<3 MySpace
Jakub Wasilewski
Member #3,653
June 2003
Okay, so I read the OP and figured "what the hell, I'll see if this is something really obvious." So, I went to MySpace (for the first time in my life, I believe), created an account and started toying with my profile under Internet Explorer. Well, it took me 1 minute to find a vulnerability that allowed me to run arbitrary JavaScript under IE. Basically, the first thing I tried worked like a charm. I don't know if I found the same vulnerability as CGames (mine works only on IE, while I'm under the impression that his is cross-browser), but honestly, the thing is riddled with holes. I'm just wondering why nobody has bothered to hack it yet. I mean, there is quite a lot of cred (in some places, at least) to be earned by tampering with a site that has a zillion users. And it seems so simple it hurts. Well, perhaps people have hacked it and have been using it silently for their malicious purposes for years now. It makes me wonder though - can't MySpace afford some good programmers who could write them a less-vulnerable site? The vulnerability I exploited was the first thing I would think of when patching up XSS holes; anyone competent should've thought of it too...
---------------------------
Matthew Leverton
Supreme Loser
January 1999
MySpace is so horrible even the hackers stay away. Would you spray graffiti somewhere if you had to crawl through miles of poop?
Michael Jensen
Member #2,870
October 2002
Quote: It makes me wonder though - can't MySpace afford some good programmers who could write them a less-vulnerable site? The vulnerability I exploited was the first thing I would think of when patching up XSS holes, anyone competent should've thought of it too...

I think there is an ego thing... Also there's a lot of money to be made as a web-cam whore or advertiser... most hackers are probably making $$ with their accounts; though I've even seen some pages that come up after I look to see who friend-requested me, and it says that it's an adult profile and that I need to download and install some exe to see it, haha (it's obvious that it's just an opaque frame on top of their profile using absolute positioning that they added...). Also, I've seen profiles that have JavaScript effects like the annoying floating stars, etc., so it's obvious that it's possible. I feel left out for not being a 1337 JS hacker...
Matthew Leverton
Supreme Loser
January 1999
Do they still allow you to embed objects (QuickTime, Flash, etc.) that have JS inside them?
Michael Jensen
Member #2,870
October 2002
You can embed Flash with either the embed or the object tag (only one of the two works and I forget which one).
CGamesPlay
Member #2,559
July 2002
Jakub: Mine was really obvious to me, but getting it to work in other browsers was also obvious. I don't know if you should bother reporting it. Here's the response I got to my above message.

Quote:
Subject: MySpace - Error on Site
Hello,
That issue is currently being resolved. Please be patient.
Thank you,
MySpace.com

Yeah, the same one.
-- Ryan Patterson - <http://cgamesplay.com/>
Jakub Wasilewski
Member #3,653
June 2003
Quote: Yeah, the same one.

They probably get enough reports each day that they don't bother checking them anyway. All it takes to make ordinary people feel that their issue is being addressed is a polite mailing bot...
---------------------------
ReyBrujo
Moderator
January 2001
CGamesPlay, report that to Secunia, Security Focus or even FrSIRT; they will surely create an exploit for you.
--
Matthew Leverton
Supreme Loser
January 1999
I would write a JS virus that removes all friends and deletes all the profile info (except for the virus code). That would be cool.
Jakub Wasilewski
Member #3,653
June 2003
Quote: I would write a JS virus that removes all friends and deletes all the profile info (except for the virus code). That would be cool.

Then do that. You'll need about 5 minutes of free time to find your own private vulnerability (3 of those used for creating an account), and then an hour or so to write an exploit. No big deal.
---------------------------
Matthew Leverton
Supreme Loser
January 1999
Quote: Sorry! an unexpected error has occurred. This error has been forwarded to MySpace's technical group.

I love that one! I had to log in to get my URL. Poor Josiah Homer has no friends. But is he in your extended network? That's special! I had 7 spams in the inbox and 1 invite request from some random girl (who appeared to be legit) living in a different state. The intarwebs are so cool.
Jakub Wasilewski
Member #3,653
June 2003
Quote: Sorry! A totally expected error has occurred.

Fixed.
---------------------------
Matthew Leverton
Supreme Loser
January 1999
Woohoo, I have JS on my page. Check it out with IE... it's actually immune!

~

I have a great idea. I need to make a zombie network with the virus, such that it loads the JS code from my profile via a remote XMLHttpRequest. (That way I can have it run arbitrary code.) Wait until every MySpace profile is infected with the virus (by a harmless invisible div) and then on doomsday, unleash the payload (i.e., delete everyone's content).

Disclaimer: This is just educational. Don't try this at home. (Unless you live in Russia.)
BAF
Member #2,981
December 2002
Quote: Sorry! A totally expected error has occurred.
Fixed.

They run Windows servers, so they don't have /dev/null.
Matthew Leverton
Supreme Loser
January 1999
I love their feeble attempts at security.

eval(document.getElementById('foo').innerHTML)

gets translated to:

...document.getElementById('foo')...)

They are security experts! But wait...

window['ev' + 'al'](document.getElementById('foo')['inner' + 'HTML']);

(edit: updated for correctness)
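The filter Matthew describes, rebuilt as an added example so it can be run under Node (this is not code from the thread or from MySpace). The token list, the "..." replacement (chosen to match the output shown in the post), the function names and the stub window/document are assumptions; the second-stage "payload" in the hidden div is just the expression 6 * 7 so the run is harmless and checkable. It shows why concatenated strings walk straight through a word blacklist, and contrasts that with output encoding for a field that is supposed to be plain text.

```javascript
// Added example: a keyword-blacklist "sanitizer" of the kind described in the
// thread, the split-string bypass, and output encoding. Not MySpace's code.

// Assumed "dirty words" list, modelled on the post (eval, innerHTML, javascript).
const DIRTY_WORDS = ['eval(', '.innerHTML', 'javascript'];

// Naive filter: every listed token is blanked to "..." in a single pass.
// eval(document.getElementById('foo').innerHTML) becomes
// ...document.getElementById('foo')...) exactly as the post shows.
function blacklistFilter(input) {
  let out = input;
  for (const word of DIRTY_WORDS) {
    out = out.split(word).join('...');
  }
  return out;
}

// Simulates what happens once profile script reaches the browser: a stub
// window (exposing the real eval) and a stub document in which the hidden
// div #foo carries the second stage. Here the second stage is only "6 * 7".
function runAsBrowserWould(code) {
  const document = {
    getElementById: (id) => (id === 'foo' ? { innerHTML: '6 * 7' } : null),
  };
  const window = { eval: globalThis.eval };
  // window['ev' + 'al'] is an indirect eval of the hidden div's contents.
  return new Function('window', 'document', 'return (' + code + ')')(window, document);
}

// Output encoding for a plain-text context: the browser never sees markup,
// so there is no list of words to keep complete.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

const DIRECT = "eval(document.getElementById('foo').innerHTML)";
const SPLIT = "window['ev' + 'al'](document.getElementById('foo')['inner' + 'HTML'])";

// Runs the three cases and returns the results so they can be checked.
function demo() {
  return {
    directAfterFilter: blacklistFilter(DIRECT),          // mangled, as in the post
    splitAfterFilter: blacklistFilter(SPLIT),            // unchanged: no token matches
    splitStillRuns: runAsBrowserWould(blacklistFilter(SPLIT)), // 42: the hidden div ran
    encoded: escapeHtml('<script>' + SPLIT + '</script>'),    // inert text
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The caveat for a site like MySpace is that profiles were meant to carry user-supplied HTML and CSS, so escaping everything is not an option there. For that context the fix is still not a longer word list: the markup has to be parsed and reduced to an allowlist of known-safe elements and attributes, with URL-bearing attributes (src, href, style backgrounds) restricted to known-safe schemes, because any filter that works on the raw string can be sidestepped by exactly the kind of string assembly shown above.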
Jonatan Hedborg
Member #4,886
July 2004
Matthew: Awesome. It's like an untapped vein of hacking goodness.
BAF
Member #2,981
December 2002
How do you inject the JavaScript itself? Doesn't it filter <script> tags?
Matthew Leverton
Supreme Loser
January 1999
http://www.myspace.com/55864621

Try that out. Works instantly in IE. FF and Opera require you to click the link and hit back (YMMV). It's safe. I promise.

[screenshot]
BAF
Member #2,981
December 2002
I had to try to load that page several times. I kept getting this:

[screenshot]
Matthew Leverton
Supreme Loser
January 1999
That's just standard MySpace procedure. I'm starting to get sick from just thinking about how so many people use MySpace despite how crappy it is.
BAF
Member #2,981
December 2002
I don't think it really reports the error. Notice the URL. Refresh the page. There is no post data, there is no error data to report. You can paste that URL into a new browser session and get the same 'reported the error' message. I'm surprised that MySpace is as horribly coded as it is. I knew it was bad, but I didn't know how bad until I looked at the source. The horrid HTML, nested tables, and messiness of it all makes me want to gouge my eyes out.
Matthew Leverton
Supreme Loser
January 1999
I'd love to see the list of dirty words, like innerHTML, eval, and javascript. God forbid you actually want to say one of those words in plain text.
BAF
Member #2,981
December 2002
I think MySpace was the product of a bunch of monkeys locked in a room. Eventually, given enough monkeys and time, they will reproduce Shakespeare. If they could reproduce Shakespeare, it couldn't take very long at all for those monkeys to produce MySpace.
Bruce Perry
Member #270
April 2000
BAF, the error would most likely not be client-side. The server would encounter an error, log it, and reply with a 302 browser redirect. There would be no POST data.
Myspace is addictive --
BAF
Member #2,981
December 2002
![]() |
Well, if it were RFC compliant, it would give that error page with a 500 reply, and not redirect at all.