you're reading...
Source Code

Mass Social Network Ease of Use Vulnerability: Pt 4 MySpace

Disclosure of usernames has long been considered a security vulnerability of equal importance as a password. Security experts recommend avoiding the use of admin and root as usernames, and we can even see that practice taken to heart with leaks like Gawker. Administrators and users especially consider the password the only part that of the login process that is sensitive.

Hackers on the other hand know that the username is often the most difficult part of the equation to locate. As most sites now allow for you to use either a username or password to login to a site, it is a major coup when that information can be readily handed to you. Why is this information available? Well, for convenience of the user of course! User can’t remember their own email addresses anymore, blatantly violating TOS when they register multiple accounts with service providers.

While working with some social graphing code that was becoming TMTO intensive, I decided to thin the herd with some pre-processing. Why do I need to try to locate the profile that belongs to the email address, when I am not even sure the email address even has an account on the system.

private static bool hasMyspace(string search)
            webClient = new CookieAwareWebClient();
            string responseHTML = webClient.DownloadString("https://www.myspace.com");
            System.Collections.Specialized.NameValueCollection formData = new System.Collections.Specialized.NameValueCollection();
            formData["email"] = search;
            formData["tbxEmail"] = search;
            byte[] responseBytes;
            responseBytes = webClient.UploadValues("https://www.myspace.com/Modules/PageEditor/Handlers/Signup/ValidateEmail.ashx", "POST", formData);
                goto retry;
            if (responseBytes.Length < 1) goto retry;
            responseHTML = System.Text.Encoding.UTF8.GetString(responseBytes);
            if (responseHTML.Contains("Already used, try another email address"))
                return true;
            return false;

Sites with similar issues:


About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: