Monday, November 5, 2007

MySpace accont pwnage!

As the title indicates and as I have wanted to write about for some time now, ever since I noticed that the MySpace login page is not protected by any type of encryption, this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the below highlighted output, the username is j00r_myspace_pwned@hotmail.com and their password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
Host: secure.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ%3D%3D; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a

Content-Type: application/x-www-form-urlencoded
Content-Length: 586

__VIEWSTATE=%2FwEPDwUKMTI3ODg2ODMzM2QYAQUeX19Db250cm9sc1JlcXV
pcmVQb3N0QmFja0tleV9fFgIFMGN0bDAwJE1haW4kU3BsYXNoRGlzcGxheSRjdGw
wMCRSZW1lbWJlcl9DaGVja2JveAUwY3RsMDAkTWFpbiRTcGxhc2hEaXNwbGF5JG
N0bDAwJExvZ2luX0ltYWdlQnV0dG9u&NextPage=&ctl00%24Main%24Splash
Display%24ctl00%24
Email_Textbox=j00r_myspace_pwned%40hotmail.com
&ctl00%24Main%24SplashDisplay%24ctl00%24
Password_Textbox=password12345&ctl00%24Main%24SplashDisplay
%24ctl00%24Login_ImageButton.x=26&ctl00%24Main%24SplashDisplay%24ctl00%24Login_ImageButton.y=14&ctl00%24
Main%24SplashDisplay%24ctl00%24nexturl=&ctl00%24Main%24SplashDisplay%24ctl00%24apikey=

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Location: http://login.myspace.com/index.cfm?fuseaction=ad&MyToken=2d99f690-abae-4839-97dd-64b48d1edd52
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf
7HTAYB8jdhQyx49ULlkCUT4DL0iORqNL8Q3CvSdRwS7zT7cyBNC%2fg6%2b0Hy1D4NGHQcSzIXJ2tGg2%2bz5kCDPrARZVK5qgsSbI90ouN5LKu4kPLDd7w9%2fHtsFo%2ft%2bP4h4k%2fMq57s%2fuPPkM4J4h7ewHwEIVzv4lnk39l7QTthhroMwi9Qn196c%2fDNByifjkOAocz09n%2fB4t%2bzycg7B8VyIlY1P%2f29syvz%2ft5NbkbyYbAu6Sfz0%2biNM%2fjuqEFHAY1dGU6W%2btR8GD%2bGvsWttdb8kPXKL4x6HpIr1QyGIwk0SZEDr2oMzZjcQegezv3loAV9JivU8HmYaaibwLMJUVIPv6uvvr1slqJ%2f7dmG6hjFeEDjb4uEvrYfZrV0R75JQPd3W6MXjciL%2bRW3YDuK
XGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d; domain=.myspace.com; path=/; HttpOnly
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d; domain=.myspace.com; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3; domain=.myspace.com; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned; domain=.myspace.com; path=/
Set-Cookie: D
ERDB=ZG9tYWluPS5teXNwYWNlLmNvbSZ0bGQ9Y29tJnNtb2tlcj0yJnNleHByZWY9MSZ1dHlwZT0yJnJlbGlnaW9uaWQ9MCZyZWdpb249MjAmcG9zdGFsY29kZT0wNDU3MiZtYXJpdGFsc3RhdHVzPU0maW5jb21laWQ9MCZoZWlnaHQ9MTcxJmdlbmRlcj1NJmZyaWVuZHM9MSZldGhuaWNpZD04JmFnZT0zMCZib2R5dHlwZWlkPTYmY2hpbGRyZW5pZD00JmNvdW50cnk9VVMmZGF0aW5nPTAmZHJpbmtlcj0xJmVkdWNhdGlvbmlkPTEmcmVsYXRpb25zaGlwcz0wJm5ldHdvcmtpbmc9MCZkaXNwbGF5bmFtZT1KZXJlbXkmZnJpZW5kaWRfaW50PTE0MzE0MDkxNyZpcGFkZHJlc3M9JzY
5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=; domain=.myspace.com; path=/
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=; domain=.myspace.com; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT


I am surprised because I know that MySpace receives a large amount of traffic and has quite the large user base, I would therefore think that they would provide SSL/TLS transport as a minimum to protect the authentication information of their user base. But I am also not surprised by the fact that this is yet another blaring sign pointing to the fact that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humerus of which is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course gaining access to the users account is only the beginning, this opens up the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts. Or they will at least use a basic derrivation of that password, an example would be adding a different number to the end in each instance i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately be able to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the level of expertise / knowledge of the basic ToR user not being that of a security minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short-order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if nothing more than for the login process "This is what google does with gmail, a user browses to http://gmail.google.com and to logon is redirected to the https:// site, after authentication they are directed back to the http:// site".

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-), this is from bleedingthreats.net.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:"login.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)
I would like to thank Jeff for sending me some of his pcap data for analysis!

Cheers,
JJC

2 comments:

Anonymous said...

I whole-heartedly agree, this is disturbing given the amount of myspace viewing at almost any coffee-shop frequented by the younger (and sometimes older) crowd.

JJC said...

Excellent thought, I did not say anything about that aspect, but it is certainly a great target location for grabbing account info off of unencrypted public connections. I am surprised in the corporate world to still find a large number of unencrypted webmail servers and the like. I will be writing more on this in a followup posting after a bit more *independent* research.