Monday, November 5, 2007

MySpace accont pwnage!

As the title indicates and as I have wanted to write about for some time now, ever since I noticed that the MySpace login page is not protected by any type of encryption, this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the below highlighted output, the username is and their password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071008 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: MSCulture=IP=; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a

Content-Type: application/x-www-form-urlencoded
Content-Length: 586


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf
XGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d;; path=/; HttpOnly
Set-Cookie: MSCulture=IP=;; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d;; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3;; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned;; path=/
Set-Cookie: D
5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=;; path=/
Set-Cookie: MSCulture=IP=;; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=;; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT

I am surprised because I know that MySpace receives a large amount of traffic and has quite the large user base, I would therefore think that they would provide SSL/TLS transport as a minimum to protect the authentication information of their user base. But I am also not surprised by the fact that this is yet another blaring sign pointing to the fact that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humerus of which is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course gaining access to the users account is only the beginning, this opens up the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts. Or they will at least use a basic derrivation of that password, an example would be adding a different number to the end in each instance i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately be able to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the level of expertise / knowledge of the basic ToR user not being that of a security minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short-order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if nothing more than for the login process "This is what google does with gmail, a user browses to and to logon is redirected to the https:// site, after authentication they are directed back to the http:// site".

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-), this is from
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:""; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)
I would like to thank Jeff for sending me some of his pcap data for analysis!



Lee said...

I whole-heartedly agree, this is disturbing given the amount of myspace viewing at almost any coffee-shop frequented by the younger (and sometimes older) crowd.

JJC said...

Excellent thought, I did not say anything about that aspect, but it is certainly a great target location for grabbing account info off of unencrypted public connections. I am surprised in the corporate world to still find a large number of unencrypted webmail servers and the like. I will be writing more on this in a followup posting after a bit more *independent* research.