MyspaceIM Info Disclosure: Silently Fixed
TippingPoint (my employer) provdes quite a few instant messenger filters as part of our IPS device, since some of our customers have fairly strict usage policies for their networks. These guys know that most IM networks are cleartext, get bounced off of third-party servers, can act as P2P file transfer clients, and basically open up all kinds of potential security problems.
So, the other day, I started taking a look at MyspaceIM, which is the newest major entrant in the IM space. And by "taking a look," I mean, "Googling," since my first step in nearly any task is to see if anyone else has already done my job for me.
Turns out, nobody's really looked at it, since most Google-able analysis start and end along the lines of, "It's port 1863, so it's like MSN Messenger." Of course, if you actually take a look at the traffic, you will notice immediately that it's pretty much completely unlike MSN Messenger, except for the port 1863 business. So I had to work after all. Rats!
The divergence from MSN starts with the initial handshake -- it's completely cleartext. No huge deal there, cryptophiliacs. After all, it's just MySpace, and who cares if there's no encryption. Most webmail these days is still cleartext (except Gmail, if you ask nicely). Not to mention the regular old MySpace web application, in which passwords are sent in the clear. So in itself, this is not all that exciting.
But there was one interesting effect of watching the traffic -- while I was messing around with the protocol, it turned out that the MyspaceIM servers returned different responses for "bad username" and "bad password," in a big, obvious way. This was something that the website doesn't do, and so it's interesting.
Combined with the fact that there was no throttling on how many login attempts are thrown at the MySpace servers (aside from normal Internet flakiness), I had myself a pretty effective (if silly) information disclosure attack.
At very nearly the same time, the AHA 0day Carnival was scheduled. So tickled was I with this discovery that I presented it there almost immediately after discovery. My slides, Myspace Account Enumeration, are available here. Of course, this meant that I had to report it to Myspace pretty much immediately, too.
By now, careful readers and grammar nazis will have noticed that I've been mixing my tenses in this narrative, sometimes using the past, and sometimes the present. There's a reason for that.
Turns out, if you report a vulnerability to MySpace, two things seem to happen: a) if it's easy, it gets fixed in under a week (as in this case), and b) they don't acknowledge receipt of the vuln, or tell you thanks, or anything. In other words, they fixed it, and now my slides are all wrong.
That's fine, of course, and ultimately the point of my reporting it. But part (b) hurt my feelings deeply, especially since I work pretty closely with people who make it their business to keep vulnerability researchers well-fed and well-loved. I guess I was naieve, and thought everyone was as considerate, careful, and caring as the fine people at ZDI.
Part (b), of course, is a pretty dangerous practice, at least according to the RFPolicy.
One footnote to this story: Yes, you can do pretty much the same thing by merely trying to "Add" all your e-mail addresses as your MySpace friend. But this is annoying because you have to be logged in, deal with cookies and all that other HTTP cruft, and do it slow enough to avoid getting noticed by the anti-spam controls (assuming there are any). Someone else can tackle that.
So, the other day, I started taking a look at MyspaceIM, which is the newest major entrant in the IM space. And by "taking a look," I mean, "Googling," since my first step in nearly any task is to see if anyone else has already done my job for me.
Turns out, nobody's really looked at it, since most Google-able analysis start and end along the lines of, "It's port 1863, so it's like MSN Messenger." Of course, if you actually take a look at the traffic, you will notice immediately that it's pretty much completely unlike MSN Messenger, except for the port 1863 business. So I had to work after all. Rats!
The divergence from MSN starts with the initial handshake -- it's completely cleartext. No huge deal there, cryptophiliacs. After all, it's just MySpace, and who cares if there's no encryption. Most webmail these days is still cleartext (except Gmail, if you ask nicely). Not to mention the regular old MySpace web application, in which passwords are sent in the clear. So in itself, this is not all that exciting.
But there was one interesting effect of watching the traffic -- while I was messing around with the protocol, it turned out that the MyspaceIM servers returned different responses for "bad username" and "bad password," in a big, obvious way. This was something that the website doesn't do, and so it's interesting.
Combined with the fact that there was no throttling on how many login attempts are thrown at the MySpace servers (aside from normal Internet flakiness), I had myself a pretty effective (if silly) information disclosure attack.
At very nearly the same time, the AHA 0day Carnival was scheduled. So tickled was I with this discovery that I presented it there almost immediately after discovery. My slides, Myspace Account Enumeration, are available here. Of course, this meant that I had to report it to Myspace pretty much immediately, too.
By now, careful readers and grammar nazis will have noticed that I've been mixing my tenses in this narrative, sometimes using the past, and sometimes the present. There's a reason for that.
Turns out, if you report a vulnerability to MySpace, two things seem to happen: a) if it's easy, it gets fixed in under a week (as in this case), and b) they don't acknowledge receipt of the vuln, or tell you thanks, or anything. In other words, they fixed it, and now my slides are all wrong.
That's fine, of course, and ultimately the point of my reporting it. But part (b) hurt my feelings deeply, especially since I work pretty closely with people who make it their business to keep vulnerability researchers well-fed and well-loved. I guess I was naieve, and thought everyone was as considerate, careful, and caring as the fine people at ZDI.
Part (b), of course, is a pretty dangerous practice, at least according to the RFPolicy.
One footnote to this story: Yes, you can do pretty much the same thing by merely trying to "Add" all your e-mail addresses as your MySpace friend. But this is annoying because you have to be logged in, deal with cookies and all that other HTTP cruft, and do it slow enough to avoid getting noticed by the anti-spam controls (assuming there are any). Someone else can tackle that.
posted by todb at 10:55 PM
6 Comments:
You sent them an unsolicited piece of information. Sure, it would be nice, maybe even polite for them to give you back a note, but you aren't entitled to anything.
Also your comment that Part (a) is dangerous, I don't understand. How is it bad to fix the bug? Is a week too long?
you could just use the functionality that myspace already provide for this in their Search page:
http://search.myspace.com/index.cfm?fuseaction=find.search&searchType=network&interesttype=&country=&searchBy=Email&f_first_name=todb@planb-security.net&Submit=Find&SearchBoxID=FindAFriend
Whoops, you're right, paragraph #11 should have said "part (b)" as well. Edited to be accurate. (It's purportedly dangerous to ignore vulnerability reporters because then those reporters are less likely to contact you in the future.)
As for using the built-in search... well, there is that. In fact, it looks to be only a little bit slower than the MyspaceIM method, but it has the added bonus of picking out the Myspace FriendID, too.
Honestly, I didn't notice this method. I'm not exactly a Myspace expert, after all.
good read. This set me in motion to dig into the old myspaceim app. I decided to dig a little deeper and reverse engineer it to see if it was possible to create a myspaceim clone. The app I started on is in VB6 and at first I just wanted to see if I could connect and what data is being passed back and forth. After looking at your sample code, viewing the packets, and using IDA's Datarescue I noticed the password is now encrypted:
\\login2\196609\username\idwebmedia@yahoo.com\response\*** 84 alphanumeric string ending in == ***\keylen\128\clientver\529\status\100\id\1\final\\
I was curious how myspaceim was encrypting it so I traced the call to the variable holding the password and noticed it encrypts the password using this format:
name@yourdomain.com#529|password
* this is what is sent after \response\ and before \keylen
Now it does some bit shifting and encrypts it some how but i'm not a crytographer so I was lost after that but looks like some type of base64 encoding from what little research I did. I may start a blog somewhere to discuss security issues and post my findings and code. Hope this helps a litle to some people who make be curious or who wants to develop a clone to further test security issues.
Anthony
www.littlerockblog.com
HMM..
Like this?
Winsock1.SendData "\\login2\196609\username\archonis@gmail.com#529|password\" & Text2.Text & "\529\status\100\id\1\final\\"
This post has been removed by a blog administrator.
Post a Comment
Links to this post:
Create a Link
<< Home