Xavier's Security Post
Monday, October 02, 2006
  Developers and Disclosure - UPDATE
Someone got in contact with me, and whoever it was, thanks! I was very interested in how that all went down :)

So it appears the MySpace source code was posted by a separate security researcher who discovered the source code in diagnostic error messages. He uploaded it to that ShortText site, and that's a wrap. The code, as I speculated, is quite old. It turns out, as the anonymous source noted, that the current cookie structure is quite different from the old one parsed in the user.session source discussed below.


OLD POST =================================== BELOW
A few months ago I emailed security@myspace.com concerning a security vulnerability in their embedded Flash objects. Two separate staffers at the company emailed me back asking about the vulnerability. They took my disclosure and information and vanished: they stopped communicating with me and fixed the holes I had reported. That's the end of the story, right? Wrong.

A simple Google search turned up an interesting page. It turned out that one of the people who contacted me had pasted a MySpace.com ColdFusion script on a public website called ShortText. The script is titled user.session and contains several pieces of potentially sensitive information.

After a quick read we note a few things:

Paradox stated that an attacker could potentially elevate their user access to PowerUser if two things could be discovered: the "encKey" value and the encryption method.

From the looks of it the cookie structure is something like this:

The following is an attempt at explaining the important values:

We can speculate, by reading the disclosed user.session source, that the cookie can be manipulated to elevate a user's account from regular user to power user, or even moderator. It must be noted that the script was uploaded some time ago, so we are only able to critique a potentially obsolete script.

A determined attacker can do several things. One is to take a cookie whose plaintext they already know (their own account's), encrypt it under each of the schemes available to ColdFusion and .NET (RC5, 3DES, AES and the like) with each candidate key, base64 the output, and compare the result to the cookie MySpace actually issued; a match reveals both the method and the key at once. The caveat is that this only gets anywhere if the key is guessable, either a weak or default value or something recoverable from the disclosed source; enumerating a full 3DES or AES key space blind is not an option. Somewhere along the line you either figure out the remaining parts of the attack or give up. An attacker could also pose as the code's "Author", contact the "Debug" guy and play a game. Can you social engineer a MySpace developer?
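The following is an added example written for this page, not MySpace's user.session script and not code from the original post. It models the situation the post speculates about: a session cookie whose only protection is encryption, where an attacker who knows the "encKey" and the method can decrypt, edit the role field, and re-encrypt. It also shows the comparison attack described above (re-encrypt a known plaintext under candidate keys until the issued cookie is reproduced) and, beside it, the hardened form in which the server checks an HMAC before trusting any field. The field names (userID, userType, issued), the keys, the sample values and the toy XOR "cipher" are all assumptions made for the demonstration; the real cookie layout was not preserved on the page.

```python
import base64
import hashlib
import hmac
from itertools import cycle
from typing import Optional

# Assumed cookie layout. The page does not preserve the real user.session
# fields, so these names are illustrative only.
FIELDS = ("userID", "userType", "issued")

# Constructed sample data for the demonstration (not real MySpace values).
ENC_KEY = b"s3cr3t-encKey"      # the "encKey" an attacker hopes to recover
MAC_KEY = b"separate-mac-key"   # used only by the hardened variant below
SAMPLE = {"userID": "12345", "userType": "user", "issued": "20061002"}


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy reversible cipher standing in for whatever encrypt() call the
    original script used. The only property that matters here: anyone who
    knows the key and the method can decrypt, modify and re-encrypt."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def pack(fields: dict) -> bytes:
    return "|".join(str(fields[f]) for f in FIELDS).encode()


def unpack(raw: bytes) -> dict:
    parts = raw.decode().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed session cookie")
    return dict(zip(FIELDS, parts))


# --- Variant 1: encryption only (the pattern the post speculates about) ---

def make_cookie_enc_only(fields: dict, enc_key: bytes) -> str:
    return base64.b64encode(xor_stream(pack(fields), enc_key)).decode()


def read_cookie_enc_only(cookie: str, enc_key: bytes) -> dict:
    return unpack(xor_stream(base64.b64decode(cookie), enc_key))


def recover_key(cookie: str, known_fields: dict, candidate_keys) -> Optional[bytes]:
    """The comparison attack: re-encrypt a cookie whose plaintext you already
    know (your own account) under each candidate key and see which one
    reproduces the cookie the server actually issued."""
    for key in candidate_keys:
        if make_cookie_enc_only(known_fields, key) == cookie:
            return key
    return None


def forge_role(cookie: str, enc_key: bytes, new_type: str) -> str:
    """With key and method known, privilege escalation is a field edit."""
    fields = read_cookie_enc_only(cookie, enc_key)
    fields["userType"] = new_type
    return make_cookie_enc_only(fields, enc_key)


# --- Variant 2: same cookie, plus an HMAC the server checks before trusting it ---

def make_cookie_mac(fields: dict, enc_key: bytes, mac_key: bytes) -> str:
    body = base64.b64encode(xor_stream(pack(fields), enc_key))
    tag = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def read_cookie_mac(cookie: str, enc_key: bytes, mac_key: bytes) -> Optional[dict]:
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before looking at any field
    return unpack(xor_stream(base64.b64decode(body), enc_key))


def forge_role_mac(cookie: str, enc_key: bytes, new_type: str) -> str:
    """Attacker knows enc_key and the method but not mac_key: the best they
    can do is reuse the old tag, which no longer matches the edited body."""
    body, _, tag = cookie.rpartition(".")
    fields = unpack(xor_stream(base64.b64decode(body), enc_key))
    fields["userType"] = new_type
    new_body = base64.b64encode(xor_stream(pack(fields), enc_key)).decode()
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    issued = make_cookie_enc_only(SAMPLE, ENC_KEY)
    print("recovered key:", recover_key(issued, SAMPLE, [b"guess1", b"myspace", ENC_KEY]))
    print("forged:", read_cookie_enc_only(forge_role(issued, ENC_KEY, "poweruser"), ENC_KEY))
    signed = make_cookie_mac(SAMPLE, ENC_KEY, MAC_KEY)
    print("forged+MAC accepted:",
          read_cookie_mac(forge_role_mac(signed, ENC_KEY, "poweruser"), ENC_KEY, MAC_KEY))
```

The design point is that confidentiality of the cookie body is the wrong property to rely on for authorization: once the method and key are known (or, as in the toy cipher, simply reversible), the role field is attacker-controlled. An HMAC over the encoded body, checked with a constant-time comparison before any field is parsed, makes the cookie tamper-evident regardless of how the body is encoded. It does not help, of course, if the MAC key ends up in a script pasted to a public paste site, which is exactly the kind of exposure this post is about.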
This public blog will be a place for me to post any security findings, both technological and physical, that I have come across. I will post security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln
