The month of Facebook bugs begins!

As posted previously by theharmonyguy…the month of Facebook bugs has begun!

One of our contributors theharmonyguy will hopefully be posting one Facebook application bug per day for the month of September.  He is going to keep this up for the entire month if he can.  He does need your help though!  If you have a bug you found either in Facebook or in a Facebook application, please send it to theharmonyguy [aT] gmail.  Full credit will be given to you for finding a bug.

Lets hope this month we raise some awareness of vulnerabilities in Facebook and the Facebook application platform!  Look for the hashtag of #FAXX on Twitter for news and alerts on new vulnerabilites found this month.

You can find out more information in this great article over at DarkReading on the month of Facebook bugs.

Defeating MSPLinks on MySpace

myspace_msplinksThe following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URL’s. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilites they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because MSPLinks.com trusts post requests from MySpace.com.

A working example can be found at: http://www.myspace.com/socnetsec

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari takes you straight through to the link, Firefox pops up a warning asking if you want to post your data to MSPLinks)

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="POST">
<input type="submit" name="coolbutton" value="SETTING DISCHECK" />
<input type="hidden" name="discheck" value="on" />
</form>
<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="GET">
<input type="submit" name="coolbutton" value="NO DISCHECK" />
</form>

What’s the point?  Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed.  Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method.  Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things.  Especially if they are already masked like they are via MSPLinks.  MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better then MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.

Call for Volunteers and Contributors!

Want to help out with socialmediasecurity.com?  Have content and/or ideas to contribute?  Join our volunteer mailing list to join the discussion!