Otherwise, they’re still around.
The main reason why all this is possible on MySpace and not on most other sites is that
- MySpace has a “everything is allowed except …” security policy for their content checking, instead of a safer “everything is forbidden unless …” approach.
An example: at some point MySpace removed all
<script> tags, but there were
<div id="mycode" expr="alert('hah!')" style="background:url('java<br />
script:eval(document.all.mycode.expr)')"> tricks invented around that. Which MySpace then fixed. MySpace is continuously playing catch-up with inventive hackers.
I actually have some ideas of the hacks we will see in the future (it’s not that hard to predict), but I don’t want to help anyone that would use them, so I’ll just shut up. What I can say is:
- Do you get complaints from your friends about spam bulletins that were sent in your name? Bad sign!
- Check your “Sent” mail. Are there messages there that you did not send? Bad sign!
- Do you see friends on your list that you did not add yourself? Bad sign!
- Change your password: go to your “Account settings” and click “Change Password” (this reverses the effect of #2)
- Clean out your profile: go to your “Edit Profile” page and clean out the “About Me”, “I’d like to meet”, “Interests”, … text boxes. (this reverses the effect of #3)
- Don’t click on links in bulletins. Better still, don’t read your bulletins at all.
- If you unexpectedly get a MySpace login screen, make sure the URL starts with
- So if you use Myspace, use your head. Don’t download or install software from untrusted sources, even those apparently recommended by your friends (Washington Post)
- Only become ‘friends’ with people you know or artists you know. This blonde chick from Houston with 5000 friends is dying to become your buddy? Chances are, “she” might actually look more like Onslow. If that is actually your type, forget I said that.
- Go easy on the profile pimping. If you just take whatever HTML you get from some site and paste it in your profile, that’s like taking a drink from a stranger. Next thing you know you’re screwed.