Slashdot Mirror


April to See Month of MySpace Bugs

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

10 of 165 comments

  1. But April only has 30 days by Anonymous Coward · · Score: 5, Insightful

    You'd think they'd do a year of MySpace bugs.

    1. Re:But April only has 30 days by Anonymous Coward · · Score: 4, Funny

      Wow, looks like someone forgot to check "Post Anonymously".

  2. Re:well by Omnifarious · · Score: 5, Interesting

    Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

    Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

  3. Myspace allows XSS redirect for malware execution by Anonymous Coward · · Score: 4, Informative

    I have had it happen about 4 times. It's a redirect not properly sanitized (or injected in JavaScript); each time I'm redirected to http://193.x.x.x/somenasty.html, and it's basically an IE 6.0 exploit. I can guarantee myspace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!

  4. clown shoes security? by sfjoe · · Score: 5, Insightful

    I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
    If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them then is a fool's errand.

    --
    It's simple: I demand prosecution for torture.
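
The contrast drawn in the comment above (pattern detection versus "that which is not explicitly allowed is denied"), applied to the kind of unsanitized redirect the previous comment describes. This is an added example, not part of the thread and not MySpace's code; the function names, host names and addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# All values below are constructed for illustration (documentation-reserved
# names and addresses); none come from the thread or from MySpace.
BLOCKED_SUBSTRINGS = ("javascript:", "192.0.2.10")           # known-bad patterns
ALLOWED_HOSTS = {"www.example.com", "profile.example.com"}   # explicit allowlist


def blocklist_allows(target: str) -> bool:
    """Pattern detection: permit anything without a known-bad substring."""
    return not any(bad in target for bad in BLOCKED_SUBSTRINGS)


def allowlist_allows(target: str) -> bool:
    """Deny by default: permit only same-site paths or https to listed hosts."""
    # Reject characters that browsers and URL parsers normalise differently.
    if target != target.strip() or any(ch in target for ch in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash path on this site.
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and host in ALLOWED_HOSTS


SAMPLES = [                                   # constructed redirect targets
    "/inbox?page=2",
    "https://www.example.com/home",
    "http://192.0.2.10/landing.html",         # exact match for a blocked pattern
    "//192.0.2.20/landing.html",              # different host, scheme-relative
    "JaVaScRiPt:void(0)",                     # same scheme, different case
    "https://www.example.com@192.0.2.20/",    # allowed name in userinfo only
]


def compare(samples=SAMPLES):
    """Map each target to (blocklist verdict, allowlist verdict)."""
    return {s: (blocklist_allows(s), allowlist_allows(s)) for s in samples}


if __name__ == "__main__":
    for target, (bl, al) in compare().items():
        print(f"{target!r:45} blocklist={bl!s:5} allowlist={al}")
```

The blocklist stops only the one target that matches a stored pattern exactly; the allowlist rejects every variant without needing to know about any of them.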
  5. Bug Filing Number 1 by Anonymous Coward · · Score: 5, Funny

    Status: OLD

    Severity: Major

    Reproducible: Always

    Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

    Solution: Delete Myspace.

  6. but... by netdur · · Score: 5, Funny

    myspace itself is a bug

    --
    "Steve Jobs invented the world" -- Bill W. GATES
    1. Re:but... by Rakshasa Taisab · · Score: 4, Funny

      Some complain that the "Month of MySpace Bugs" should have moved to May, so as to avoid the unfortunate collision with the "Stealing Candy from Babies Day".

      --
      - These characters were randomly selected.
  7. Re:Why is it "funny" to exploit security bugs? by QuantumG · · Score: 4, Interesting

    Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default MySQL account active. We're talking about writing shit in PHP and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.

    --
    How we know is more important than what we know.
  8. Re:It's that time of the month again by joebagodonuts · · Score: 4, Funny

    I know you are, but what am I?

    --
    "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy