
April to See Month of MySpace Bugs

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace Bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs' fad, the project is set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

  • by Anonymous Coward on Sunday March 18, 2007 @06:53PM (#18397039)
    This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003 [netcraft.com]. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

    Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.

    My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.

  • by Anonymous Coward on Sunday March 18, 2007 @07:00PM (#18397075)
    I have had it happen about 4 times; it's a redirect not properly sanitized (or injected in JavaScript). Each time I'm redirected to http://193.x.x.x/somenasty.html, and it's basically an IE 6.0 exploit. I can guarantee MySpace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!
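The comment above describes an unsanitized redirect: a site parameter that names where to send the browser next, which an attacker can point at a host serving a browser exploit. The following is an added example, not code from the thread or from MySpace, of how such a redirect parameter should be validated on the server side before it is used. It is written in JavaScript (Node, WHATWG `URL`) for illustration; the site origin `https://www.example.com` and the `safeRedirectTarget` function name are assumptions for the example.

```javascript
// Added example (not from the Slashdot thread or MySpace): validating a
// "next"/"return" redirect parameter so it cannot send users off-site.
// The site origin below is a constructed value for the example.
const SITE_ORIGIN = "https://www.example.com";

// Returns a safe absolute URL on the site, or null if the parameter must be
// rejected (the caller then falls back to a fixed page such as the home page).
function safeRedirectTarget(param, siteOrigin = SITE_ORIGIN) {
  if (typeof param !== "string" || param.length === 0 || param.length > 2048) {
    return null;
  }
  // Reject control characters and whitespace: browsers strip them, which
  // defeats naive prefix checks (e.g. "\tjavascript:" or "java\nscript:").
  if (/[\u0000-\u0020\u007f]/.test(param)) return null;

  let target;
  try {
    // Resolve relative to the site so "/home" is allowed, while
    // "//193.0.2.1/x", "/\\evil.net" and "http://193.0.2.1/x" all become
    // absolute URLs whose origin we can inspect.
    target = new URL(param, siteOrigin);
  } catch {
    return null; // unparseable input
  }
  // Only http(s): rules out javascript:, data:, vbscript: and friends.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Same origin only: scheme, host and port must all match the site.
  if (target.origin !== new URL(siteOrigin).origin) return null;
  // Refuse embedded credentials; a userinfo part is never wanted in a redirect.
  if (target.username || target.password) return null;
  return target.href;
}

// Constructed sample inputs: what a request handler might see in ?next=...
const samples = [
  "/home",                              // allowed
  "//193.0.2.1/somenasty.html",         // protocol-relative, off-site
  "http://193.0.2.1/somenasty.html",    // absolute, off-site
  "/\\evil.net",                        // backslash trick, parses as host
  "javascript:alert(1)",                // script scheme
  "https://www.example.com.evil.net/",  // look-alike host
  "https://user@www.example.com/",      // embedded credentials
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

The point of parsing the value with the real URL parser rather than string-matching is that every "is this on my site?" shortcut (starts with `/`, contains my hostname) has a known bypass; comparing the parsed `origin` against the site's own origin is the check that holds.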
  • by SadGeekHermit ( 1077125 ) on Sunday March 18, 2007 @07:35PM (#18397221)
    Maybe I'm old and crusty, and just not "with it," but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

    The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

    The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an easter-egg hunt to find vulns.

    What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.

    It's not cool, it's not funny, and I wish these assholes would just knock it off.

    They should grow up already.

  • Re:I thought... (Score:1, Informative) by Mr Z ( 6791 ) on Sunday March 18, 2007 @08:38PM (#18397539)
    Hint: That "login page" was really a phishing page.
  • Re:well (Score:3, Informative) by dominion ( 3153 ) on Sunday March 18, 2007 @10:04PM (#18398009)
    A decentralized social network would be nifty, but OpenID definitely isn't one.

    I'm working on it... [sourceforge.net] and the plan is to use OpenID for authentication.
