Two hackers on Sunday began their planned month of MySpace bugs project that is expected to reveal 30 vulnerabilities this month that affect the popular social networking site.The pair, known only as Mondo Armando and Mustachio, said on their LiveJournal site on Saturday that they plan to notify MySpace of each bug prior to publication, but they were not hopeful security officials would respond.
"We are not working with MySpace, although we would be happy to," the hackers said, adding they are using the month to highlight the dangers of sites similar to MySpace that have "users of various levels of sophistication."
Over the next few weeks, the hackers said they plan to reveal a variety of bugs, including flaws for cross-site scripting (XSS) attacks or ones that permit unauthorised access to user profiles.
The pair kicked off the initiative with a well-known vulnerability. Users can edit their profiles using cascading style sheet (CSS) language and customise their profile URLs. That means hackers conceivably can create the profiles to resemble the MySpace login page and use a legitimate-sounding URL to trick users into giving up their credentials.
"It’s a pretty light one and we don’t really expect the MySpace Security Squad to actually do a lot of code changes on Sunday," the hackers said.
Today the pair disclosed a vulnerability on the "cms.goto" application of "profile.myspace.com." that is caused by a lack of input validation and can lead to an XSS attack.
A MySpace spokesperson could not immediately be reached for comment.
Jeremiah Grossman, CTO of WhiteHat Security, told SCMagazine.com today that the project underscores the vulnerability of most sites on the web. However, hackers are more likely to target MySpace flaws because the site has more than 130 million members.
"It's just a popular target," he said. "Nothing's necessarily more susceptible about it."
The undertaking is interesting because it focuses on a particular site, not a product or a system component as similar month-long projects have done, Grossman said.
"The popular websites out there are going to have to deal with disclosure just like the Microsoft and Oracles of the world," he said.
And over the summer, the site suffered from flawed banner ads that hosted the Windows metafile vulnerability, permitting drive-by downloads.