Myspace: April 2008 Archives

April 1st, 2008: Who Is Watching the Detectives?

We write about an interesting "system error" (as Myspace called it) that allowed people to track other Myspace users that were visiting their page, after having notified Myspace about this issue.

April 16th, 2008: Who Is Watching the Detectives Part 2

This still hasn't been fixed, and (worse still) it looks like this has been in circulation since at least October 2007. Hurry up, Myspace...

April 30th, 2008: It looks like this has finally been fixed, and it's no longer possible to auto subscribe visitors to your video subscription channel. Hooray! Score one for the good guys - that's one less tool hackers, Myspace Trolls and crapflooders can use to game the system.

One down, plenty to go....

A few weeks ago, I wrote about a technique that could be used to track the people hunting bad guys on Myspace. Well, I was curious how long this had been in circulation for. Thankfully, some of the people using this are pretty stupid so of course, wandering through their photo galleries proved particularly useful:

newcde1111.jpg

Check out the date - October 26th, 2007. So this has been in circulation since at least that date....oh dear. Note that this particular individual talks about using it in conjunction with IP trackers, too. I've been somewhat out of the loop on this one due to attending conferences, but I've just tried it out again and can confirm that it still works.

As we said in the original blog entry, if you don't want people to track you in this way (until Myspace actually fix this) then add the following to your HOSTS file:

127.0.0.1 vids.myspace.com

...and you should be fine.

It's well known that law enforcement, security researchers and groups that track down / remove pedophiles, trolls and crapflooders from Myspace spend a lot of time networking, watching profiles, tracking dubious individuals through their postings, friends lists and other things too numerous to mention.

It's a tricky business, and can potentially place people like myself at great risk of being found out, exposed or run over the coals if one of these bad guys works out you've been trailing them for the past three months.

What happens, though, when the bad guys have a method to know exactly who is watching them? And what are the consequences?

Well, ponder no more because they're already doing it. Someone, somewhere has come up with a method to track people using Myspace itself - if you visit that person's profile, they will know who you are and be able to take (in)appropriate action. This method is already in use amongst Myspace trolls, and has been seen pasted to at least one hacking forum. You can bet this is doing the rounds on the underground circuit.

How do they do this?

By taking a few lines of code and placing it onto their profile (note that we're not disclosing any information about the code yet, as Myspace are still fixing this and we don't want to help more people to use this than are already doing so). When you visit that profile, you are automatically subscribed to that person's video channel.

Simple, sneaky, effective. To the regular user, this isn't too much of an issue - people can paste in coded "trackers" onto Myspace pages that attempt to log IP Addresses, browser type, country etc. "All" this does is tell the bad guy which Myspace users have visited their page.

However, this isn't so good for anyone hunting down hackers, pedophiles and other dubious characters because

a) they will know if, say, Paperghost has suddenly started poking around their profile and
b) pedophiles and other predators will spot "Officer Jackson" popping up on their subscriber list and likely go underground or vanish altogether.

Worse, the code can be pasted anywhere - a hacker could place it on their blogspot blog, or a forum, or anywhere else for that matter - if someone visits that page while logged into their Myspace account, they will still potentially end up on the hacker's subscriber list.

How does it work?

Well, here is a shot of my friend looking for me on Myspace:

msvids1.gif

Naturally enough, they find me:

http://blog.spywareguide.com/upload/2008/04/msvids2-thumb.gif

They click on the top link, and visit my page.

http://blog.spywareguide.com/upload/2008/04/msvids3-thumb.gif

However, if they now go and check their video channel subscriptions, they'll find they've automatically been subscribed to my video channel.

http://blog.spywareguide.com/upload/2008/04/msvids4-thumb.gif

At this point, it's time to let my friend logout and log back in as myself. If we now look at a screenshot (which I took myself while logged in), you can see I have a new subscriber - the person that just visited my profile (bottom left):

http://blog.spywareguide.com/upload/2008/04/msvids5-thumb.gif

As time goes by and more people visit my profile, they'll all find themselves automatically added to my subscriber list:

http://blog.spywareguide.com/upload/2008/04/msvids6-thumb.gif

In this way, you will have a record of every single Myspace user that has visited your profile page.

How can you combat this?

Well, it's surprisingly easy to get around this scam (which Myspace are working to fix, by the way - we notified them of this on Sunday, and I know at least one other individual has apparently reported this too). If you're a regular Myspace user, you may not be too bothered by being subscribed to some random person's video channel. If it bugs you, simply go to

http://vids.myspace.com/index.cfm?fuseaction=vids.myvideos

Then click "My Subscriptions", and under the "Subscriptions by User" category it'll show a list of every person who you are currently subscribed to. Click their Username, then hit "Unsubscribe".

Job done.

If you happen to be in Law Enforcement, Security Research (or happen to be anyone that doesn't particularly want to be tracked in this way, for that matter) simply add the below to your HOSTS file:

127.0.0.1 vids.myspace.com

And all subscription attempts should fail miserably.
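A HOSTS line only takes effect when the hostname follows an IP address, so it is worth checking that the block is really in place. The sketch below is an added example, not code from the original post: it parses HOSTS text, reports whether vids.myspace.com is pointed at a loopback or null address, and adds the line if it is missing. The function names, the 127.0.0.1 sink address and the rule that the first matching line wins are assumptions of this example.

```python
import ipaddress

BLOCKED_HOST = "vids.myspace.com"  # hostname the post says to block
SINK_ADDRESS = "127.0.0.1"         # assumption: loopback as the sink address

def parse_hosts(text):
    """Yield (address, names) for every usable HOSTS line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment, or a bare hostname with no address
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield addr, [name.lower().rstrip(".") for name in fields[1:]]

def is_sinkholed(text, host=BLOCKED_HOST):
    """True if the first entry naming host is loopback or 0.0.0.0 / ::."""
    host = host.lower()
    for addr, names in parse_hosts(text):
        if host in names:
            return addr.is_loopback or addr.is_unspecified
    return False

def ensure_sinkholed(text, host=BLOCKED_HOST):
    """Return HOSTS text in which host is sinkholed, unchanged if it already is."""
    if is_sinkholed(text, host):
        return text
    # Prepend so the new line wins even if a later line maps host elsewhere.
    return f"{SINK_ADDRESS} {host}\n{text}"

# Constructed sample: a bare hostname line with no address, not a valid entry.
SAMPLE = "127.0.0.1 localhost\nvids.myspace.com\n"

if __name__ == "__main__":
    print("before:", is_sinkholed(SAMPLE))
    print("after: ", is_sinkholed(ensure_sinkholed(SAMPLE)))
```

Run it against a copy of the HOSTS file contents rather than editing the live file in place.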

The last contact I had with Myspace was last night, and they said

"Hello,
We are working to fix this error. We do not have a reliable estimate at this time.

Thank you,
MySpace.com"

Hopefully, they will fix this quickly. The damage is already done, and bad people are using this to full effect. The issue here is that the only people who seemingly didn't know about it were the good guys - the ones most at risk from this code. The only way to mitigate this risk to people hunting the bad guys is to provide a simple (yet entirely effective) antidote to this latest wave of dubious behaviour, which we've provided for you above.

Take my advice and use it until Myspace can confirm this is entirely locked down.

About this Archive

This page is an archive of entries in the Myspace category from April 2008.
