April to See Month of MySpace Bugs

Posted by Zonk on Sun Mar 18, 2007 05:30 PM
from the next-up-a-month-of-teddy-bear-bugs dept.
An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace Bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"
  • by Anonymous Coward on Sunday March 18 2007, @05:31PM (#18396909)
    You'd think they'd do a year of MySpace bugs.
  • It's like PMS, but all month long!
  • by Anonymous Coward on Sunday March 18 2007, @05:44PM (#18396983)
    Bugtrack announced that on May first, they will start their 200th consecutive month of Microsoft bugs, give them a nice applause!
  • by Anonymous Coward
    This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003 [netcraft.com]. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

    Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applicat
    • Re: (Score:2, Interesting)

      Windows is a twisty maze of passages, all alike, all leaking information.
      Root/Administrator is a design flaw.
      All the platforms you mention have holes in them.

      And PHP is a crock, steer well clear. See http://www.php-security.org/ [php-security.org]

    • According to Netcraft, MySpace uses IIS 6 on Windows Server 2003.

      You may be right about MySpace using Windows, but remember, all Netcraft can really tell you is what technology they use to face the Interweb. What really runs the MySpace machine may be quite different. Could be squirrels, for all Netcraft can really tell. But you're probably right...

  • by Anonymous Coward on Sunday March 18 2007, @06:00PM (#18397075)
    I have had it happen about 4 times, it's a redirect not properly sanitized (or injected in javascript), each time I'm redirected to http://193.x.x.x/somenasty.html [x.x.x], and it's basically an IE 6.0 exploit. I can guarantee myspace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!
  • 'It's funny but it's not a joke.'"

    Then launch it on April 2. April 1 is a Sunday anyway, and some hax0rz actually do toil thee not on their Sabbath.
  • by sfjoe (470510) on Sunday March 18 2007, @06:13PM (#18397121)
    I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
    If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them then is a fool's errand.
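The default-deny principle the comment above describes, applied to user-supplied profile HTML, as an added example (not code from the post or from MySpace): everything is rebuilt from an allow-list of tags, attributes and URL schemes, so there is no pattern list to evade. The tag and attribute sets are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for a profile page: anything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    """Rebuilds user HTML, keeping only listed tags, attributes and URL schemes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded, then re-escaped below
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        # HTMLParser lower-cases tag and attribute names, so case tricks are irrelevant.
        if tag not in ALLOWED_TAGS:
            return  # unknown element: silently dropped, its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, styles, etc. are never on the list
            if name == "href" and not (value or "").lower().startswith(ALLOWED_SCHEMES):
                continue  # only explicitly allowed URL schemes survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(escape(data))  # text is always re-escaped on output


def sanitize(user_html: str) -> str:
    """Return a copy of user_html containing only allow-listed markup."""
    parser = AllowListSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)
```

Comments and unknown elements disappear without inspection, which is the point: the filter never has to recognise what it is rejecting.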

  • Users post personal data for identity thieves to download.

    After that, all other "bugs" are 100% irrelevant, anything you would want to hack it already willingly posted. So a big fat security *yawn* on this one.

  • by Anonymous Coward on Sunday March 18 2007, @06:21PM (#18397153)
    Status: OLD

    Severity: Major

    Reproducible: Always

    Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

    Solution: Delete Myspace.
  • but... (Score:5, Funny)

    by netdur (816698) on Sunday March 18 2007, @06:25PM (#18397179) Homepage
    myspace itself is a bug
  • 127.0.0.1 myspace.com
    • Re:well (Score:5, Interesting)

      by Omnifarious (11933) * on Sunday March 18 2007, @05:53PM (#18397037) Homepage Journal

      Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

      Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID [openid.net]. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

      • Which is all the more reason to make sure that no software ever has a really huge user base.

        Maybe they should introduce some bugs to slow the user base growth.
      • Re: (Score:3, Interesting)

        Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID.

        How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs [facebook.com] that let you access their friend data.
        • How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.

          Because you could add someone as a MySpace friend without them having to have a MySpace account if MySpace implemented OpenID. If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel m

        • Re: (Score:3, Informative)

          A decentralized social network would be nifty, but OpenID definitely isn't one.

          I'm working on it... [sourceforge.net] and the plan is to use OpenID for authentication.
        • How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.

          However, Facebook's API better be damn secure (and not needing even a week of bugs) or else a lot of people would be mighty ticked off. Especially these people that think that stuff on their social networking profile is private and secure. Maybe somebody should let them know that the in
      • Am I the only one who thinks MySpace's UI is incredibly ugly and poorly put together?

        And why is it that as of a couple years ago everyone is "in your extended network?" Is there even an "extended network" anymore?
    • Re: (Score:3, Insightful)

      Because they claim they are secure. It's like if someone was to build a big fence around their property, place armed guards, security cameras, attack dogs, and then boast in a local newspaper that they are secure.. you'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.
      • Re: (Score:3, Insightful)

        I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.
    • Re: (Score:2, Informative)

      Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

      The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

      The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for
      • Re: (Score:3, Insightful)

        The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.
      • It's not cool, it's not funny, and I wish these assholes would just knock it off.

        The curious thing is, if you created a TV program out of it, and added silly sound effects and a silly voiceover, it would be funny. If Funniest Home Videos has taught us nothing else, it has at least taught us that pain and misfortune are funny when they happen to other people.

        If it was my application under the spotlight it would be a completely different matter...
      • Most of the Month of X Bug websites seen recently already did that stuff and nothing happened.

        This one : http://www.php-security.org/ [php-security.org] was even done by an ex-member of the PHP security team because they weren't taking him seriously.
        • Whilst he's a very good security researcher, Stefan Esser has a reputation for being very hard to work with.

          He claims that Month of PHP Bugs was created because he couldn't get the fixes into PHP. Whilst this may be true for PHP, he recently announced a vulnerability in mod_security [modsecurity.org] complete with PoC code as part of MOPB. This had nothing to do with PHP, and Esser didn't bother to notify the mod_security team before releasing it [modsecurity.org].
        • It has been long established that it is simply NOT POSSIBLE to write software without bugs.

          The best that any developer can hope for is to find the bugs quickly and remove them.

          Stunts like this only serve to attack a development project without doing anything productive to help fix it.

          Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

          They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

          And it IS perfectly arbitrary
          • Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.
            • But you forget.

              This is not the only "month of X bugs" that has happened.

              The others were ALL about one or another software package.

              I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.

              • If you work in the security industry sure.. if you're a user who feels they are getting poor service you yell it from the rooftops. Think about it this way.. if you found out your keyless entry system to your car was broken and any idiot could get into your car with a $2 transmitter, would you go quietly to the company and help them "mitigate" the damage or would you send this information to your local newspaper or current affairs show so they can tell as many people as possible to steer clear of this manu
                  • And while you're solving the motor company's problems for them, they'll be sure to put a lot of effort into making sure it never happens again, right?

                    Have you ever stopped to think that maybe all this do-gooding attitude is the reason why computer security is so bad? You're just co-conspirators.
          • so you're more criticizing the practice in general than MySpace as a target.

            Fair enough. What is the proper way to go about getting big vendors like this to fix their security holes, then? If someone with a generally white-hat motivation doesn't do it, someone less benevolent will eventually.
      • Your garage then. You don't live there (though I don't see why you think that's relevant). It just costs you a little time and money to paint over afterwards. I don't see how being on a computer or on the Internet is magically different.

        And this is not like taking v. copying. This is doing direct, visible damage v. doing direct, visible damage. If this was a manuscript I was writing you'd (I assume) say 'yeah, it's wrong for them to burn it', but if it's an electronic manuscript, suddenly destroying it is

    • That's been my feeling as well. Someone sent me a link to someone's myspace site a few months back, and when I got there, someone had just completely trashed the page. Everything was just strewn all over the place without any rhyme or reason. Whoever defaced the site also made some crappy music download and play whether you wanted to hear it or not, with no obvious way to silence it. If you clicked on a link to go anywhere, it would for some reason just take you to a login screen. WTF?

      I hope that got
    • >>Remember when the music player was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...<<

      Not necessarily. The music player was quickly patched because a vulnerability in the music player made it possible to download (read: pirate) music. It's comparable to the DRM vulnerability that Microsoft fixed in three days and issued an out-of-cycle patch for. The bugs uncovered by this project are likely to be more mundane bugs that won't be patched so quickly.
      • Recall the recent quote-unquote "cross-site" exploits stealing info. Although some people blamed things like form autofill, the real problem was that the server name was the same, so the pages created by separate people, which should have been cordoned off from each other, were under the same hostname and therefore the same website for all intents and purposes. I recall LiveJournal having problems like this, which were solved in part by making each user page a subdomain. I suppose this really isn't a "monoc