MySpace 0day Again^5

Hat tip to WhiteAcid for the new naming convention for the post (it’s easier to name it in terms of powers than to type it out by hand). But yes, yet again, MySpace is vulnerable, and yes, again, to the exact same thing as before. This cat-and-mouse game makes them look pretty foolish. Instead of just doing it right, they keep writing single blacklist/whitelist strings that are trivial to circumvent. digi7al64 found yet another way around the same XSS filters that are attempting to stop the non-alpha non-digit XSS vector that affects Firefox. Here is the string:

The filter strips each literal <script it finds, so <body <script onload<script=alert('xss');> turns into <body .. onload..=alert('xss');> (the .. marks where the stripped tokens were). What is left is an ordinary body tag with an onload handler, which works in Firefox.

What did MySpace do about the last bypass? They simply stopped stripping in the single case where they found the offending string. No, they didn’t get rid of it, block it, enumerate through a while loop or anything else; they just did nothing, which causes that one string to fail (not a particularly great defense there). The underlying bug is the same both times: a filter that removes substrings in a single pass can assemble a forbidden token out of pieces that each looked harmless, so the output has to be re-checked until nothing changes. This is silly, and embarrassing to watch. I feel bad for them, I really do. The only thing I can think of that would cause them not to write a while loop is concern over CPU, but adding more and more filters doesn’t help CPU either, and there are other ways to solve CPU-bound search issues (I know because I’ve designed them before).

It’s kind of comical at this point - anyone want to take bets on how many more tries it will take for them to get it right? This is the trap you get into when you have to allow HTML for your business to survive.

11 Responses to “MySpace 0day Again^5”

  1. yawnmoth Says:

    Just imagine what life would be like if WordPress was doing similar things. An exploit is published, so you blacklist it and release a new version. People download and install that version, but then a new exploit is published, so you have to release another new version. The only problem is that those people who installed the old version are liable not to upgrade to the newest one.

    As such, I think MySpace should take solace from the fact that they *are* in a position where they can do this. For software packages like WordPress, you have to get it right the first time. For packages like MySpace, it’d be nice if you got it right, the first time, but it’s not nearly as important.

    And who knows… maybe this is just someone’s way of ensuring job security. I mean, it can, oftentimes, I think, be easier to keep your job when you have a steady stream of stuff to do, even though, if you were doing a good job, you wouldn’t.

  3. Disenchant / Sven Vetsch Says:

    One simple question:
    Why don’t they use something like BBcode and a regex for everything inside of such a BBcode tag?


    Here it’s so easy to just convert into <something>, then they shouldn’t have any problems with this anymore (in the way they had before), and the [tag] will be changed into the corresponding HTML tag like img and so on.

    Of course they also have to include some security mechanisms there, but I think this would be very easy compared to the situation they’re actually in.

  4. RSnake Says:

    BBcode is really no different than HTML in a lot of ways. If they want to allow things like <BODY tags at all, then they have to allow [body], which then leaves them open to other issues, as you know. The problem isn’t so much that they allow HTML; it’s that they allow more HTML and more parameters than is safe. Whitelisting HTML and parameters is one way to slow the attackers down, although you are still relying on the inherent safety of the whitelisted parameters and your own filtering.

  6. Disenchant / Sven Vetsch Says:

    Of course, just as I said, they also have to implement some security mechanisms, but I think it’s much easier to handle BBcode than HTML code.

    PS: Anyway, when they really want to allow Tags like they must be crazy anyway ;)

  7. RSnake Says:

    You’re absolutely correct! Hahah

  8. digi7al64 Says:

    It appears that another 0 Day spoilt for all browsers exists


  9. Mephisto Says:

    I’m surprised I haven’t seen any “Wanted: Experienced Security Minded Developer” ads for them anywhere yet!!

  11. bubbles Says:

    I’m betting it takes 10+ more XSS vulns before they get it right.

    On a side note, I feel bad for all the people using the http://imaqeshack.us profile tracker… They paid $5/month for a patched exploit.