Developers and Disclosure -UPDATE
Someone got in contact with me, and whoever it was thanks! I was very interested in how that all went down :)
So it appears the MySpace source code was posted by a separate security researcher who discovered the source code in diagnostic error messages. He uploaded to that ShortText site and thats a wrap. The code, as I speculated, is quite old. It turns out, as the anonymous source noted, the cookie structure is quite different than the old one parsed in the user.session source posted below.
OLD POST =================================== BELOW
A few months ago I had emailed firstname.lastname@example.org concerning a security vulnerability with their embedded flash objects. Two separate staffers at the company emailed me back asking about the vulnerability. They took my disclosure and information and vanished. Thus they ceased communication with me, and fixed the mentioned holes. Thats the end of the story right? Wrong.
A simple Google'ing
yielded an interesting page. It turns out one of the guys who contacted me actually pasted a MySpace.com coldfusion script on a public web site called ShortText
. The script is titled user.session
and contains several pieces of information that can be sensitive.
After a quick read we note a few things:
a) Author: TheBoz(Keith Boster)Paradox
b) Orig Date: 12/23/03
c) A person by the name of "Kevin" did the debugging work, and his email is: email@example.com
d) The internal CF server IP (10.20.0.153), Port number (1890) and message ("#userLogin.UserID#,1,#displayonlinestatus#")
stated an attacker could potentially elevate their user access to PowerUser if two things could be discovered: the "encKey" value and the encryption method.
From the looks of it the cookie structure is something like this:
The following is an attempt at explaining the important values:
UserID: This value is the integer each account is given upon registration.
UserType: This value distinguishes your status on MySpace. The following values are from the script itself:
2 = Regular User
5 = Group
4 = Moderator and/or Paid User
6 = Power User
7 = Band
We can speculate, by reading the disclosed user.session source, that the cookie can be manipulated into elevating a users account from regular user to power user, or even moderator. It must be noted that the script was uploaded some time ago so we're only able to critique a potentially obsolete script.
A determined attacker can do several things--encrypt an arbitrary cookie using several schemes present and accessible to ColdFusion and .Net the likes of RC5, 3DES, AES etc, then base64 the output and compare the hash to actual MySpace cookies. Somewhere along the line you'll figure out other parts to the attack, or give up. An attacker could also pose as the codes "Author" and contact the "Debug" guy and play a game. Can you social engineer a MySpace developer?