Two hackers are planning to fill April's calendar with a month's worth of MySpace vulnerabilities - if the project isn't an April Fools' Day prank. The pair, known only as Mondo Armando and Mustachio, revealed their plans on Thursday in a LiveJournal post, saying the purpose of their project is "to highlight the monoculture-style danger of extremely popular websites populated by users of various levels of sophistication."
"We could have just as easily gone after Google or Yahoo or MSN or ZDNet or whatever," the hackers said, adding that they didn’t think MySpace is as forthcoming as it should be about security issues.
The duo also referenced convicted MySpace hacker Samy Kamkar by commenting, "Also, Samy is my hero" in their Friday post.
Kamkar was sentenced in January to three years of probation and ordered to carry out 90 days of community service for a cross-site scripting worm he unleashed on the social networking site in late 2005.
The hackers also urged colleagues who have discovered MySpace bugs to send in information on the flaws, saying they'll accept any proof-of-concept bugs that affect MySpace applications and remain unpatched.
Andrew Storms, director of security operations at nCircle, told SCMagazine.com today that the project could be an elaborate April Fools’ Day joke.
"Quite honestly, from the information I’ve been reading, the level of professionalism compared to the other (month-long bug projects) is just not up to pace with the other guys," he said.
And while he thinks month-long vulnerability projects are beneficial, Storms said he'd like to see hackers give vendors and software creators advance warning before the release.
"I think the best thing to say is that ideally we’d like to see these continue, but in a more organised fashion," he said. "It would be nice [for hackers] to give their 30 bugs to MySpace this week, so at least it would give the vendors a heads-up, as well as the security operations, so they could say, ‘We knew it was coming.’ Then they could release the bugs every day."
A MySpace representative could not immediately be reached for comment.