Xavier's Security Post
Monday, October 02, 2006
Developers and Disclosure -UPDATE
Someone got in contact with me, and whoever it was thanks! I was very interested in how that all went down :)
So it appears the MySpace source code was posted by a separate security researcher who discovered the source code in diagnostic error messages. He uploaded to that ShortText site and thats a wrap. The code, as I speculated, is quite old. It turns out, as the anonymous source noted, the cookie structure is quite different than the old one parsed in the user.session source posted below.
Thanks!
OLD POST =================================== BELOW
A few months ago I had emailed security@myspace.com concerning a security vulnerability with their embedded flash objects. Two separate staffers at the company emailed me back asking about the vulnerability. They took my disclosure and information and vanished. Thus they ceased communication with me, and fixed the mentioned holes. Thats the end of the story right? Wrong.
A simple Google'ing yielded an interesting page. It turns out one of the guys who contacted me actually pasted a MySpace.com coldfusion script on a public web site called ShortText. The script is titled user.session and contains several pieces of information that can be sensitive.
After a quick read we note a few things:
From the looks of it the cookie structure is something like this:
A determined attacker can do several things--encrypt an arbitrary cookie using several schemes present and accessible to ColdFusion and .Net the likes of RC5, 3DES, AES etc, then base64 the output and compare the hash to actual MySpace cookies. Somewhere along the line you'll figure out other parts to the attack, or give up. An attacker could also pose as the codes "Author" and contact the "Debug" guy and play a game. Can you social engineer a MySpace developer? ¶ 10/02/2006 12:51:00 PM 0 comments
So it appears the MySpace source code was posted by a separate security researcher who discovered the source code in diagnostic error messages. He uploaded to that ShortText site and thats a wrap. The code, as I speculated, is quite old. It turns out, as the anonymous source noted, the cookie structure is quite different than the old one parsed in the user.session source posted below.
Thanks!
OLD POST =================================== BELOW
A few months ago I had emailed security@myspace.com concerning a security vulnerability with their embedded flash objects. Two separate staffers at the company emailed me back asking about the vulnerability. They took my disclosure and information and vanished. Thus they ceased communication with me, and fixed the mentioned holes. Thats the end of the story right? Wrong.
A simple Google'ing yielded an interesting page. It turns out one of the guys who contacted me actually pasted a MySpace.com coldfusion script on a public web site called ShortText. The script is titled user.session and contains several pieces of information that can be sensitive.
After a quick read we note a few things:
- a) Author: TheBoz(Keith Boster)
b) Orig Date: 12/23/03
c) A person by the name of "Kevin" did the debugging work, and his email is: kfreund@myspace.com
d) The internal CF server IP (10.20.0.153), Port number (1890) and message ("#userLogin.UserID#,1,#displayonlinestatus#")
From the looks of it the cookie structure is something like this:
- UserID|UserType|Permissions|UserEmail|UserFirstName|LastClick|HideStatus
- UserID: This value is the integer each account is given upon registration.
UserType: This value distinguishes your status on MySpace. The following values are from the script itself:
2 = Regular User
5 = Group
4 = Moderator and/or Paid User
6 = Power User
7 = Band
A determined attacker can do several things--encrypt an arbitrary cookie using several schemes present and accessible to ColdFusion and .Net the likes of RC5, 3DES, AES etc, then base64 the output and compare the hash to actual MySpace cookies. Somewhere along the line you'll figure out other parts to the attack, or give up. An attacker could also pose as the codes "Author" and contact the "Debug" guy and play a game. Can you social engineer a MySpace developer? ¶ 10/02/2006 12:51:00 PM 0 comments