Month of MySpace bugs: apply cluebat

From Slashdot – (disclaimer: I hate MySpace)

An anonymous reader passed us a link to PC World’s coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the ‘Month of X Bugs’, they are set up to ‘highlight the monoculture-style danger of extremely popular websites.’ Though it’s supposed to be funny, outside security analysts have apparently been consulted on the project.

“Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he’d been contacted by the Month of MySpace team with legitimate security questions. ‘Those guys and I have been keeping in touch,’ said Robert Hansen, chief executive of Sectheory.com. ‘It’s funny but it’s not a joke.’”

The article follows with a pretty good anonymous comment summing up my reasons against the site:

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

Solution: Delete MySpace.

The problem with MySpace is twofold, in my opinion:

  1. Its demographic consists of susceptible people. Susceptible, in this case, means “people likely to click the flashing banners.” It also means that anything with a vaguely social networking appeal will have a profound impact on these users, and as such, a modified login screen wouldn’t look too out of place.
  2. Its technical issues are vast, already. How many times has the site been exploited so far? Allowing raw HTML is a recipe for disaster, and combined with its userbase (who largely wouldn’t understand the concept behind closing tags) you have potential for thirty actual, bona fide bugs. Cross site scripting? Stealing cookies? Falsifying login fields? Installing spyware? Local denial of service exploits? They’re all there.

Unlike the Month of Apple Bugs, where the orchestrators had to reach for third-party applications to achieve a month’s worth of exploits, this exposé has the potential to affect over a hundred million spambot accounts, and maybe 20 million “legitimate” ones.

Start up your firewalls and HOSTS file blocking, people…
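The comment’s second point (letting users post raw HTML in profiles leads straight to cross-site scripting) is the one a defender can act on. The block below is an added illustration, not code from the post or from MySpace: a small allow-list sanitizer built on Python’s `html.parser` that keeps a handful of harmless tags, strips every attribute that is not explicitly allowed (so no `onclick`/`onerror` handlers survive), drops `<script>`/`<style>` together with their contents, only lets `href`/`src` through for absolute `http(s)` URLs, and closes whatever tags the user left open. The tag and attribute lists are assumptions chosen for the example, not any real site’s policy, and `CONSTRUCTED_PROFILE` is a constructed input.

```python
"""Allow-list sanitizer for user-supplied profile HTML (illustrative, not MySpace's code)."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for this example: tags a profile page might reasonably permit.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
# Per-tag attribute allow-list. Event handlers (onclick, onerror, ...) are never listed,
# so they are dropped by default rather than having to be enumerated and blocked.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded along with the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://")


def is_safe_url(value: str) -> bool:
    """Only absolute http(s) URLs pass; javascript:, data: and relative tricks do not."""
    return value.strip().lower().startswith(SAFE_SCHEMES)


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, so we can close them
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not is_safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # a self-closing <script/> has no content; drop it outright
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close down to the matching tag so the output stays well-formed.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is never emitted raw

    def result(self) -> str:
        # Close anything the user forgot, so a stray <i> cannot restyle the host page.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(user_html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(user_html)
    parser.close()
    return parser.result()


# Constructed sample of what a profile editor might receive (not taken from the post).
CONSTRUCTED_PROFILE = (
    '<p onclick="alert(1)">about <b>me</b><script>alert(1)</script>'
    '<a href="javascript:alert(1)">link</a><a href="https://example.com/">ok</a>'
    '<img src="x" onerror="alert(1)"><i>unclosed &lt;3'
)

if __name__ == "__main__":
    print(sanitize(CONSTRUCTED_PROFILE))
```

The design choice worth copying is the direction of the list: everything is denied unless named, which is why a new attribute or tag the site never thought about cannot slip through. Run on the constructed input, the script, the inline handlers and the `javascript:` link all disappear while the ordinary formatting, the `https` link and the user’s text (escaped) remain, and the unclosed `<i>` and `<p>` are closed for them.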