MyYearbook.com’s woes continue. Unsticky emailed me the original source code to the MyYearbook.com worm. It’s funny how this reminds me of actual virus fighting, where understanding the original variant can help explain how future variants evolved. Here are the variants:
Original variant by unsticky:
Additionally Triphase from Hacking With Style got ahold of me. This is a direct copy and paste from his email to me. (Btw, ha.ckers.org does not condone this sort of activity, but the 1000 or so users who will be affected by this have a right to know):
I saw your blogpost on ha.ckers.org
Indeed we have a list of usernames and passwords… about 900+ not counting the ones coming in every second…
As proof I'll paste a short list of them:
Anyways, the admin has about 20 hours left to fix the bug, or the list WILL get public.
It is clear that Triphase will use the lists that they have found against MyYearbook.com. This is an interesting take on full-disclosure, where the vulnerable website or application is told how much time it has until it must disclose the information that has been stolen. Of course, this is not a new way to disclose information and it has been tried in the past, although I don't recall it ever having been done in quite the same way. If MyYearbook.com does business in California this may fall under SB 1386, which mandates full disclosure by the owners to its users. Pretty nasty stuff and a pretty tough message - fix it or pay.