April to See Month of MySpace Bugs

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

But April only has 30 days

You'd think they'd do a year of MySpace bugs.

Re:But April only has 30 days

Wow, looks like someone forgot to check "Post Anonymously".

It's that time of the month again

It's like PMS, but all month long !

Re:It's that time of the month again

I know you are, but what am I?

well

Just goes to show you once software has enough of a user base to make it profitable to exploit bugs, people will start finding them.

Re:well

Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID [openid.net]. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

In other news

Bugtrack announced that on May first, they will start their 200th consecutive month of Microsoft bugs, give them a nice applause!

Bug message...

Once they post the bugs, until they get fixed, we'll get this message: "Sorry! an unexpected error has occurred. This error has been forwarded to MySpace's technical group." Remember when the music player [slashdot.org] was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...

MySpace's Microsoft-backed infrastructure.

This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003 [netcraft.com]. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.

My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.

Why is it "funny" to exploit security bugs?

Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall, but I imagine anyone on the receiving end wouldn't find it funny at all, even if the recipient is some 1337 hax0r. At the most extreme end, humans are vulnerable to failure when a bullet is put through the head, but rational people agree that we don't approve of exploiting that vulnerability for fun and profit.

Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal. There are plenty of perfectly legal and more effective ways of making a statement about MySpace, if that's the goal. I'm not sure I understand the need to make a statement about it anyway; let's just agree that it's GeoCities 2005 and move on.

Re:Why is it "funny" to exploit security bugs?

Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.

Myspace allows XXS redirect for malware execution

I Have had it happen about 4 times, its a redirect not properly sanitized (or injected in javascript), each time im redirected to http://193.x.x.x/somenasty.html [x.x.x], and its basically an IE 6.0 exploit. I can guarantee myspace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!

Funny / Not Funny

'It's funny but it's not a joke.'"

Then launch it on April 2. April 1 is a Sunday anyway, and some hax0rz actually do toil thee not on their Sabbath.

clown shoes security?

I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Ttrying to detect all the possible variants of hacking and denying them then is a fool's errand.

Only one bug....

Users post personal data for identity thieves to download.

After that, all other "bugs" are 100% irrelevant, anything you would want to hack it already willingly posted. So a big fat security *yawn* on this one.

Bug Filing Number 1

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

Solution: Delete Myspace.

but...

myspace itself is a bug

Re:but...

Some complain that the "Month of MySpace Bugs" should have moved to May, so as to avoid the unfortunate collision with the "Stealing Candy from Babies Day".

Question for slashdot

Can someone tell me why, after all this time, a website as popular as MySpace is still rampant with bugs? I mean.. wouldn't the majority of them be fixed by now, considering how much profit MySpace makes?

And no I don't use MySpace...

PEBKAC

My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all. A lot of the scams I see users getting caught up in on MySpace are basic Phishing scams that trick them into downloading executable files which infect their machines. Sometimes making something too easy to do is a bad thing. While some of the blame probably lies with MySpace and lack of user safety (I can't make any claims because I don't use the service), it's ultimately up to users to choose what not to download and run on their computer regardless of what website it's on. I believe the course is title Internet Common Sense 101.

I thought...

I thought every month was the month of myspace bugs.

I'm probably just crazy, but...

Am I the only person thinking April Fool's? Imagine all the traffic these guys could generate with the myspace hordes hammering their site on apr. 1 trying to learn how to hax their ex girlfriend's accounts and what could potentially be done from there.. Obviously it's just speculation...but *shrug*

Discrimination

I think it is discriminatory to post this story on Slashdot: any comments from your "average" MySpace user will likely get modded "-1 Incomprehensible".

- RG>

Spam friend requests

What about the "bug" wherein bots send spam friend requests (usually, the bot is a female with links to AdultFriendFinder in her profile, and the recipient is male)? What is Tom doing about that? Because I get one of those about every day.

Quick easy one line fix for all Myspace bugs

127.0.0.1 myspace.com

We're encouraging fixing MySpace?

Isn't this sort of like trying to amputate legs from a four-legged duck?

Uhh In case you missed it..

popular sites are.. At least it's only going to be for "fun" and not a real attack.. The web only appears safe, as the hackers have found better ways to cause havoc, then giving people viruses that destroy there data. I think this is going to be an interesting wakeup call to all the sites and users of that site. People should not be misled, as it's not just the security of the website that is being compromised, it is the personal computers too. People need to face the fact that just typing in a url and pressing enter, could be asking for a virus.

Is that really enough time?

I'd imagine they could take all of Q2 with this one.

oh okay

Myspace's Tom might be busy updating his Friendster account i might say

Graphical Exploit?

I want them to address the vulnerability which allows people to post pictures which depict themselves as 1o times hotter than they actually are.

Monoculture

What I don't get is the "monoculture" comment. These guys are complaining that all the web servers are using the same software? Or that the different layers are using the same platform? In neither case having a more diverse platform would reduce the number of bugs or make them less serious. That's especially true for cross site scripting exploits and the like. Having two differetn web servers would not reduce the number of exploits or their seriousness, it would actually probably double them and make them more difficult to diagnose. And having heterogeneous layers wouldn't make a difference at all. I just don't get it.