Gone phishing at MySpace: II
p2pnet.net News:- On Sunday p2pnet posted an item from Gulli in Germany describing new phishing activities on MySpace.
Here’s a follow-up from Randolf Jorberg:
When writing about the stalkertrack MySpace tracker scam I didn’t speak about the service in itself, as users are promised access to it, but will never ever receive it from stalkertrack.com. But the whole issue of profile trackers at MySpace is indeed interesting and worth an extra post. At the Washington Post’s Security Fix, Brian Krebs covered that a few months ago, but only gave a vague idea about the technical details and possibilities on MySpace.
There are two different kinds of MySpace tracking services out there: those that go with the MySpace TOS and those that don’t. The legitimate services (like profilesnitch.com) can only show the data that every homepage owner can gather from his visitors: the visitor’s location (via IP), time, operating system, etc. The latter ones can show you the profile nickname, picture and even the registered email address of every MySpace user visiting your profile on top! This surely is a serious privacy leakage that MySpace needs to fix permanently. The illegitimate services are only stopped from working as MySpace manually deactivates them, as their hide-and-seek continues. Using custom hosted scripts (available via eBay (1, 2)) and other scripts that are not publicly sold, like “Project Tenyer”, the script used by stalkertrack.com, you can circumvent this limitation and host the scripts yourself.
These JavaScripts read the email address and all MySpace IDs the user was ever logged in with on the same PC, and grab the profile picture, name, and URL from home.myspace.com/index.cfm?fuseaction=user (which is where the MySpace user’s main panel is, where they can edit their profile, etc.). The information contained in the cookie alone is sufficient for the tracker user to get the full user privileges for the length of the active session (that lasts 6 hours). He is only stopped from changing email address or password by MySpace security routines.
As long as all authentication cookies and user-maintained pages are hosted on the same domain, it is very hard if not impossible to fight trackers and other cross-site scripting attacks on MySpace. There’s a good reason why intelligent companies like Google keep their users’ homepages out of reach of the google.com domain, but give them googlepages.com URLs, and why social networks like Flickr disallow any kind of active user content to be included in user pages. It is now MySpace’s task to restructure its architecture into a safe environment for all surfers. This, plus the fact that MySpace saves an unnecessarily high amount of data in its cookies, makes such trackers so easy to realize.
Stay tuned.
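The architectural point in the post above (authentication cookies and user-authored pages sharing one domain) can be checked mechanically. The following is an added example, not part of the original post: it applies RFC 6265 domain matching to a constructed cookie list, and all hostnames and cookie names in it are hypothetical.

```javascript
// Added example, not from the original post. All hosts and cookie names are constructed.

// RFC 6265 domain-match: a Domain attribute covers that host and every subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Would script running on pageHost see this cookie through document.cookie?
// Path is ignored on purpose: it is not a security boundary between pages on one host.
function readableByScript(cookie, pageHost) {
  if (cookie.httpOnly) return false; // HttpOnly cookies are hidden from document.cookie
  if (cookie.domain) return domainMatches(pageHost, cookie.domain);
  return pageHost.toLowerCase() === cookie.setBy.toLowerCase(); // host-only cookie
}

// Audit: which cookies are exposed to script on hosts that serve user-authored pages?
function exposedCookies(cookies, userContentHosts) {
  const findings = [];
  for (const host of userContentHosts) {
    for (const c of cookies) {
      if (readableByScript(c, host)) findings.push(`${c.name}@${host}`);
    }
  }
  return findings;
}

// Constructed sample: one session cookie scoped to the whole site domain.
const sessionCookies = [
  { name: "SESSION", setBy: "login.example-social.test",
    domain: ".example-social.test", httpOnly: false },
];

// Layout 1: profiles live under the same domain as the login cookie (exposed).
const sharedDomain = exposedCookies(sessionCookies, ["profile.example-social.test"]);
// Layout 2: profiles moved to a separate domain, as with googlepages.com (not exposed).
const separateDomain = exposedCookies(sessionCookies, ["pages.example-usercontent.test"]);
// Layout 3: same domain, but the session cookie is marked HttpOnly (not exposed).
const hardened = exposedCookies(
  sessionCookies.map((c) => ({ ...c, httpOnly: true })),
  ["profile.example-social.test"]
);

console.log({ sharedDomain, separateDomain, hardened });
```

HttpOnly only hides the cookie from script; a page on the same domain can still issue authenticated requests, which is why moving user content to a separate domain is the stronger of the two fixes.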
Also See:
phishing activities – Gone phishing at MySpace, January 28, 2007
Randolf Jorberg – MySpace sexual offenders dbase, January 31, 2007





