144 Comments
- poobread, on 10/12/2007, -10/+109As long as something bad happened to Myspace, I don't care how it happened.
- jiminoc, on 10/12/2007, -4/+73they should not allow people to horribly edit their pages. Everyone on myspace thinks they're a web designer when in fact the colors red and blue do not go well together with animated gifs, streaming music and videoclips all on the same page. you bastards! stop!
- i440, on 10/12/2007, -1/+53Security breaches on MySpace are to be expected; the coding is nothing more than a complete mess!
- bbene, on 10/12/2007, -2/+44Don't forget lots of random modifications to layout, 5 personality profiles and a seven mile long page.
- dustyshadow, on 10/12/2007, -1/+27I try to make my page as annoying as possible just to be funny. sorry I pissed you off
- bbene, on 10/12/2007, -1/+26Embedded flash objects aren't AJAX.
- oGMo, on 10/12/2007, -2/+26"It could be very professionally done."
That doesn't guarantee it's not a mess. In fact, most "professional" code is more of a mess than the hobby/free/open source/etc stuff.
- MikeSD34, on 10/12/2007, -0/+21"How do you know it's a complete mess? It could be very professionally done."
View -> Source.
Anyone with any knowledge of HTML will tell you it's horrid, and if the HTML is so bad, one can only imagine what the back-end stuff is like. Ever wonder why it's so slow and throws up errors to the user so often?
- khag7, on 10/12/2007, -3/+22pretty much everyone on myspace uses IE b/c pretty much everyone on myspace doesn't know any better.
- MrShoop, on 10/12/2007, -3/+22Hey, in your blog you say MySpace should have blocked the JavaScript but it is being called from the flash, straight into the url. How can that be blocked other than blocking all flash?
- BitwiseMcgee, on 10/12/2007, -0/+19It does use the xmlHttpRequest object, which is the major part of ajax, plus they are asynchronous, plus it uses javascript. The only part missing is the X (xml) since it uses responseText, its actually ajah...
- Hydroxyl, on 10/12/2007, -2/+19Blocking external SWF files.
Probably allowing YouTube and some other sites.
- nathanmock, on 10/12/2007, -1/+18Mirrored because of the author's concerns:
http://www.aberrant.us/mirror/msswfhack/
- foofightrs777, on 10/12/2007, -3/+20and 93974979202 animated gifs ("icons" as myspace folks are so fond of calling them) do not make you cool. Especially when it's on a busy/animated dark background.
- dshPls, on 10/12/2007, -0/+16They will never block all flash as a lot of people post youtube videos, and their music player is flash....You can't enforce laws with flash either like you can with html, so who knows what the fix will be...
- Haroldx, on 10/12/2007, -2/+15if you don't want to read, it's just a matter of redirecting to an edit page, and redirecting again with post information again to your blog.
- kendawg, on 10/12/2007, -3/+15I am sure MOST of the clueless teenagers using myspace don't know what firefox is.
- DephexTwin, on 10/12/2007, -0/+12Arguing about what precisely should qualify as Web 2.0 is like arguing about what qualifies as "Must See TV". It's all marketing and buzzwords, trying to create some cohesive singular movement out of a collection of technologies, ideas, and business models. Caring about "Web 2.0" is like caring if your Classic Caesar dressing is really "zesty" or not, like the label says.
- halibut, on 10/12/2007, -0/+11http://x.myspace.com/js/myspace.js
line 191 (it's a comment):
"//*****"
Yes but what does it mean?
- sadisticfruit, on 10/12/2007, -0/+11Don't forget, some of the pages are also seven miles wide.
- robdavy, on 10/12/2007, -1/+11@ scott1
"None of the staff on MySpace know to program what they did was the copy pasted other sites codes to build the site."
... and sold it for $580m - still sounds good to me
- dave98, on 10/12/2007, -0/+10Firefox Noscript extension.. whitelisting system that blocks javascript, flash and other plugins from untrusted domains
https://addons.mozilla.org/firefox/722/
- jasonhazel, on 10/12/2007, -4/+14@i440
MySpace IS a web 2.0 site. web 2.0 is not ajax, it is not simple designs with gradients... it is community. myspace is a site powered by the people who use it. just because there is no xmlhttprequest does not mean it is not web 2.0.
- HappyScrappy, on 10/12/2007, -0/+10And people think I'm paranoid for not using flash.
Having flash on means you're potentially accepting and running code from every site you visit. That's incompatible with security.
- dharm, on 10/12/2007, -0/+10i mentioned this a month ago, in a front page article that was about the government starting to collect personal data from myspace.
what i said was that 1x1 pixel flash animations embedded in myspace account profiles are being used to redirect cookies and also the user, using actionscripting. if you know where to look on the net, you can find 1000s of usernames/passwords/email addresses that are being collected from myspace for various reasons.
i got dugg down, i guess people didn't care. Maybe i should have written an article (but i thought it was well known that this was happening)
just google cookie stealing, and you will find out about cookie redirection and stealing. There are also several video tutorials.
- zoombusa, on 10/12/2007, -6/+14about time someone does something about those horribly designed pages.
- zoombusa, on 10/12/2007, -2/+10Actionscript can be pretty fun. It's been a few since I have used it but I remember (with my ***** programming skills) would kill my PC when I created loops. The thing that is nice with Flash is that you can integrate php, cgi, java etc etc. On a side note, I like flash but not the way Myspace uses it. I guess who ever did that exploit did it because loading someone's myspace page will beat down your computer. LOL Payback?
- VioletArrows, on 10/12/2007, -1/+9Time until klownkiller is banned... 10...9...8...7...
- Voodooengine, on 10/12/2007, -0/+7"I'm no ajax guru, but wouldn't that only work on IE? They would have to include support for the xmlhttp object instead of just the MSXML version."
Just thought it was interesting.
How many people use IE to view myspace?
I'm seriously wondering.
- tr0gd0rr, on 10/12/2007, -1/+8Making AJAX work with other browsers is extremely easy and I find it odd that the hacker wouldn't go two lines further. Consider:
// WORKS WITH ALMOST ALL BROWSERS:
try { var x = new XMLHttpRequest(); }
catch (e) {
try { var x = new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e2) { var x = null; } // neither object available: no XHR support at all
}
// YET THE HACKER USED:
var x = new ActiveXObject('Msxml2.XMLHTTP');
- joshfraz, on 10/12/2007, -0/+7He was saying that they should block javascript insertions. Hopefully most webmasters are smart enough to strip "javascript" from posted messages, but not everyone thinks to also check for new lines, tabs, etc. In this case, although "javascript" was blocked, "javanrscript" was not. Many times you can use "javajavascriptscript" since some scripts only strip out "javascipt" once, leaving the code that you want free to execute.
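The two filter-bypass shapes joshfraz describes (a keyword split by a line break, and a keyword nested inside itself so that a one-pass strip leaves a whole copy behind) are easiest to reason about by comparing what the filter sees with what the browser sees. The following is an added example, not code from this thread or from MySpace: `naiveStrip`, `extractScheme` and `isSafeUrl` are hypothetical names, and the sample URLs are constructed.

```javascript
// Added example (not from the thread): a one-pass keyword strip of the kind
// joshfraz describes, beside a scheme allowlist that does not rely on
// removing words from the input at all.

// The naive filter: delete the literal word "javascript" once and assume
// the result is harmless. String.prototype.replace with a string pattern
// replaces only the first occurrence.
function naiveStrip(url) {
  return url.replace("javascript", "");
}

// Browser-style scheme extraction. Browsers ignore ASCII control characters
// (including \n, \r and \t) and surrounding whitespace before reading the
// scheme, so a filter that inspects the raw bytes sees something different
// from what the browser will actually act on.
function extractScheme(url) {
  const cleaned = url.replace(/[\x00-\x1f\x7f]/g, "").trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// The defensive check: accept only http/https, or a relative URL with no
// scheme at all. Anything else is rejected, whatever spelling it uses.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
function isSafeUrl(url) {
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs mirroring the two shapes from the comment.
const SAMPLES = [
  "http://example.com/",
  "/profile/about",
  "javascript:alert(1)",
  "java\n\rscript:alert(1)",          // keyword split by a line break
  "javajavascriptscript:alert(1)",    // keyword nested inside itself
];

// For each input: what the naive filter leaves behind, what scheme a browser
// would read from that leftover, and what the allowlist decides.
function evaluate(urls) {
  return urls.map((u) => {
    const leftover = naiveStrip(u);
    return {
      input: u,
      afterNaiveStrip: leftover,
      browserSchemeOfLeftover: extractScheme(leftover),
      allowlistAccepts: isSafeUrl(u),
    };
  });
}

console.log(JSON.stringify(evaluate(SAMPLES), null, 2));
```

The design point is that a sanitizer should normalize the input the same way its consumer does (drop control characters, trim) and then decide by an allowlist of schemes; deleting blocked words from a string never proves the remainder is clean, which is exactly the gap both bypass shapes exploit.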
- gamerage, on 10/12/2007, -0/+7I see what it does but I don't see the utility in it. I'd love an example of the bad part. Feeling really dense here people. Help me out.
- 42sd, on 10/12/2007, -0/+7I'm no ajax guru, but wouldn't that only work on IE? They would have to include support for the xmlhttp object instead of just the MSXML version.
Just thought it was interesting.
- i440, on 10/12/2007, -0/+6"Anyone with any knowledge of HTML will tell you it's horrid, and if the HTML is so bad, one can only imagine what the back-end stuff is like. Ever wonder why it's so slow and throws up errors to the user so often?"
...And why it sometimes doesn't render correctly in Firefox? Obviously, this was designed with only one goal: to display the page properly in IE.
- scriptdaemon, on 10/12/2007, -1/+7What exactly does/did this "hack" do?
- Setari, on 10/12/2007, -2/+8I bet a good number of myspace users do use Firefox, but only because someone told them it made them cooler or something. I highly doubt that they use it for a good reason or even know that much about the browser.
- mb309, on 12/31/2008, -0/+6that said, I would love to see you design a framework that could support hundreds of millions of people.
- i440, on 10/12/2007, -8/+14Myspace is not a Web 2.0 site. I think that is a very common misconception.
- kinematic, on 10/12/2007, -0/+6Very good point.
Truthful answer: I don't know. However luckily I don't have to figure it out :P
Anyone else got any ideas?
- tekrat, on 10/12/2007, -1/+7Since the author was worried that his/her article may go away I mirrored it here:
http://www.zohowriter.com/public/d6DQ9MB06e7OeL6n8/MySpave-SWF
- i440, on 10/12/2007, -1/+6"MySpace IS a web 2.0 site. web 2.0 is not ajax, it is not simple designs with gradients... it is community. myspace is a site powered by the people who use it. just because there is no xmlhttprequest does not mean it is not web 2.0."
In that case, I take it back. I suppose, then, that I am the one with the misconceptions. ): Anyway, what /are/ webpages with simple designs/gradients/rounded corners/AJAX, then?
- scott1, on 10/12/2007, -0/+5Firefox is too good.
But fortunately a majority of MySpace users use IE.
- Palmer586, on 10/12/2007, -0/+4From that code, seems like it just tags your 'About me' section on your profile, and anyone who looks at your profile then also gets the same treatment.
All those myspace users should be glad the creator didn't get it to change their password and just edit their 'About me' section.
- inactive, on 10/12/2007, -3/+7nelson "ha ha"
- jasonhazel, on 10/12/2007, -0/+4they're sites with ajax, simple designs and gradients :)
you're not the only one with the misconception... i've heard /. redesign called web 2.0 and even ajax.
- Darth_tater, on 10/12/2007, -0/+3now that he explains it, it seems so simple. great job on the explanation...helped me understand it (and i don't know jack ***** about web development.)
- tr0gd0rr, on 10/12/2007, -0/+3So why wouldn't the attacker add a few lines of code to make the AJAX work with the other 25% of browsers? Is this hacking targeting IE?
- Ilyanep, on 10/12/2007, -0/+3"Don't forget, some of the pages are also seven miles wide."
Those piss me off
- Plutonium, on 10/12/2007, -0/+3when i tested this, if you're using firefox it didn't work. the swf didn't redirect. :/
- mikesherov, on 10/12/2007, -0/+3slash n slash r != nr
slash n slash r == line feed then carriage return.