
MySpace: A Place for Dolts (Blunders of Myspace)

I found an interesting MySpace article today. Even though I don't agree with most of it, it's good reading. The article is older (Jul 17th, 2005), so some of it is outdated. I'm sure it will still give you plenty to comment on! :-)

MySpace: A Place for Dolts (Internet)
By dbickett
Sun Jul 17th, 2005 at 07:37:25 PM EST

You are probably all aware of the ever popular website MySpace.com, where teenagers, adults, and everyone in between goes to engage in incredible ego trips and incessant forays of commenting and message sending. If you've ever visited this angst-ridden, teenie-bopper haven, you'd be surprised to find that it can actually be mildly entertaining, given the right crowd. For the same reason, you wouldn't be at all surprised to find that its concept of security is an incredibly perforated one, given its very rugged and rudimentary feel, and its questionable URL schematics.

As you probably inferred, I am guilty of participating in this never ending bandwidth party online. It's popular for the same reason AIM became popular: it's trendy, computer-illiterate people can manage to make it "go", and consequently 'everyone else is using it'. The resulting chances of you being able to recreate your tangible social network in this ad-infested chaos are high, and soon you become fond of the feeling when you get a message saying someone has commented on your profile. You know that you'll think of an appropriate comment to put on their profile in a few days too, and it will continue this way until you break the internet. Or, as the case may be, you break MySpace (probably more likely as this article suggests, but we're getting ahead of ourselves).

Before I give you factual and logical evidence of the technical blunders this web app has made, I'll build some foundation, starting with the void that "Tom" (the MySpace handle of the creator) received at birth in place of his stylistic intuition. The most noteworthy thing is this: the ads. They're everywhere, absolutely EVERYWHERE. There's one at the top of every page, one on the right when you're checking your messages, and eight others placed strategically beside every other feature, on every other page. If I didn't run Firefox, the problem would probably be exacerbated by the absurd amount of popup windows that would be appearing on my screen. This alone makes the entire experience ridiculous, but it goes on.

There are artifacts of past features where they used to be, saying "This feature no longer exists here. Go here instead." I think there are three or four of these just on the post-login page alone, and though it would be justifiable for the first week after the disappearance, they DON'T GO AWAY. I'm sure I could think of more with very little effort, but I'm going to leave it at this third and final damning trace of stupidity: the Extended Network feature.

You see, when you sign up for MySpace, you instantly have your first friend. You're immediately best buddies with the most popular person on MySpace: Tom. Now, to understand the stupidity of this, you have to understand that this is a social networking mechanism; if I'm friends with John and John is friends with Sally, then Sally is syllogistically my friend, and if I visit her profile it will tell me just that: "Sally is in your extended network". But if EVERYONE is friends with Tom, then there might as well not be an extended network feature at all, and he is defeating the purpose of his time and his website. Basically what I'm saying is, Tom is a dumbshit.

But there's a reason why none of this matters. There's a reason why he wins even though he programs in Cold Fusion (I have yet to meet someone who uses Cold Fusion and isn't a complete moron), even though he has no sense of style or ergonomics, and even though he's lazy as hell: he gets an enormous amount of money from the website. Movies, bands, dating services, clothing companies, non-profit organizations, and even the US Army advertise on MySpace. And if you recall an earlier paragraph, they don't wait in line, because he fits every god damn one of them on the same page. Every page. So you see, there's a reason why I've never been too frustrated with all of the above, because I knew that I could call him out on as many fouls as he made, but as long as he makes (tons of) money and I don't, he wins. Until now.

Finally, we get to the crashing end of this dissertation, beginning with me trudging through everything I've elaborated on so far: I was using MySpace. Now of course, like any good businessman, he's going to do everything in his power to make you join his website. As such, unless you are logged in you can only see the bare surface: you can see someone's profile, but you can't see all of his or her friends, comments, blog posts, and, worst of all, you can't see all of their pictures. Tragic, right? So we join, and we are sucked into this black hole. The point I'm making is, you're not going to be able to exploit this flaw unless you have an account, so let's all run over there, now, and sign up. (I know I'm getting a lot of "Yeah, right" looks now).

Here I am, however, browsing someone's extended page of friends, and I notice something curious in the URL that doesn't appear anywhere else: userName. Now, anyone that's written some kind of LAMP web app (admittedly, this is not a LAMP app, but the same principles apply) that was at all user-oriented will know that the key to the database table is, in MySQL terms, the Primary Key. It's the id of the row that tells you absolutely everything about a user, and usually when you're viewing something related to that user (like the user's profile, for instance) you simply put the user's id in the URL of a link. From this, you can display all of the user's information using one database query, right? Exactly. But it looks like Tom got a little too lazy.

Tom had no problem querying for the user's name on the profile page, but when you're viewing their extended friends it seems like Tom took a shortcut. In order to display the user's name on the View Friends page, he uses a variable in the URL called userName that, as it suggests, informs the script of the user's name. The page uses this name to write the link "Back to <userName>'s profile" and the header "<userName>'s Friends", and I couldn't help but laugh smugly. I didn't even consider that this wasn't just an innocent (and extremely novice) programming mistake, and any number of practical jokes could be played by sending people links to their friend's pages with the name changed to something defamatory or jocular. But then I wondered, just how direct was the passage of this variable in the URL to the screen in front of me? I decided to find out.

I started putting little HTML snippets in this userName variable in the URL. I used "</table>" first, and since userName appeared in several nested tables, the visual became very warped. This confirmed that Tom wasn't checking the validity or content of the userName variable at all; he made the tell-tale mistake of trusting the input from the client, and now he was paying for it. Next I tried inserting JavaScript, knowing that he filtered it out in all of the other pages, and sure enough something simple like <script>document.write(document.cookie);</script> revealed a whole slew of information in the place of this user's name.

What was at first a simple practical joke or internet "magic trick" that could be used to impress or confuse your friends was now a massive security breach that could, with a little effort and know-how, enable snooping into, or even compromising of, people's accounts. Links could be propagated that contained remotely linked JavaScript files (commonly known as "cross-site scripting", or XSS), and as soon as people clicked the link their cookie could be snatched surreptitiously. I've taken a look at these cookies, and unfortunately Tom wasn't silly enough to put the password on the client's machine; however, he does put a ridiculous amount of information there. Two of them are base64 encoded: one ends up as plain text containing all of your profile information, while the other is a bunch of garbled nonsense that is evidently masked even further; however, I don't recognize the format.
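The flaw dbickett describes above is a textbook reflected XSS: a URL parameter (userName) is written into the page without output encoding, and because the session cookies are readable from script, an injected snippet can read them. The following Python is an added example, not code from the article or from MySpace itself, written from the defender's side. It puts the vulnerable string concatenation beside the hardened version, scans constructed access-log lines for userName values that carry markup, and builds a session cookie with the HttpOnly and Secure flags that would keep `document.cookie` from exposing it. The `/viewfriends.cfm` path, the `friendID` parameter, the log format and every log line are constructed for this example.

```python
import html
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse


# The mistake the article describes: the userName URL parameter is written
# straight into the "<userName>'s Friends" header with no encoding.
def render_friends_header_vulnerable(user_name: str) -> str:
    return f"<h1>{user_name}'s Friends</h1>"


# Hardened form: HTML-encode the value at the point of output. quote=True
# also encodes " and ', so the same value is safe inside attribute values
# (for instance a title="" on the "Back to <userName>'s profile" link).
def render_friends_header(user_name: str) -> str:
    return f"<h1>{html.escape(user_name, quote=True)}'s Friends</h1>"


# Server-side detection over access logs: pull the request URL out of each
# line and flag userName values containing characters that change HTML.
# Log format, /viewfriends.cfm and friendID are constructed (hypothetical).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def flag_suspicious_username_requests(log_lines):
    """Return (line number, decoded userName value) for each request whose
    userName parameter contains markup or script-looking content."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so %3C has already become '<' here
        params = parse_qs(urlparse(match.group(1)).query)
        for value in params.get("userName", []):
            if MARKUP_RE.search(value):
                hits.append((number, value))
    return hits


# Limiting the cookie-theft consequence: a session cookie marked HttpOnly is
# not readable through document.cookie, and Secure keeps it off plain HTTP.
# This does not fix the injection itself; it narrows what a script can reach.
def session_cookie_header(session_id: str) -> str:
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /viewfriends.cfm?friendID=12345&userName=Sally HTTP/1.1" 200',
    '10.0.0.7 - - "GET /viewfriends.cfm?friendID=12345&userName=%3C/table%3E HTTP/1.1" 200',
    '10.0.0.9 - - "GET /viewfriends.cfm?friendID=12345&userName=%3Cscript%3Edocument.write(document.cookie)%3C/script%3E HTTP/1.1" 200',
]


if __name__ == "__main__":
    print(render_friends_header_vulnerable("</table>"))
    print(render_friends_header("</table>"))
    for number, value in flag_suspicious_username_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious userName={value!r}")
    print(session_cookie_header("constructed-session-id"))
```

The encoding fix is the one that actually closes the hole; the log scan and the cookie flags are defence in depth, useful for spotting that a page is being probed and for keeping a session token out of reach of any script that does get injected.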

To sum this up, I'll tell you that the latter part of this article (the part where I address the security issue) is nothing new. A quick google search for any combination of "Myspace", "cookies", or "XSS" reveals that there are numerous instances exactly like this one where XSS was possible on MySpace, but they were either on forums with "binary" in the name and Matrix-mock-up backgrounds, or elitist security websites that do this kind of thing on a regular basis. However, as far as I can tell this one hasn't been reported.

The whole situation simply highlights the double-edged sword that is the internet: it's an incredible source of exposure and accessibility, but any old moron can make a buck or two if he has the time and the motivation. And, to Tom's credit, he has made a buck or two.

Original Article Link
