Month Of MySpace Bugs is a Go

Well, it seems that the Month Of Myspace Bugs is going ahead, and with a European mirror configured as well, just in case of a U.S based shutdown. Great thinking guys! Here's the link to the site. http://momby.livejournal.com/ And the first advisory: Advisory MOMBY-00000001: MySpace Official URL Spoofing Press Embargo until April 1, 2007 Rankings: Noobs: ***** LOLs: ** 0wnz: * Myspace allows registered users to create arbitrary pathnames under the http://www.myspace.com/ domain. This can be used in the furtherance of a confidence scheme. Example: http://www.myspace.com/PasswordReset Details: Upon creating a new account, users are presented with an option to pick a MySpace Name/URL, as shown on this screenshot (click). Combined with the allowed CSS editing that allows users to essentially create custom layouts which may appear exactly as the targeted (or invented) MySpace service (such as a password resetting web application), and the "remember my password" functionality of some browsers which respect only domain names + form input names, this technique can help create a very convincing illusion of MySpace officialdom. As an example, the personal profile for "Mondo Armando" is now registered as the above example URL, which can now be used to trick victims into setting a password to a value known by, well, me. The downside (from the attacker's perspective) is that there are technically finite variations. However, a url such as "http://www.myspace.com/PasswordActivate" and "PASSW0RDRESET" may work just as well, so it'll be a while before all the "good" target URLs are taken. Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi