Request Forgeries on MySpace

I thought I would take a bit to explain some request forgeries Shawn Moyer and I found on MySpace and a couple of other social networking sites. These were demonstrated at our presentations at both Black Hat and Defcon. We found several functions where we could modify the request and trick the user's browser into making requests they didn't intend. This is classic CSRF with one added advantage: the forged request is planted on the site itself, so it fires while the victim is on the page. Of the two demos we showed, one got a victim's web browser to send a friend request to a user of our choice and the other logged users out. There were also more stealthy actions we could have taken, such as blocking communication from all visitors to a user's home page.

What made these request forgeries that much worse was the fact that we inserted them on the site we were attacking. In our case we used an image tag that pointed at some offsite Python code, which redirected the browser back to MySpace. This gave us close to a 100% success rate, because the request fired the moment a logged-in user viewed the page. We could do this not only on profiles we owned but anywhere that allowed us to link to offsite content, such as profile comments, photo comments, blog postings, classifieds, and many other places.

I am not sure people realize how serious this can be for the owner of the social network. If attacks using these methods propagate through the network by some automated, semi-automated, or even planned method, they could cause DoS conditions that would be hard for the lay person to identify and fix. Being logged out constantly would be bad, but more covertly, someone could get you to block communication with everyone who visits your profile. That could be hard to catch.

Offsite Content = Fail

When you allow linking to offsite content you are inviting failure. That content is beyond the control of the social network. As an attacker, all you care about is the GET request the browser issues to retrieve the content; the fact that it fails to return a usable image is inconsequential. What we did was use what was available to us on a MySpace profile page and in comments, which was the IMG tag. We used it to make the victim's browser request an image that didn't exist. That GET hit a redirect on our server, and the browser followed the redirect to a crafted URL on MySpace carrying whatever payload we wanted, in our case a friend request or a logout.
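To make the mechanics concrete, here is an added example (not the code from the original post, and not MySpace's real endpoints) that models the whole chain in one process: the attacker's redirector that answers an image fetch with a 302, a vulnerable GET endpoint on a hypothetical social site (origin social.example.test, path /friend/add) that trusts the session cookie alone, and a hardened variant (/friend/add_safe) that requires a POST carrying a per-session synchronizer token. The hostnames, paths, session store and token are all constructed for the example.

```python
"""Image-tag CSRF via an offsite redirect, modelled in-process with WSGI.
Added example; hostnames, paths, the session store and the token are all
hypothetical, not MySpace's. The victim is assumed to be logged in."""
import hmac
import io
from urllib.parse import parse_qs, urlencode, urlsplit

SITE = "https://social.example.test"   # hypothetical social network origin
ATTACKER_UID = "1234"                  # profile the victim will be made to friend

# Constructed session store: the browser attaches sid=sess-abc to every
# request for SITE, including requests it was tricked into making.
SESSIONS = {"sess-abc": {"user": "victim", "csrf": "k3hT9x", "friends": set()}}


def call(app, method, path, query="", cookie="", body=b""):
    """Minimal in-process WSGI client; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


def redirector(target_path):
    """The 'image' linked from a comment. It never returns a picture: every GET
    gets a 302 to a state-changing URL on the social site, which the victim's
    browser follows with its cookies attached."""
    def app(environ, start_response):
        location = f"{SITE}{target_path}?{urlencode({'uid': ATTACKER_UID})}"
        start_response("302 Found", [("Location", location), ("Content-Length", "0")])
        return [b""]
    return app


def _session(environ):
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def _reply(start_response, status, body=b"", headers=()):
    start_response(status, list(headers))
    return [body]


def add_friend_vulnerable(environ, start_response):
    """GET endpoint where the cookie alone proves intent: a forged GET is
    indistinguishable from a real click. This is the bug the post describes."""
    sess = _session(environ)
    if sess is None:
        return _reply(start_response, "401 Unauthorized", b"login required")
    uid = parse_qs(environ["QUERY_STRING"]).get("uid", [None])[0]
    if uid:
        sess["friends"].add(uid)
    return _reply(start_response, "200 OK", b"friend request sent")


def add_friend_hardened(environ, start_response):
    """POST-only endpoint with a synchronizer token. An <img> or a redirect can
    only produce a GET and never learns the token, so the forgery is rejected."""
    sess = _session(environ)
    if sess is None:
        return _reply(start_response, "401 Unauthorized", b"login required")
    if environ["REQUEST_METHOD"] != "POST":
        return _reply(start_response, "405 Method Not Allowed", headers=[("Allow", "POST")])
    raw = environ["wsgi.input"].read(int(environ["CONTENT_LENGTH"] or 0))
    form = parse_qs(raw.decode())
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return _reply(start_response, "403 Forbidden", b"bad csrf token")
    uid = form.get("uid", [None])[0]
    if uid:
        sess["friends"].add(uid)
    return _reply(start_response, "200 OK", b"friend request sent")


ROUTES = {"/friend/add": add_friend_vulnerable, "/friend/add_safe": add_friend_hardened}


def site(environ, start_response):
    handler = ROUTES.get(environ["PATH_INFO"])
    if handler is None:
        return _reply(start_response, "404 Not Found")
    return handler(environ, start_response)


def browser_loads_image(target_path, cookie="sid=sess-abc"):
    """What the victim's browser does for <img src="http://attacker.test/x.jpg">:
    fetch the 'image', follow the 302, and send SITE's cookies with the redirected
    GET. Returns the status line the social site answered with."""
    status, headers, _ = call(redirector(target_path), "GET", "/x.jpg")
    assert status.startswith("302")
    parts = urlsplit(headers["Location"])
    status, _, _ = call(site, "GET", parts.path, parts.query, cookie=cookie)
    return status


def friends_of(session_id="sess-abc"):
    return set(SESSIONS[session_id]["friends"])
```

Running `browser_loads_image("/friend/add")` returns a 200 and the attacker's id appears in the victim's friend set, while `browser_loads_image("/friend/add_safe")` gets a 405 because the redirect can only produce a GET; a forged POST would still fail the token check. The token is the thing the attacker cannot obtain from an image tag, which is why the method restriction alone is not enough.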

Just think: if MySpace disabled linking to offsite content, millions of MySpace profiles would instantly look much better ;)

Same Site Content = Fail

Sometimes content on the same site can equal fail as well. If the social network allows certain HTML tags such as iframes or meta tags, these can be used to construct request forgeries too. The src attribute of the iframe tag and a meta refresh can both point the browser at another location from which to request content. These would not even have to leave the social network and be redirected: the iframe or refresh can target the logout or block URL directly. That would make it SSRF (Same Site Request Forgery) or just RF (Request Forgery). Hahah. Ok, now this is getting silly, let's move on. (SSRF has since become the established name for server-side request forgery, where a server rather than the browser is tricked into making the request, which is a different bug.)
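The fix both sections point at is the same: do not let user-supplied markup make the browser fetch anything the site does not control. As an added example (not the original post's code and not MySpace's filter), here is an allowlist-based comment filter that drops iframe, meta, script and every other unlisted tag outright, drops an img entirely unless its src is a relative path or an http(s) URL on a hypothetical allowed host (social.example.test or images.social.example.test), and strips offsite or javascript: hrefs from links. The allowed hosts and tag list are assumptions for the example; a production site should lean on a maintained sanitizer library rather than a hand-written parser, but the allowlist logic is the part worth seeing.

```python
"""Allowlist filter for profile comments: no offsite images, no iframes, no
meta refresh, no scripts. Added example with hypothetical allowed hosts."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"social.example.test", "images.social.example.test"}  # assumption
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
VOID = {"br", "img"}                       # tags that take no closing tag


def same_site(url):
    """True only for relative paths or absolute http(s) URLs on an allowed host.
    Scheme-relative (//host/x), javascript:, data:, user@host and backslash
    tricks all fail, because urlsplit either sees a scheme or a foreign host."""
    url = url.strip()
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return True
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


class CommentFilter(HTMLParser):
    """Re-emits only allowlisted tags and attributes. Text inside script,
    style, iframe, object and embed is discarded along with the tag."""
    DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                            # unknown tag (meta, etc.) vanishes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # onclick, style, ... dropped
            if name in ("src", "href") and not same_site(value or ""):
                if tag == "img":
                    return                    # offsite image: drop the whole tag
                continue                      # offsite link: keep text, drop href
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))     # re-escape decoded text


def sanitize(comment_html):
    """Return the allowlisted subset of a user-supplied comment."""
    parser = CommentFilter()
    parser.feed(comment_html)
    parser.close()
    return "".join(parser.out)
```

With this in place, `<img src="http://attacker.test/pic.jpg">` and `<img src="//attacker.test/x.jpg">` disappear from the comment, `<iframe src="/logout">` and `<meta http-equiv="refresh" ...>` are removed even though they point at the same site, and `<img src="/pics/1.jpg" alt="me">` survives unchanged.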

Combining Technical and Social Attacks

Think about the impact of combining a couple of these attacks with a social attack. For instance, say you want to take over the profile of another user. Most likely, depending on privacy settings, you can see that person's friends. You tag their profile with a request forgery that blocks communication to all visitors of the profile. You then create a new profile impersonating the person and send their friends new friend requests, claiming that you forgot your password and want to re-add them as friends. Since the real profile is now blocking its visitors, the friends have no easy way to check the story against the real account. Combined technical and social attacks can lead to a higher degree of success, depending on the attacker's goal.

This kind of blended threat is going to be much more common in the future, and we are starting to see it now: sites that use social methods to get people to download malware or take whatever action the attacker wants. The reason these attacks are so successful is the user's implied trust and complacency. Be on the lookout for this more and more, especially as technical defenses go up.

Fixing Your Profile

If your comments, photo pages, blog, or some other part of your profile have been tagged, there are a couple of steps you can take to remove the content and protect yourself in the future. Since the profile content is rendered HTML, it takes a few steps to remove. In the case of a logout payload, the comments will render and log you out before you can remove them. What you can do is block the domain that is serving the logoff, which will most likely be collect.myspace.com (a hosts-file entry or a browser blocking extension will do); once that domain is blocked, remove the content, then re-enable collect.myspace.com. If it is something like a communication block, just remove the offending content (whichever it may be) and then use some channel outside the social network to contact your friends.

You should also go through your profile settings and ensure that HTML comments are turned off wherever possible. This gives you a better handle on what content people can put on your profile. Of course, this doesn't help you when visiting other people's pages.

If you notice shenanigans where you suspect someone is doing something malicious, report it to the abuse contact at MySpace or at whatever social network you are using. That is what they are there for. The MySpace security team is working hard behind the scenes looking for items like those described here, so make sure you report anything you notice to them.

Oh… I am already on their watch list, so don't blame it on me because they will know it wasn't ;) 0_0 They are watching me 0_0