Topic: "MOMBY myspace bugs are lame [example]." (page 1 of 1)

1
Author Post
unknown user
MOMBY set out to disclose bugs in myspace.com, you can read there rationale but i firmly oppose it.
They also want to make fun of the whole concept of "Month of the * bugs"
which imho generally have been quite decent, month of browser bugs/php/kernel/apple are a decent collection
and pretty insigthful.

All what momby has done, is disclose XSS vulnerabilities, (which we all know there are plenty of)
and a few logic errors.

I thought I would share a logic error with you all, that THEY made.

http://pics.livejournal.com/momby/pic/00009att

is one of their screenshots in where they "disclose" the fact that login/password is sent plaintext. Ok
this is a bad security descision, but hardly a bug...

Now the interesting bit, is how they filtered out their mac addresses, in the wireshark analysis window,
but they did not filter it in the hex dump. So everybody can simply read the mac adress of their pc, and their router/AP
which clearly are
00:03:2F:1A:74:DE pc
00:40:F4:EF:05:F4 router/AP


mac adresses aren't assigned to NIC cards randomly. the first 24 bits are a vendor ID, you can look up who made the cards
pc: Linksys WPC11, Repotec GL241101
router/AP: Cameo Communications, Inc.

the next 24bit are up to the manufacturor. Usually these are some sort of serial numbers; and manufacturors, will probably have a pretty
descent idea of where abouts the card was sold.

By obfuscating only one ocurrence they arise supsission. I believe this was not too smart of them ...

It's not lethal, authorities still need to do quite some work to get an exact adress, and since they are not really doing anything worth mentioning ...
but if they were cought that could be evidence they should not have created.
EMail
aceldama
groupmastergroupmastergroupmastergroupmaster
wow, i really do admire your knowledge rhican. as you already know, the bugs are sent to the two by users that discovered them (with a proof of concept as a prerequisite) so there is hardly a chance that the ac addresses are their's.

furthermore, you're not the first to have noted that the plaintext validation of passwords are a bug. (see the comments section) none the less, i'm still waiting to get a half-decent boafide bug off of them that isn't just an xss exploit. the entry on the 9th was almost good, but seeing as myspazz responded quickly, the hole is now no longer open for exploitation. guess that we could only hope fo something good to come through eventually.

but to say the least, only ne thing actually impressed me (albeit another xss hole) i'm equally disappointed - to say the least :no:
Edited by aceldama on 11.04.2007 00:59:13
private message
unknown user
bah i never read the comments :)

I doubt that it's an easter egg though. An easter egg is something extra, fun, not a check to see if anybody is listening.
That's classic teacher speak, when they make a mistake it's to see if you understood it ..

furthermore i hate their layout :D

and they clearly never heard of AJAX.
EMail
aceldama
groupmastergroupmastergroupmastergroupmaster
agreed. AMEN LORD RHICAN! :clap2:
private message

Topic: "MOMBY myspace bugs are lame [example]." (page 1 of 1)

1