April to See Month of MySpace Bugs

Posted by Zonk
from the next-up-a-month-of-teddy-bear-bugs dept.
An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace Bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', it is set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"
  • by Anonymous Coward on Sunday March 18, 2007 @06:31PM (#18396909)
    You'd think they'd do a year of MySpace bugs.
  • It's like PMS, but all month long!
  • Just goes to show you once software has enough of a user base to make it profitable to exploit bugs, people will start finding them.
    • Re:well (Score:5, Interesting)

      by Omnifarious (11933) * <eric-slashNO@SPAMomnifarious.org> on Sunday March 18, 2007 @06:53PM (#18397037) Homepage Journal

      Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

      Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID [openid.net]. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

      • by bconway (63464) *
        Which is all the more reason to make sure that no software ever has a really huge user base.

        Maybe they should introduce some bugs to slow the user base growth.
      • Re: (Score:3, Interesting)

        by natrius (642724)
        Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID.

          How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs [facebook.com] that let you access their friend data.
        • by mdwh2 (535323)
            How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.

          OpenID means you can comment on other people's blogs/pages without getting a log-in or doing so anonymously.
          • How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.

          Because you could add someone as a MySpace friend without them having to have a MySpace account if MySpace implemented OpenID. If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel m

          • If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel much less compelled to build a home on MySpace just so they could interact with a friend who had a home there

            And now we know why none of the "social networking" sites will ever adopt this.
        • Re: (Score:3, Informative)

          by dominion (3153)
          A decentralized social network would be nifty, but OpenID definitely isn't one.

          I'm working on it... [sourceforge.net] and the plan is to use OpenID for authentication.
        • by mkosmo (768069) *
            How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.

          However, Facebook's API better be damn secure (and not needing even a week of bugs) or else a lot of people would be mighty ticked off. Especially these people that think that stuff on their social networking profile is private and secure. Maybe somebody should let them know that the in
      • Am I the only one who thinks MySpace's UI is incredibly ugly and poorly-put-together?

        And why is it that as of a couple years ago everyone is "in your extended network?" Is there even an "extended network" anymore?
        • by Kraeloc (869412)
            It's because Tom, in his infinite genius, set himself as a default friend of all new users. And most users are too damn stupid to remove him. And since EVERYONE is friends with Tom, everyone is in the same extended network. It renders that feature completely useless, and is a good indicator of the amount of thought they actually put into the design.
        • by parkrrrr (30782)

          Am I the only one who thinks MySpace's UI is incredibly ugly and poorly-put-together?

          Nope. It's about the worst-written thing on the Internet today.

          Just try writing your own CSS for your profile page. There's no consistent use of classes or IDs, what classes there are are named for their default formatting characteristics rather than their usage (e.g. "whitetext12"), the whole thing is made up of generically-named or anonymous nested tables to an extent that would have made even a mid-nineties "web

  • by Anonymous Coward on Sunday March 18, 2007 @06:44PM (#18396983)
    Bugtrack announced that on May first, they will start their 200th consecutive month of Microsoft bugs, give them a nice applause!
  • Once they post the bugs, until they get fixed, we'll get this message: "Sorry! an unexpected error has occurred. This error has been forwarded to MySpace's technical group." Remember when the music player [slashdot.org] was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...
    • by quanticle (843097)
      >>Remember when the music player was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...<<

        Not necessarily. The music player was quickly patched because a vulnerability in the music player made it possible to download (read: pirate) music. It's comparable to the DRM vulnerability that Microsoft fixed in three days and issued an out-of-cycle patch for. The bugs uncovered by this project are likely to be more mundane bugs that won't be patched so quickly.
  • by Anonymous Coward
    This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003 [netcraft.com]. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

    Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applicat
    • Re: (Score:2, Interesting)

      by DrSkwid (118965)
      Windows is a twisty maze of passages, all alike, all leaking information.
      Root/Administrator is a design flaw.
      All the platforms you mention have holes in them.

      And PHP is a crock, steer well clear. See http://www.php-security.org/ [php-security.org]

      • There are 11 types of people in the world, those who know binaries and those who don't.

        At the risk of being labeled a pedant, that joke is only funny if you use 'binary' instead of 'binaries'; those are different things. It's almost like people who 'duel' boot their computers or ask you to 'bare' with them, except those are unintentionally funny. Homophonic Joke ----> O -+- | - Product of American Public Education / \ "Obviously, the 'Three R's' don't include spelling."

        • I could be categorizing myself into the not-understanding group here but 11 in binary is 3 in decimal. GP's sig only lists two. /shrug
      • All platforms have holes in them.
    • According to Netcraft, MySpace uses IIS 6 on Windows Server 2003.

      You may be right about MySpace using Windows, but remember, all Netcraft can really tell you is what technology they use to face the Interweb. What really runs the MySpace machine may be quite different. Could be squirrels, for all Netcraft can really tell. But you're probably right...

      • by dave562 (969951)
        Given the number of MS SQL server errors I saw a year or two ago, it's pretty safe to assume that they are running on an MS backend.
  • Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall, but I imagine anyone on the receiving end wouldn't find it funny at all, even if the recipient is some 1337 hax0r. At the most extreme end, humans are vulnerable to failure when a bullet is put through the head, but rational people agree that we don't approve of exploiting that vulnerability for fun and profit.

    Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal. There
    • Re: (Score:3, Insightful)

      by QuantumG (50515) *
        Because they claim they are secure. It's like if someone was to build a big fence around their property, place armed guards, security cameras, attack dogs, and then boast in a local newspaper that they are secure.. you'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.
      • Re: (Score:3, Insightful)

        by robla (4860) *
        I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.
    • Re: (Score:2, Informative)

      Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

      The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

      The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for
      • Re: (Score:1, Flamebait)

        by QuantumG (50515) *
        Or, ya know, you could write code without security issues already. Most "wall of shame" sites are exactly that. The message is: these guys are idiots, switch to someone else as quickly as possible.
        • Re: (Score:2, Insightful)

          It has been long established that it is simply NOT POSSIBLE to write software without bugs.

          The best that any developer can hope for is to find the bugs quickly and remove them.

          Stunts like this only serve to attack a development project without doing anything productive to help fix it.

          Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

          They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

          And it IS perfectly arbitrary
          • by QuantumG (50515) * <qg@biodome.org> on Sunday March 18, 2007 @08:20PM (#18397415) Homepage Journal
            Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.
            • But you forget.

              This is not the only "month of X bugs" that has happened.

              The others were ALL about one or another software package.

              I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.

              • by QuantumG (50515) *
                If you work in the security industry sure.. if you're a user who feels they are getting poor service you yell it from the rooftops. Think about it this way.. if you found out your keyless entry system to your car was broken and any idiot could get into your car with a $2 transmitter, would you go quietly to the company and help them "mitigate" the damage or would you send this information to your local newspaper or current affairs show so they can tell as many people as possible to steer clear of this manu
                • In response to your analogy, NO, I wouldn't tell the whole world about it. I'd figure out a way to FIX it, like finding a local shop that can replace the keyless entry system, and THEN, I'd tell everybody how to go to the shop and fix their systems. I'd give them SOME information, for instance telling them about how it's possible to steal a car with equipment available to thieves, but I would NOT tell them enough to let them go get a transmitter of their OWN.

                  Reason being: the object is to SOLVE the problem,
                  • by QuantumG (50515) *
                    And while you're solving the motor companies problems for them, they'll be sure to put a lot of effort into making sure it never happens again, right?

                    Have you ever stopped to think that maybe all this do-gooding attitude is the reason why computer security is so bad? You're just co-conspirators.
                    • by QuantumG (50515) *
                      You're the assholes who keep buying the same software every year even though it has big fat flaws in it and better alternatives exist.

                    • by QuantumG (50515) *
                        You talk like a prick. Sound like a prick. Have the point of view of a prick. Claiming to be superior because it's your job doesn't mean anything. You could be just lying for all we know. I bet you anything you can't make a rational argument if you tried, so to me, you ARE a prick.

                      The fundamental disconnect here is that you think you're so important because you "work the problem" as you say. My argument (you know, the part of discussion that is productive) is that the problem isn't people breaking into yo
                  • Sometimes increasing the magnitude of the problem is the only way to solve it, because some businesses won't bother to do anything unless the problem is widespread. Will the company do anything if it only affects 0.1% of customers? Probably not, but it's a pretty shitty situation for the people in the 0.1%.
                    • ... you should never EVER ...
                      Never use absolutes, because they are always wrong. Would you care to explain how you would go about writing your own patch for a closed-source system? Hell, suppose the exploit is in some network device which employs signed firmware. Even if you could write a patch, you couldn't apply it.
                • Basically these "month of x bugs" are free security audits. I'd much rather have someone finding vulnerabilities in my code and saying something, even if it's public, than someone else finding 30 vulnerabilities and owning me over and over.
      • Re: (Score:3, Insightful)

        by Watson Ladd (955755)
        The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.
        • The problem with your point of view is that you aren't hurting the VENDOR, you're hurting his CUSTOMERS who have done you (and the world) no harm.

          The vendor isn't the primary entity harmed because he's already got his license fee from each customer. Also, it's not the vendor that will be attacked by script kiddies, it'll be his customers, who, again, have done you no harm.

          The most you'll do to the vendor is give him a little bad P.R. Vendors don't care. They just hire a P.R. firm to "manage spin". The peopl
          • by dave562 (969951)
            As a sysadmin, I can take every precaution available to me, I can take every vendor-mandated step... Despite all that, all it takes is for some idiot to whip up a "month of bugs" and blammo, I'm hosed. All because some annoying little bastard wants to attention-whore out his new "security site".

            So let me get this straight... all it takes is a few moments of you not staying up with the cutting edge of security research and your site might get owned? Whoa there turbo! Stop the presses!! Say it ain't so.

            Ha

      • by jamesh (87723)

        It's not cool, it's not funny, and I wish these assholes would just knock it off.

          The curious thing is, if you created a TV program out of it, and added silly sound effects and a silly voiceover, it would be funny. If Funniest Home Videos has taught us nothing else, it has at least taught us that pain and misfortune are funny when they happen to other people.

          If it was my application under the spotlight it would be a completely different matter...
      • by DrSkwid (118965)
        Most of the Month of X Bug websites seen recently already did that stuff and nothing happened.

        This one : http://www.php-security.org/ [php-security.org] was even done by an ex-member of the PHP security team because they weren't taking him seriously.
        • Uh huh. SURE they did.

          What's really happening here is, things are easier to break than to fix. So a bunch of guys can figure out 30 snarky ways of breaking something, slap together a website, and try to get some attention by attempting to publicly humiliate whatever vendor has pissed them off most recently. They don't think for an instant about what's going to happen when script kiddies start using the ACTUAL EXPLOIT CODE they publish to attack every website under the sun. Or maybe they do -- but that only
          • by dave562 (969951)
              So some guy in Wichita has a website that runs PHP, and his ISP hasn't updated quickly enough, and he's hacked by some schmuck script kiddie who's bored -- all through no fault of his own or even his ISP's.

            No fault of his ISP's? If PHP had MS style Automagic Updates then staying up to date wouldn't be a problem. It is completely the fault of the ISP for not staying up to date with the patches. If you are in the business of providing software to users then you are in the business of keeping that software

        • Whilst he's a very good security researcher, Stefan Esser has a reputation for being very hard to work with.

          He claims that month of PHP bugs was created because he couldn't get the fixes into PHP. Whilst this may be true for PHP, he recently announced a vulnerability in mod_security [modsecurity.org] complete with P.O.C code as part of MOPB. This had nothing to do with PHP, and Esser didn't bother to notify the mod_security team before releasing it [modsecurity.org].
      • MySpace is a piece of shit. It really is. They are sailing on an enormous userbase and haven't done a damn thing with the site. They are fat and lazy.

        Let them squirm a little while. Will you suffer? No. Will anyone other than MySpace's fifty employees suffer? No. Will they suffer for more than a month? No.

        Relax, chief.
        • Look, I couldn't care less about MySpace. I don't use or read the site.

          My problem is that these "month of X bugs" are coming out for lots of vendors and platforms that in turn serve a WHOLE lot of companies and websites.

          This trend is a rotten, rotten idea.

          You don't get people to wear bulletproof vests by giving free Saturday Night Specials to every degenerate who wants one.

          The whole practice stinks.

          • by StarKruzr (74642)
            so you're more criticizing the practice in general than MySpace as a target.

            Fair enough. What is the proper way to go about getting big vendors like this to fix their security holes, then? If someone with a generally white-hat motivation doesn't do it, someone less benevolent will eventually.
      • by Nazlfrag (1035012)
        It's simple. A known exploit is much less dangerous than an unknown one. Security by obscurity is an invalid tactic.
      • by dave562 (969951)
        The script kiddies already own MySpace. At this point I see the Month of Myspace Bugs as a good reference for EVERYONE ELSE who uses MySpace and who might be holding onto some false notion that the site is actually secure or safe to use. I have "fixed" more Windows boxen than I care to admit to and the one thing that they all have in common is MySpace. MySpace is simply the breeding ground for new exploit code. I have seen computers that have withstood the nastiest browser exploits and malware infection
    • by Threni (635302)
      > Why is it "funny" to exploit security bugs?
      > Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall,
      > Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal.

      I'd take issue with your analogy. Defacing a website is nothing like defacing someone's home. For one thing, it's not someone's home. It's almost as bad as the old "you wouldn't steal a car, so why would you download a stream of numbers via tcp/ip?" argument al
      • Your garage then. You don't live there (though I don't see why you think that's relevant). It just costs you a little time and money to paint over afterwards. I don't see how being on a computer or on the Internet is magically different.

        And this is not like taking v. copying. This is doing direct, visible damage v. doing direct, visible damage. If this was a manuscript I was writing you'd (I assume) say 'yeah, it's wrong for them to burn it', but if it's an electronic manuscript, suddenly destroying it is

    • I think it's more like breaking into someone's home and rearranging the furniture.

      It's a nuisance, but not irreparable.

      - RG>
  • by Anonymous Coward on Sunday March 18, 2007 @07:00PM (#18397075)
    I have had it happen about 4 times; it's a redirect not properly sanitized (or injected in JavaScript). Each time I'm redirected to http://193.x.x.x/somenasty.html [x.x.x], and it's basically an IE 6.0 exploit. I can guarantee MySpace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!
  • "It's funny but it's not a joke."

    Then launch it on April 2. April 1 is a Sunday anyway, and some hax0rz actually do toil thee not on their Sabbath.
  • by sfjoe (470510) on Sunday March 18, 2007 @07:13PM (#18397121)
    I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
    If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them is then a fool's errand.
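The allowlist principle in the comment above, as an added example that is not code from this thread or from MySpace: a denylist filter that rejects known-bad patterns sits beside an allowlist sanitizer that rebuilds user-supplied profile HTML from only the tags, attributes and URL schemes it explicitly permits. The tag and attribute sets and the sample snippets are assumptions chosen for illustration.

```python
"""Allowlist vs denylist handling of user-supplied profile HTML.

Added example; not code from the thread or from MySpace. The tag and
attribute sets and the sample snippets are assumptions for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# --- Denylist: "detect known-bad patterns and reject" ---------------------
# The pattern-detection approach the comment criticises: every string the
# list does not name passes through untouched, so the list is never finished.
_BAD_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)


def denylist_filter(html: str) -> Optional[str]:
    """Return the input unchanged unless it matches a listed pattern (then None)."""
    return None if _BAD_PATTERNS.search(html) else html


# --- Allowlist: "that which is not explicitly allowed is denied" ----------
ALLOWED_TAGS = {"p", "br", "b", "i", "a"}        # assumed profile markup subset
ALLOWED_ATTRS = {"a": {"href"}}                  # every other attribute is dropped
_DROP_CONTENT = {"script", "style"}              # tag and its text both discarded


def _safe_href(url: str) -> bool:
    """Accept only absolute http(s) links; every other scheme is denied."""
    return urlparse(url.strip()).scheme.lower() in {"http", "https"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from scratch, emitting only what is listed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop = 0          # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_CONTENT:
            self._drop += 1
            return
        if self._drop or tag not in ALLOWED_TAGS:
            return              # unlisted tag vanishes; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in _DROP_CONTENT:
            self._drop = max(0, self._drop - 1)
        elif not self._drop and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop:
            self.out.append(escape(data, quote=False))   # text is re-escaped


def allowlist_sanitize(html: str) -> str:
    """Return the sanitized markup for one profile snippet."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample profile snippets (not real MySpace content).
PROFILE_SNIPPETS = {
    "plain":   '<p>Hi, I\'m <b>Tom</b>. <a href="https://example.com/band">my band</a></p>',
    "script":  "<p>hello<script>alert(1)</script></p>",
    "handler": '<p>hello<img src="x" onerror="alert(1)"></p>',
    "variant": '<p><b onmouseover="alert(1)">hover me</b></p>',   # handler not on the denylist
    "jsurl":   '<p><a href="javascript:alert(1)">click</a></p>',
}


def compare(snippets=PROFILE_SNIPPETS):
    """Map each snippet name to (denylist result, allowlist result)."""
    return {name: (denylist_filter(h), allowlist_sanitize(h)) for name, h in snippets.items()}


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:8} denylist={'REJECT' if deny is None else 'pass'}  allowlist={allow}")
```

The "variant" snippet passes the denylist untouched because its event handler is not on the list, while the allowlist sanitizer drops the attribute without needing to know about it.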

    • Their entire business model is basically to get other people to generate cool stuff and then put their ads next to it.

      Restricting MySpace in any way would quickly lead to less interesting stuff and thus less ad revenue.
  • Users post personal data for identity thieves to download.

    After that, all other "bugs" are 100% irrelevant; anything you would want to hack is already willingly posted. So a big fat security *yawn* on this one.

    • by pagerwho (1071772)
      *Sigh* When will people learn? MySpace is highly susceptible to hacking, and the distribution of malware. Security does not end at personal information; security is cracking down on spam, cracking down on scripts, and ultimately making it safe to browse.

      I personally have discovered viruses being distributed using MySpace; would one consider this secure? I certainly don't. Last time I checked, MySpace has no code to protect against scripts that create user accounts and spam the living daylights out of every
  • by Anonymous Coward on Sunday March 18, 2007 @07:21PM (#18397153)
    Status: OLD

    Severity: Major

    Reproducible: Always

    Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

    Solution: Delete Myspace.
    • If they truly were emo, they wouldn't be cutting. Replace emo with whiny.
    • Status: OLD

      Severity: Major

      Reproducible: Always

      Description: MySpace is like an ugly hooker; you wonder how she gets so much action when she's so hideous.

      Solution: Bring the web designer from the 90's back to the present. Will need: flux capacitor, 1.21 jigawatts.
    • Actually, LiveJournal's cornered the market on emo kids. MySpace is more about the people who give the emo kids wedgies.

  • but... (Score:5, Funny)

    by netdur (816698) on Sunday March 18, 2007 @07:25PM (#18397179) Homepage
    myspace itself is a bug
  • by Anonymous Coward
    Can someone tell me why, after all this time, a website as popular as MySpace is still rampant with bugs? I mean.. wouldn't the majority of them be fixed by now, considering how much profit MySpace makes?

    And no I don't use MySpace...
  • by mdboyd (969169)
    My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all. A lot of the scams I see users getting caught up in on MySpace are basic phishing scams that trick them into downloading executable files which infect their machines. Sometimes making something too easy to do is a bad thing. While some of the blame probably lies with MySpace and lack of user safety (I can't make any claims because I don't use the service), it's ultimately up to
    • by maxume (22995)
      Also, there should be more intelligence testing before we let people read books. Stupid people might make some bad conclusions or something.
    • by mdwh2 (535323)
      My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all.

      And there was me thinking that it's better to use existing tools than to reinvent the wheel (not that I think MySpace is a good tool, but that's another matter).
    • by uqbar (102695)
      While the snotty attitude works on slashdot, in the real world intelligent, but not terribly tech savvy people have real uses for this technology. There are lots of similar sites that don't have the massive number of XSS exploits and related scams you see on MySpace. It's mind boggling that they haven't figured out how to even come close to shoring up these problems.

      And when someone spots XSS redirects on an account, you'd think that all links to the phishing page would be cleaned up - but I've seen the s
  • I thought every month was the month of myspace bugs.
    • Re: (Score:2, Funny)

      by UbuntuDupe (970646) *
      That's been my feeling as well. Someone sent me a link to someone's MySpace site a few months back, and when I got there, someone had just completely trashed the page. Everything was just strewn all over the place without any rhyme or reason. Whoever defaced the site also made some crappy music download and play whether you wanted to hear it or not, with no obvious way to silence it. If you clicked on a link to go anywhere, it would for some reason just take you to a login screen. WTF?

      I hope that got
      • Re: (Score:1, Informative)

        by Mr Z (6791)
        Hint: That "login page" was really a phishing page.
  • Am I the only person thinking April Fool's? Imagine all the traffic these guys could generate with the myspace hordes hammering their site on apr. 1 trying to learn how to hax their ex girlfriend's accounts and what could potentially be done from there.. Obviously it's just speculation...but *shrug*
  • I think it is discriminatory to post this story on Slashdot: any comments from your "average" MySpace user will likely get modded "-1 Incomprehensible".

    - RG>
  • What about the "bug" wherein bots send spam friend requests (usually, the bot is a female with links to AdultFriendFinder in her profile, and the recipient is male)? What is Tom doing about that? Because I get one of those about every day.
  • by britneys 9th husband (741556) on Sunday March 18, 2007 @11:21PM (#18398339) Homepage Journal
    127.0.0.1 myspace.com
  • Isn't this sort of like trying to amputate legs from a four-legged duck?
  • popular sites are.. At least it's only going to be for "fun" and not a real attack.. The web only appears safe, as the hackers have found better ways to cause havoc than giving people viruses that destroy their data. I think this is going to be an interesting wakeup call to all the sites and users of that site. People should not be misled, as it's not just the security of the website that is being compromised, it is the personal computers too. People need to face the fact that just typing in a URL and pres
