MySpace obliterates security researcher’s profile page

Posted by Humphrey Cheung

Las Vegas (NV) – MySpace gave a digital smackdown to a security researcher yesterday after he had disclosed security vulnerabilities in the popular social networking site.  

Speaking at the Defcon computer security convention, Rick Deacon demonstrated a cross-site scripting attack that uses a combination of JavaScript, iFrames and a separate web server.  By tricking users into clicking on a bogus link, he showed that it is possible to copy session cookies and log data into the victim’s MySpace page.
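The attack described above works because injected markup is rendered as live HTML and because the session cookie is readable from script in the page. As an added illustration (not code from the article or from Deacon's talk, and using constructed sample values rather than any MySpace data), the following JavaScript shows the two defensive controls that blunt it: HTML-escaping user-supplied profile text before rendering it, and issuing the session cookie with the HttpOnly, Secure and SameSite attributes so page script cannot read it. The function names and the sample payload are assumptions for the illustration.

```javascript
// Added illustration (not from the article or Deacon's demonstration).
// Inputs are constructed sample values, not real MySpace profile data.

// 1. Output encoding: user-supplied profile text is HTML-escaped before it is
//    rendered, so injected <script> or <iframe> markup becomes inert text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render one profile field into a page fragment with both label and value escaped.
function renderProfileField(label, value) {
  return `<p><b>${escapeHtml(label)}</b>: ${escapeHtml(value)}</p>`;
}

// Audit helper: does a rendered fragment still contain an active script or
// frame tag? A correct encoder never lets one through.
function containsActiveMarkup(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// 2. Cookie hardening: HttpOnly keeps the cookie out of document.cookie, so
//    script injected into the page cannot copy it to a separate server;
//    Secure keeps it off plaintext HTTP; SameSite limits cross-site sends.
function sessionCookieHeader(name, value, { maxAgeSeconds = 3600 } = {}) {
  // Reject names/values that could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `${name}=${value}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Set-Cookie header back into its flags, for checking server output.
function cookieAttributes(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const lower = attrs.map((a) => a.toLowerCase());
  const sameSite = lower.find((a) => a.startsWith('samesite='));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: lower.includes('httponly'),
    secure: lower.includes('secure'),
    sameSite: sameSite ? sameSite.split('=')[1] : null,
  };
}

// Constructed demo input resembling markup injected into a profile field.
const constructedPayload =
  '<iframe src="https://example.invalid/collector"></iframe><script>alert(1)</script>';
console.log(renderProfileField('About me', constructedPayload));
console.log(sessionCookieHeader('session', 'constructed-opaque-token'));
```

Escaping on output is the fix for the rendering side; the cookie attributes limit the damage if an injection is missed, since an HttpOnly cookie is simply invisible to `document.cookie`.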

MySpace apparently had knowledge about the talk and almost immediately sent a Terms of Service violation notice via email and deleted Deacon’s MySpace profile page.  “There was probably a MySpace rep in the crowd and I think he called into headquarters.  By the time I got back to my room my account was deleted,” the 21-year-old Deacon told us, adding that it all happened within approximately five minutes.

According to Deacon, the email was generic, almost like a form letter that addressed having pornography or copyrighted music on a MySpace page.  Hacking was not mentioned in the email, Deacon said.

“Cross-site scripting attacks are really easy,” Deacon noted. He told us that the vulnerabilities have been known for months and that it only took five to ten hours of research to craft a workable attack on MySpace.

Deacon stressed that his cross-site scripting attack is not specific to MySpace and could be done to other websites.  “Many of the Web 2.0 sites are vulnerable,” said Deacon.

MySpace apparently fixed the vulnerability a short time later, and Deacon’s attack will now redirect to a Google page.

Deacon’s MySpace page wasn’t the only high-profile page deleted over the weekend. You may remember the carnage that erupted after Michelle Madigan, the associate producer of NBC Dateline, was discovered and expelled from Defcon for secretly videotaping attendees. Coincidentally, her MySpace and LinkedIn pages were also deleted over the weekend; it is unknown if she deleted the pages herself.

Despite having his MySpace page deleted, Deacon told us that he doesn’t have any ill will towards the company. “I give them compliments for that because it shows that they can patch things quickly.  I’d love to have my page back, but I don’t blame them.”

At the end of the interview, Deacon said that he would gladly help MySpace in exchange for reinstating his profile page.  He apologizes profusely for disclosing the attack and summed everything up by saying, “Tell them I’m sorry.”