lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <116791eb0601061159n30e317adl949dbe3bed5cb339@mail.gmail.com>
Date: Fri Jan  6 20:00:06 2006
From: compromise at gmail.com (Xavier)
Subject: FW: myspace - add hundreds of friends instantly
	and automatically with this awesome tool

Debasis,

it looks like the 'bot' simply automates the process in which friends
are invited, or at least thats what the FAQ seems to make one think:

"Q: Picture varification code comes up while adding friends
why?
A: One of Myspace's new security features.  It pops up
every once in a while, just punch the numbers in and the
program is good to keep going."

if this bot indeed exploited some sort of XSS hole, and propagated, or
used some sort of attack technique to automatically invite users
without acceptance of the target user -- then that'd be interesting to
dissect. however I do not think that is the case:

"Q: It stoped adding friends. What happened?
A: MySpace.com has limits in their site where you can only
add so many at a time. Try to stay under 450 per day and
you sould be fine."

as for that 'virtually invisible' part, now I'd like to know what the
author of that site meant by that -- unless a second account is
created to send the invites from, and within the invites themselves
contained the real user seeking friends. *shrug*

-- Xavier.


On 1/6/06, Debasis Mohanty <mail@...kingspirits.com> wrote:
>
>
>
> Although I am not much familiar  with myspace and have never used it but the samy's outbreak was really  interesting and dragged my attention a little towards such worms.
>
>
>
> It seems 'samy' is not alone in  this field and there are couple of bots seems to be still exploiting myspace. http://myfriendadder.com/index.html
>
> The interesting part is this  particular bot claim to make the attacker's login ID invisible to the admins -
>
>
>
> http://myfriendadder.com/faq.html
>
> <snip>
>
> Q: Can I be banned by using this  program?
> A: This version of the program makes you  invisible to
> myspace.com admins making you  'virtually unbannable'.
>
> </snip>
>
>
>
> A myspace friend adder bot project  bid can seen here
>
> http://www.getafreelancer.com/projects/Visual-Basic/MySpace-Friend-Adding-Bot.html
>
>
>
> A quick googling  result
>
> http://www.google.co.in/search?q=myspace+bot&btnG=Search&hl=en
>
>
>
>
>
> - Debasis
>
>
>  ________________________________

> From: myspace technical  group [mailto:support@...pace.com]
> Sent: Friday, January 06, 2006  1:33 AM
> To: mail@...kingspirits.com
> Subject: myspace - add  hundreds of friends instantly and automatically with this awesome  tool
>
>
>  This message  was brought to you from your subscription to myspace
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ