Month of MySpace Bugs

The Month of MySpace Bugs is fast approaching. It’s targeted to begin April 1st (and no, it’s not a joke). Mondo Armando and Mustachio (not their real names, as you may have already guessed) are planning on releasing one or more vulnerabilities in the site per day, as a dig both at the month-of-bugs trend and at MySpace, which they apparently dislike. I’ve talked with Mondo and actually sent a few bugs over myself, so at minimum they’ll have a few bugs!

I think months of bugs are actually a great thing in a lot of ways. Primarily they raise awareness of the issues. The Month of PHP Bugs has really raised people’s awareness of how flawed certain things are in PHP and forced a lot of upgrades. You saw what happened in the Month of Browser Bugs, and now we are here. Although the Month of MySpace Bugs is a joke in a lot of ways, it does make a real point: a determined attacker can find 30 or more vulnerabilities in a system in a relatively short period of time, which raises some real questions about the state of security at even the largest enterprises out there. And this is hardly the first time in MySpace’s history that they have been hit, so it’s not as if they weren’t warned of the risks ahead of time. It should be interesting to watch. There’s more on this thread, and Mondo himself posted to sla.ckers if anyone’s interested.

5 Responses to “Month of MySpace Bugs”

  1. Awesome AnDrEw Says:

    I submitted a vulnerability where remote files could be loaded, and cookie data could be hijacked. Hopefully it’ll make it on there, or I’ll just post it here and on my site.

  2. Spider Says:

    You know the other months of bugs were relatively tame. The vulnerabilities required a user to go to an untrusted, malicious site. Not entirely trivial for the average bored 15-year-old to set up and exploit.

    MySpace is so high-profile and easy to exploit that I wouldn’t be surprised if MySpace suffers some serious downtime due to the exploitation of these bugs. And after Fyodor’s experience, I wouldn’t be surprised if MySpace went after LiveJournal or its registrar PAIRNIC.

  3. Awesome AnDrEw Says:

    What’s great about it, though, is that most of the vulnerabilities that do not have to be embedded in a user’s profile and can be used via a link will look safe to almost all of MySpace’s oblivious users, which would be most of them.

  4. rdivilbiss Says:

    After the Fyodor incident, I moved all my GoDaddy business to another registrar. Not a huge cost to GoDaddy, I’m sure, but I assume others did as well.

    I’m frequently asked for opinions on web development topics and always point it out to anyone who mentions they are interested in or are using GoDaddy.

    The only way to fight back is via the pocketbook.

    Unfortunately, I have no business with PAIRNIC or LiveJournal, but I’m hopeful others will move their business if they respond with a similar knee-jerk reaction like GoDaddy’s.

    Trying to clue developers in to the myriad ways of writing flawed web scripts, in PHP or otherwise, is a tremendous uphill battle.

    Most of the newer developers just want something that works and reject the idea that they should do extra work to take precautions with their scripts.

    I don’t know if these tactics will be effective in teaching developers, but really MySpace is the ultimate winner because of the free vulnerability assessment.

  5. MustLive Says:

    MOMB is a nice project, like all the other Month of Bugs projects, and it will be interesting to watch it in April. I already wrote about the Month of MySpace Bugs at my site (as an announcement), and maybe I will write about this event like I did about the Month of PHP Bugs (which was the main event of March).

    And I want to tell you guys that I am also planning my own Month of Bugs. I have been planning it since the beginning of March (when Stefan started his MOPB) - it will be a very interesting event ;-). First I plan to contact some top webapp security guys (RSnake too) and talk about my project. Since MOMB will be in April, I will put my project in May. So there will be more information soon.