Myspace: Who Is Watching The Detectives?


It's well known that law enforcement, security researchers and groups that track down / remove pedophiles, trolls and crapflooders from Myspace spend a lot of time networking, watching profiles, tracking dubious individuals through their postings, friends lists and other things too numerous to mention.

It's a tricky business, and can potentially place people like myself at great risk of being found out, exposed or run over the coals if one of these bad guys works out you've been trailing them for the past three months.

What happens, though, when the bad guys have a method to know exactly who is watching them? And what are the consequences?

Well, ponder no more because they're already doing it. Someone, somewhere has come up with a method to track people using Myspace itself - if you visit that person's profile, they will know who you are and be able to take (in)appropriate action. This method is already in use amongst Myspace trolls, and has been seen pasted to at least one hacking forum. You can bet this is doing the rounds on the underground circuit.

How do they do this?

By taking a few lines of code and placing it onto their profile (note that we're not disclosing any information about the code yet, as Myspace are still fixing this and we don't want to help more people to use this than are already doing so). When you visit that profile, you are automatically subscribed to that person's video channel.

Simple, sneaky, effective. To the regular user, this isn't too much of an issue - people can paste in coded "trackers" onto Myspace pages that attempt to log IP Addresses, browser type, country etc. "All" this does is tell the bad guy which Myspace users have visited their page.

However, this isn't so good for anyone hunting down hackers, pedophiles and other dubious characters because

a) they will know if, say, Paperghost has suddenly started poking around their profile and
b) pedophiles and other predators will spot "Officer Jackson" popping up on their subscriber list and likely go underground or vanish altogether.

Worse, the code can be pasted anywhere - a hacker could place it on their blogspot blog, or a forum, or anywhere else for that matter - if someone visits that page while logged into their Myspace account, they will still potentially end up on the hacker's subscriber list.
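What is described above is a request that the visitor's own browser sends on the page owner's behalf, carrying the visitor's Myspace login, without the visitor ever asking for a subscription. The usual defence on the server side is to make the subscribe action require a per-session anti-forgery token that a third-party page cannot read. The following is an added example written for this post, not Myspace's code and not taken from the original article; it assumes (the post does not say) that the weak endpoint acted on the session cookie alone, and every name in it (the service, the users, the channels) is constructed.

```python
"""Toy model of a 'subscribe on visit' endpoint, before and after an anti-forgery token.

Added example, not Myspace's code. Assumption: the weak endpoint trusted the
session cookie alone, so any page loaded while logged in could trigger it.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # One secret per login; only pages the site itself serves to this user see it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    cookies: dict   # attached by the browser automatically on every request
    params: dict    # fields supplied by whatever page made the request


class VideoService:
    """Constructed stand-in for a video-channel service with a subscribe action."""

    def __init__(self):
        self.sessions = {}      # session id -> Session
        self.subscribers = {}   # channel owner -> set of subscribed users

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def subscribe_weak(self, req, channel):
        """Trusts the cookie alone: a hidden request from any page succeeds."""
        sess = self._session(req)
        if sess is None:
            return False
        self.subscribers.setdefault(channel, set()).add(sess.user)
        return True

    def subscribe_hardened(self, req, channel):
        """Also demands the session's token, which only the genuine form carries."""
        sess = self._session(req)
        if sess is None:
            return False
        token = req.params.get("csrf_token", "")
        if not secrets.compare_digest(token, sess.csrf_token):
            return False
        self.subscribers.setdefault(channel, set()).add(sess.user)
        return True


def cross_site_visit(service, sid, channel, hardened):
    """The hidden request a booby-trapped page makes from the visitor's browser:
    cookie attached automatically, no token (the page cannot read it)."""
    req = Request(cookies={"sid": sid}, params={})
    action = service.subscribe_hardened if hardened else service.subscribe_weak
    return action(req, channel)


def genuine_subscribe(service, sid, channel):
    """The real subscribe form: includes the token the server issued to this session."""
    sess = service.sessions[sid]
    req = Request(cookies={"sid": sid}, params={"csrf_token": sess.csrf_token})
    return service.subscribe_hardened(req, channel)


def demo():
    svc = VideoService()
    visitor = svc.login("officer_jackson")                        # constructed user
    weak = cross_site_visit(svc, visitor, "tracker_channel", hardened=False)
    hard = cross_site_visit(svc, visitor, "tracker_channel", hardened=True)
    real = genuine_subscribe(svc, visitor, "friend_channel")
    return weak, hard, real, dict(svc.subscribers)


if __name__ == "__main__":
    print(demo())
```

The weak endpoint adds the visitor to the tracker's subscriber list on a page visit alone; the hardened one rejects that request and still accepts the genuine form. Tying the token to the session (rather than to a cookie the browser sends everywhere) is the point; modern browsers add SameSite cookie attributes as a second layer, but that did not exist when this post was written.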

How does it work?

Well, here is a shot of my friend looking for me on Myspace:

[Screenshot: msvids1.gif]

Naturally enough, they find me:

[Screenshot: http://blog.spywareguide.com/upload/2008/04/msvids2-thumb.gif]

They click on the top link, and visit my page.

[Screenshot: http://blog.spywareguide.com/upload/2008/04/msvids3-thumb.gif]

However, if they now go and check their video channel subscriptions, they'll find they've automatically been subscribed to my video channel.

[Screenshot: http://blog.spywareguide.com/upload/2008/04/msvids4-thumb.gif]

At this point, it's time to let my friend log out and log back in as myself. If we now look at a screenshot (which I took myself while logged in), you can see I have a new subscriber - the person that just visited my profile (bottom left):

[Screenshot: http://blog.spywareguide.com/upload/2008/04/msvids5-thumb.gif]

As time goes by and more people visit my profile, they'll all find themselves automatically added to my subscriber list:

[Screenshot: http://blog.spywareguide.com/upload/2008/04/msvids6-thumb.gif]

In this way, you will have a record of every single Myspace user that has visited your profile page.

How can you combat this?

Well, it's surprisingly easy to get around this scam (which Myspace are working to fix, by the way - we notified them of this on Sunday, and I know at least one other individual has apparently reported this too). If you're a regular Myspace user, you may not be too bothered by being subscribed to some random person's video channel. If it bugs you, simply go to

http://vids.myspace.com/index.cfm?fuseaction=vids.myvideos

Then click "My Subscriptions", and under the "Subscriptions by User" category it'll show a list of every person who you are currently subscribed to. Click their Username, then hit "Unsubscribe".

Job done.

If you happen to be in Law Enforcement, Security Research (or happen to be anyone that doesn't particularly want to be tracked in this way, for that matter), simply add the line below to your HOSTS file, which points the video subdomain at your own machine so the request never reaches Myspace:

127.0.0.1 vids.myspace.com

And all subscription attempts should fail miserably.
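To make that HOSTS change repeatable (and to confirm it actually took), here is an added helper, not from the original post, that appends the override only when it is missing and reads the file back the way a resolver would (first match wins, `#` starts a comment). It assumes the conventional `<ip> <hostname> [aliases...]` syntax shared by Windows and Unix HOSTS files; the file path is whatever your system uses, and the sample file contents in the test are constructed.

```python
"""Add a HOSTS-file override that sinks a hostname to 127.0.0.1, and check it.

Added example, not from the original post. Assumes the conventional HOSTS
syntax: '<ip> <hostname> [aliases...]', with '#' starting a comment.
"""
from pathlib import Path

LOOPBACK = "127.0.0.1"


def hosts_entries(text):
    """Parse HOSTS text into (ip, [hostnames]) tuples; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def resolves_to(text, hostname):
    """Address the HOSTS text maps hostname to, or None if it is not listed.
    The first matching line wins, which is how resolvers read the file."""
    hostname = hostname.lower()
    for ip, names in hosts_entries(text):
        if hostname in names:
            return ip
    return None


def add_override_text(text, hostname, ip=LOOPBACK):
    """Return (new_text, changed). Appends '<ip> <hostname>' unless present.
    Refuses to silently shadow an existing, different mapping: because the
    first line wins, appending would not take effect, so the operator must look."""
    existing = resolves_to(text, hostname)
    if existing == ip:
        return text, False
    if existing is not None:
        raise ValueError(f"{hostname} already mapped to {existing}; edit that line")
    if text and not text.endswith("\n"):
        text += "\n"
    text += f"{ip} {hostname}   # sink requests to this host locally\n"
    return text, True


def add_override_file(hosts_path, hostname, ip=LOOPBACK):
    """File wrapper: read, patch, write back. Returns True if the file changed."""
    path = Path(hosts_path)
    text = path.read_text() if path.exists() else ""
    new_text, changed = add_override_text(text, hostname, ip)
    if changed:
        path.write_text(new_text)
    return changed


if __name__ == "__main__":
    # Hypothetical path; on Windows the file lives under the system32 drivers\etc folder.
    print(add_override_file("/etc/hosts", "vids.myspace.com"))
```

One caveat worth knowing before you apply it: the override blocks every request to that host from your machine, so Myspace video features stop working for you as well, which is the trade-off the post is recommending. Remove the line once Myspace confirms the fix.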

The last contact I had with Myspace was last night, and they said

"Hello,
We are working to fix this error. We do not have a reliable estimate at this time.

Thank you,
MySpace.com"

Hopefully, they will fix this quickly. The damage is already done, and bad people are using this to full effect. The issue here is that the only people who seemingly didn't know about it were the good guys - the ones most at risk from this code. The only way to mitigate this risk to people hunting the bad guys is to provide a simple (yet entirely effective) antidote to this latest wave of dubious behaviour, which we've provided for you above.

Take my advice and use it until Myspace can confirm this is entirely locked down.


About this Entry

This page contains a single entry by Christopher Boyd published on April 1, 2008 5:25 PM.
