Author | Post | |
aceldama |
i didn't know exactly where to put this, so i decided on adding to this thread instead of creating a new one. essentially it's loosely related to the whole myspace theme. social networking sites have always been something interesting to "get into without getting into" for me. so recently i've just been poking around and (no, i didn't hack into myspace but) found some sites that i assume are run by hackers for the purpose of viewing private profiles if you're willing to blindly part with your cash. these sites can be found here and are both run by (what i assume to be) the same people (as will become apparent that they didn't change their code framework):

-- hxxp://eskobarcartel.com/NEWHACK23.swf
-- hxxp://www.myspacegtx.com/main.swf

now the interesting thing is in the source code of these swf files. apparently they don't really care about any way or form of sensitive directory disclosure (apart from the assumption that people can't get into an swf file). in the first one the source code looks like this:

    ...
    tries = 3;
    redirect_url = "yes";
    sealed_txt = "Status Sealed, contact your local admin";
    wrong_txt = "Wrong password or Username, please try again";
    xml_path = "xml/users.xml";
    ...

note the xml_path variable which yields:

    ...
    <user> fucck <pass>notsomuch111</pass> <url>http://www.myspace.com/tixv3</url> </user>
    <user> lbaby <pass>muser01</pass> <url>http://www.myspace.com/tixv3</url> </user>
    <user> matty <pass>wallyhead</pass> <url>http://www.myspace.com/tixv3</url> </user>
    ...

the second actually uses the exact same directory, though it wasn't saved in the main file. you can find that in the section_5.swf file which was linked from main.swf, yet everything was again completely unencrypted and incidentally uses the exact same code to fetch it.

now if you were lazy you could just have checked the headers that were exchanged. there you'll find that both the swf files called users.xml directly using a get request. using firefox's live headers extension it would've looked like this:

    ...
    GET /xml/users.xml HTTP/1.1
    Host: www.myspacegtx.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
    ...

now before you get all excited, though this gets you to log in, unfortunately it doesn't get you anywhere except the page that tells you that - had you paid for it - you've probably just wasted about $14 of your hard-earned cash...

...moral of the story?

1) don't pay for dodgy services
2) even if you assume that the average joe can't get into your swf files, don't assume no one else can.
Edited by aceldama on 09.05.2008 20:27:47
09.05.2008 20:00:29
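Added example, not part of the original post or of either site's code: the flaw described above is that the SWF downloads xml/users.xml and checks the password on the client, so the whole credential list is one GET away. A server-side check that never serves the store could look like the sketch below; the class and function names, the in-memory store and the PBKDF2 iteration count are assumptions, and only the `tries` limit and the two message strings are taken from the post.

```python
import hashlib
import hmac
import os

MAX_TRIES = 3  # mirrors the SWF's `tries = 3`, but enforced on the server
WRONG_TXT = "Wrong password or Username, please try again"
SEALED_TXT = "Status Sealed, contact your local admin"
ITERATIONS = 200_000  # assumption: tune for your hardware


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the server never keeps the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Authenticator:
    """Server-side replacement for a client that fetches users.xml."""

    def __init__(self):
        self._users = {}     # username -> (salt, hash); never sent to clients
        self._failures = {}  # username -> consecutive failed attempts
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> tuple:
        # The attempt counter lives here, so a client cannot reset it.
        if self._failures.get(username, 0) >= MAX_TRIES:
            return False, SEALED_TXT
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        # Hash even for unknown names so timing does not reveal valid users.
        candidate = _hash(password, salt)
        if stored and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return True, "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return False, WRONG_TXT
```

The client only ever receives the boolean and the message, and unknown usernames get the same response as wrong passwords.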