Every day I spend my time researching new ways to do things I have done for years. For example, this weekend I spent 27 hours researching a new way to present Java EE HTTP uploads using AJAX, Servlets and EJBs. Yeah, I know - blah blah, "we all do that kind of thing, who cares". But AH! I have been doing the same thing for something we are all familiar with: MySpace! Yes it's rubbish, yes it's been hacked together from ColdFusion and ASP .NET elements and YES it always seems to be broken, BUT there seems to be a massive market out there for people who want to make a quick buck from generating MySpace friend adders or mass commenters. They charge a fortune to download these applications to spam other MySpace users, so why can't I make a free one? Screw those guys… let's open source it! So I thought - how hard can it be? I started to investigate and I was quite excited by what I found.

Step 1. How MySpace Authenticates Users

I decided to write my own open source application to send mass messages, add friends etc., just to see if I can do it. So I booted up NetBeans (my fav!) and created my new 'soon-to-be' open source project (I am keeping its name quiet until I launch it).

To begin with I needed to understand how MySpace authenticates users - this would eventually explain why so many MySpace accounts can be hacked so quickly. First of all I needed to boot up Ethereal so I could watch what was coming in and out of my prototype MySpace application. The first thing I did was try a basic form submission, just like the login form on the homepage. Here is what I submitted and what I saw come back to me…
Now you see from this image I just submitted my email address (username) and password to the MySpace login.cfm (which is actually an ASP .NET system and not ColdFusion at all). I decided to use a User-Agent that mimicked Mac OS X running Firefox, just because that's what I use normally. If you have no idea what a User-Agent is, this might be the wrong article for you. I got the following back from MySpace; it was NOTHING but cookies and an HTTP redirect:
This screen shows a successful login. The cookies it sets contain the all-important MYUSERINFO cookie. This is a base64 encoded string that contains goodies and identifies you to MySpace. If you don't submit this most essential cookie back to MySpace each time you want to view something that requires a valid session, you will find yourself back at square one. So all that said, let's look at a failed login attempt and see what we get back from MySpace
HERE IS HOW PEOPLE'S ACCOUNTS GET PHISHED: because you can brute force email addresses and basic passwords (which is what most MySpace passwords are based upon). You can submit your brute force attack a hundred times a second, because this is an HTTP attack. But because we are NOT trying to hack INTO MySpace, and rather just hack it, let's move on.

Step 2. Once we have our cookies, how do we do stuff? Like send a message

If you are a little lost at this point, I am sorry! I would love to write a step by step guide on how to write the code to accomplish this stuff, but it's a skill you need to learn as a hacker! I code in a variety of languages, so it's not important which language you use, just that you use it properly (if you are coding in PHP or Java, give me a shout, I can help you out).

Anyway, again I digress, so let's send a message to someone once we are logged in. Now this requires some thought because you have to adhere to the .NET standards (of which I know nothing, so I really had to fumble about with this one). In order to send a message you need to a) be logged in and b) know the friend ID of the user you want to message.

One of the MOST IMPORTANT slabs of info that MySpace requires in order to successfully submit a message via HTTP is the VIEWSTATE. Now I had no idea what the hell this was, and after hundreds of attempts I eventually worked out that this is an essential part of the .NET framework. If you are interested then view more about it here.

So to send a message, what I did was request the send message page from MySpace (http://messaging.myspace.com/index.cfm?fuseaction=mail.message&friendID=YOURFRIENDID) and scan for the __VIEWSTATE variable… here is what I saw..
The View State variable is a Base64 encoded hidden variable. Trust me, without submitting it you will find it just won't work; your message might get the OK but it won't be delivered. You need to get this variable, otherwise it's all pointless. Once you have worked out the regular expression to extract it (or if you are a lazy swine - here it is):

id=\"__VIEWSTATE\" value=\"([\\w/-_].+)\"

Now you can submit your message. Here is something I sent to myself from myself (another account, of course)
So the message has been sent? Providing that the annoying CAPTCHA image didn't crop up and ask for authentication (sorry, not cracked this one yet), your message should have been sent and should look something like this:
And if you were to view that message… it would look like
We sent a message! This means all we need to do is grab a list of friend IDs and we can mass message everyone. How do we grab a list of friend IDs from a user? What is the regular expression? How how how? I will show you how in Part 2 (coming soon)
- Dave
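The Step 1 observation that failed logins can be retried at HTTP speed is what a login endpoint has to detect and throttle. As an added example (not part of the original post and not MySpace's code), the Python below counts failed logins in a sliding window per source address and per account over constructed log lines. The log format, the 10-second window and the threshold of five are assumptions; the 15-minute lockout is the suspension length one commenter on this page reports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)    # assumed sliding window
MAX_FAILS = 5                     # assumed failures tolerated per window
LOCKOUT = timedelta(minutes=15)   # suspension length reported by a commenter


def sample_log():
    """Constructed log lines: ISO timestamp, source IP, account, result."""
    t0 = datetime(2007, 10, 18, 4, 3, 0)
    lines = []
    # One source failing 100 times a second across many accounts.
    for i in range(20):
        ts = t0 + timedelta(milliseconds=10 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 user{i}@example.com FAIL")
    # Six sources each failing once per second against the same account.
    for i in range(6):
        ts = t0 + timedelta(seconds=30 + i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} bob@example.com FAIL")
    # An ordinary user: one typo, then a successful login.
    ts = t0 + timedelta(seconds=60)
    lines.append(f"{ts.isoformat()} 192.0.2.10 carol@example.com FAIL")
    ts = t0 + timedelta(seconds=65)
    lines.append(f"{ts.isoformat()} 192.0.2.10 carol@example.com OK")
    return lines


def analyse(lines):
    """Return (flagged_sources, lockouts); lockouts maps account -> unlock time.

    Lines must be in time order, as a server's own log is.
    """
    by_source, by_account = defaultdict(deque), defaultdict(deque)
    flagged, lockouts = set(), {}
    for line in lines:
        stamp, source, account, result = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(stamp)
        for key, table in ((source, by_source), (account, by_account)):
            window = table[key]
            window.append(ts)
            # Drop failures that have aged out of the sliding window.
            while ts - window[0] > WINDOW:
                window.popleft()
        if len(by_source[source]) > MAX_FAILS:
            flagged.add(source)          # candidate for throttling or CAPTCHA
        if len(by_account[account]) > MAX_FAILS:
            lockouts[account] = ts + LOCKOUT
    return flagged, lockouts


if __name__ == "__main__":
    flagged, lockouts = analyse(sample_log())
    print("throttle sources:", sorted(flagged))
    for account, until in lockouts.items():
        print("lock", account, "until", until.isoformat())
```

Counting per source catches one client spraying many accounts, while counting per account catches guesses spread across many sources; the single typo followed by a successful login triggers neither.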
36 Responses to “Hacking MySpace - The Basics - P1”
- 1 Pingback on Oct 18th, 2007 at 4:03 am
Comments are currently closed.
Dave,
Hey nice idea so far. I don’t care much for myspace but I think you have an interesting project developing here and something that a lot of myspace users would really like to have. What are some of the commercial app names if you know of any, I would like to take a look at those to compare with what you are putting together?
word
cj
Hello Dave
I was working on a small API for extracting the whole friendslist from a user and found out that it wasn’t easy to get all of them. Getting the first 40 friends wasn’t a problem at all, but after trying to send the needed Post Data to the site it always returned an error. It might have something to do with the __VIEWSTATE parameter, even if I returned it completely.
I wonder if you will succeed in getting the friendslist in Part two! When will you post it?
Best wishes
Stephan
IF YOU WANNA HACK BY YOURSELF…THEN WE MAY HELP YOU BY CREATING A LOOK-ALIKE SO CALLED PHISHING YAHOO MAIL / HOTMAIL / MYSPACE / GMail / AOL / FACEBOOK PAGE.. IN JUST 2 MINUTES.
OUR GROUP IS BUSY ON OTHER PROJECTS, AS SUCH WE ARE UNABLE TO HACK INDIVIDUAL IDS. SO IF YOU NEED A PHISHING SITE, WE CAN HELP YOU OUT. THROUGH THE PHISHING SITE YOU CAN HACK AS MANY IDS YOU WANT TO, JUST BY SENDING THE LINK THROUGH ANY MEANS (OFFLINE/ONLINE/EMAIL) AND ASKING SOMEONE TO SIGN INTO THAT PAGE SAYING SOMETHING INTERESTING WHICH ATTRACTS THE USER. ITS THE PERFECT, SAFE AND EASIEST WAY TO RIP SOMEONES PASS.
AS SOON AS THE USER SIGNS INTO THE PAGE, YOU GET HIS/HER USERID AND PASS. THRU EMAIL INTO YOUR OWN INBOX. FOR MORE GUIDANCE, I MAY HELP YOU. IF INTERESTED, MAIL ME ON magi_rn@yahoo.com !!!
HYMEN_HACKER
You are a complete fool. You obviously know nothing and most likely have nothing productive to contribute to this world.
Please ‘go away’.
HYMEN_HACKER
?…. wow….
Is he for real? It’s just really hard to think people are like that. But I’m not about to judge or anything….. maybe he just… ah Dave you are 100% correct and I could not have said it better.
cj
This is exactly what I expected to find out after reading the title ng MySpace - The Basics - P1 at theReformed. Thanks for informative article
I’m posting here to ask for help relating to this topic. If you don’t feel like helping random people (I’m not even trying to hack anything; I just have a problem with a myspace account and this sounds similar) then you can stop reading here and ignore the rest.
I’m a competent, somewhat above average-level PC user but I don’t really know anything about hacking; I was just wondering why my myspace account is perpetually in “suspended for 15 mins. due to excessive failed login attempts” mode and why even when I comply with the CAPTCHA request, the CAPTCHA screen just reloads and nothing ever actually happens, and myspace help won’t even bother responding to my requests.
Does this mean someone is trying to phish my account? And if so, what can I do about it? As I said I have little to no knowledge about how hacking is done, and so any help that could be offered would be extremely appreciated. Please contact me at the e-mail address provided above.
sounds like someone is phishing, although this really isn’t the place for myspace help! sorry.
I couldn’t understand some parts of this article ng MySpace - The Basics - P1 at theReformed, but I guess I just need to check some more resources regarding this, because it sounds interesting.
Found a neat trick on viewing private pictures on myspace something I doubt they can fix. Im going to follow fashion here and assume people viewing this have some sort of knowledge if not google.com knows all ….lol therefore without further addddewwwwww I discovered that myspace uses a few mirror links…whats important about this is that the one I found dealing with profile pictures now allows me to see anyones pictures even THOSE SET TO PRIVATE!!!! why people upload pictures and set them to private is beyyyyyond me..I must send you on an educational journey to give my exploit as i call it would be to simple. The one thing i can say is that it does exist! The one other thing i can say is that don’t hate this suspense lol….nahhh seriously pay close attention to myspace urls..specifically AlbumID= and UserID= combine those with a certain service myspace provides when you click on add/edit photos copy some code hint hint edit some varriables hint hint use your brain (hard part) load your code on a notepade txt file save the file as whatever.html bam there ya go sadly if someones profile is set to private this will not work so as useless as this was reading i hope it was educational again this trick will work if it is not set to private but their pics are set to private…..good luck..oh by the way dave i did what your talking about in your article in with mere javascript..harder to parse friend ids casue getting an entire list on 1 page is difficult…but perl does the trick page by page …no longer have that script but it was kool..so good luck on yours im glad someone is finally doing that
sorry dude i was half sleep when i wrote that lol…spelling is at-ro-shus
nmnm
WOW i just tested something yesterday dropped a phishing line in to the ocean of myspace used jotform.com for bait and what I found is that you can still hide the top bar of links
div table td font {display: none;}
Home | Browse | Search | Invite | Film | Mail | Blog | Favorites | Forum | Groups | Events | Videos | Music | Comedy | Classifieds
div div table tr td a.navbar, div div table tr td font {display: none;} - - - >
like so and insert your little link in the most common place people will think to click after they leave your page…Home.. seems myspace now shuts down the victims account requesting them to change their password and advises them that their account was phished..awful nice of them if ya ask me.
fantastic, inquisitive work dude =)
ty very much
Hi
Very interesting information! Thanks!
Bye
want to check my girlfriend’s myspace
Great comment.
I am sure you’ll read my diary..
Thank You Again
I am interested in obtaining my girlfriend’s myspace password. I know her username and was wondering what I can do, as having little to know knowledge of having, to obtain her password and log on to her account. I heard brute forcing was fairly simple, and was wondering if any of you have any suggestions. Thanks for the help!
little knowledge of hacking* sorry for the typo, its late!
@bobbyg & rebel son
This request falls on deaf ears. Not only does the action you’re referring to violate a handful of laws it is on par with the likes of the now infamous “How do I hack hotmail?” request.
My suggestion, if you’re in a position where you must be so concerned with your girlfriend’s dealings in private online, you need to get yourself another girlfriend.
http://allshowbiz.net/myspacesurfer.html
the safe way of browsing myspace faster? better? noo i wouldn’t say so, convenience yeah, but ya still have to get myspace user ID numbers to really use it unless you’re simply randomly browsing
try it out. If I wasn’t so lazy I’d write a perl script to start parsing IDs off of friends pages with over 10,000 users and set it to fill an additional drop down menu with them. Then use a javascript automatic setTimeout script to onsubmit(); through the list to add friends, send messages or what have you. Sadly myspace does not work well with frames so yet another bridge to cross is created.
dude if anyone has a good code to parse myspace friend IDs into a select box, I’ve now completed a method of automatically sending out friend requests. I know I know, a real coder would simply google it and learn lol. The method I have is crude at best, not to mention slow and cumbersome and time consuming. I was just wondering if anyone thought outside of the box a little better than I have. To visit a page and be able to parse all the IDs from a friends list…. I will give away a few tips, tricks, for you in this message though: myspace puts your entire friends list into a select box in 3 places 1. when you forward a message to someone, 2. when you forward a friend. 3. when you’re sending an event invite out, but in this case it splits the list up into groups of 40. The third one is the one I’m most interested in… the third method is done by parsing the friend IDs from the online myspace messenger: view the source when you’re sending an event invite and you will see it in the javascript code towards the middle.. of the page. well I’m off to google, I’m sure I’ll find something. Good luck to you all in whatever you’re trying to do, be smart, be safe
@showbiz4me
Extracting a true list of any user’s friends cannot be done in the way you have mentioned. You need to view a friend list, parse the list for that page and then iterate through the list (pagination) using a series of complicated post backs (MySpace have put this in place to stop day scripters trying their luck). I have actually managed to perform this but it took me a good while to reverse engineer. If you want a hint, follow the JavaScript trail: when you mouse over a “view next 50 friends” see what JS function is called, you will eventually work it out. But if you are not a software engineer you may as well forget it - the process of reading and parsing and iterating through the forms can get complicated.
@ D.Shanley
yeah I see the function you’re talking about. It’s also commonly used in many other friend adding bots etc….. clever!!! Thank you for that….. The thing that’s bothering me now is this cursed HASH CODE!!!!!!! that’s the only thing needed to send add to friends request to anyone on myspace. I broke the form down line by line, took away every javascript on the page. The first 30 or so characters in the hash code are always the same, they change depending on who you’re sending a message to, so my guess is the only way now to send an add 2 friends request has to be to download the entire page, parse out the code and resubmit it
Is this an MD5 hash that you’re aware of? Tried milw0rm’s hash crack @ http://www.milw0rm.com/cracker/insert.php ?
Can anyone help me with a myspace password?
I need to find out if my gf is cheating on me.
hack this guy for me, he is a fuck head
http://www.myspace.com/adrienfrommyspace
Why doesn’t someone use this finding to input a friend id… for instance if u know a private page and you know a friend of the private page you could use that id to view the profile
how can i get my girlfriend’s e-mail and password on myspace, if u can, can u help me please, i really appreciate ur time on reading this, her address bar is :
http://www.myspace.com/71782607
my e-mail is azteca_medival@hotmail.com
send me the information there please
once again ,thank you
how do you hack a friend’s myspace account… it’s ma boyfriend’s, i think he may be cheating on me and i want to find out. please help me
ty much
hey i kinda need help this chick stole my pics and stuff of my myspace and i was wondering if you could help me hack in it so i can like delete my stuff
freaklepuss@hotmail.com
please help
thanx
WOW! every time someone sees something about hacking myspace.. they all come in with their useless comments about, can you hack myspace and see if my bf, or gf is cheating on me.. we are decoders etc “hackers” we can’t just hack myspace and other programs for the fun and to see if your lamo bf or gf is cheating on you.. give it up plz.. also I’m now getting into hacking, I’ve started with novel, and on campus logs.. if you want to talk I’m on msn, as cohourt… thx for the info.. and can you send me a message on how to find the program you used to find the “http” etc..
:D thx
I think these people requesting hacks to view their “boyfriend’s”/”girlfriend’s” myspace accounts need to be entertained in ways a sex-starved, bastard-son-of-a-hooker, Dungeon and Dragon playing, Mormon virgin, living in a barren tundra of Alaska can only dream of.
That way they will soon realize there are better things in life than say stalking someone.
Like the ability to defecate and be proud of what you created.
http://www.myspace.com/sexigreeneyedchic some one please hack this bicths page
Because of the sheer amount of idiotic ‘please hack’ requests and other ignorant comments associated with committing criminal acts or servicing self-serving ideals by a small percentage of participants, we’ve decided to shut off any further commenting to this article.
We apologize to those of you that have or wish to submit valid questions or argument and encourage you to contact us via our e-mail instead. Thank you for your understanding.