Not everything on MySpace, however, was completely customizable. Users could only upload 12 photos, for example. Was there a way around that? Kamkar started hacking around, trying to see if he could trick MySpace into doing stuff the site wasn't supposed to let users do. He soon found a way and uploaded 13 photos. Users also had only a few choices when it came to the "relationship" field.
There was a dropdown menu with standard options: married, single, in a relationship, and a few more. Kamkar, who at the time had a girlfriend, wanted to be able to select "in a hot relationship."
For the following week, Kamkar worked on a script that would be invisible to any other user, and would force everyone who visited his profile to add him as a friend. The script would also add a line to the person's profile, under the "my heroes" category: "but most of all, Samy is my hero." No big deal. The next morning, he woke up and had friend requests. That's when he "freaked out" because the worm was spreading faster than he thought. One hour later, the requests doubled, and then kept increasing exponentially.
At that point, Kamkar says he emailed MySpace anonymously, alerting them of the worm, and a way to stop it, but he never heard back, and still today, he has "no idea" if anyone actually saw that email.
"People are messaging me saying they've reported me for 'hacking' them due to my name being in their 'heroes' list," Kamkar wrote in a blog post he published that night, recounting what had happened. I rule. A few hours later, Kamkar went for a burrito at Chipotle and then went home to check his MySpace profile again.
At that point he had almost a million friend requests. The number climbed up to over a million, just a few minutes before MySpace went down. The company had to take the site offline to figure out what was going on and purge the worm. "I felt really bad," Kamkar tells me. But there was nothing he could have done at that point: once he released the worm it was already too late, given that it spread all by itself.
After around two hours the site went back up. His profile had been deleted. Kunal Anand, who became director of security at Myspace a couple of months after the incident, says that at the time the Samy worm hit, the company had "almost no security team," and "had no idea what to do."
No one had seen anything like Samy's worm. It was a "watershed moment for the industry," Anand tells me. Jeremiah Grossman, a web security expert and founder of the firm WhiteHat Security, says the Samy worm was "one of those moments that every expert in the industry was waiting for." Kamkar's worm, despite its quick spread, was ultimately harmless: all it did was get him friends and add a few words to the infected people's profiles. But if Kamkar had been a criminal, or someone with more devious intentions, he could have taken over their accounts.
As Grossman puts it, Kamkar "had the ability to do whatever he wanted." The technique that the young hacker used is known as a cross site scripting attack, often abbreviated as XSS, where an attacker injects malicious code into a website, tricking the site and the user's browser into executing the code.
People who knew about web security were aware that it was possible to attack most sites the way Kamkar did, according to Grossman, but no one had taken the threat seriously until the Samy worm. "We knew every site had it, but no one had really demonstrated what you could do with it," Grossman tells me over the phone. At the time of the Samy worm, 80 to 90 percent of websites were vulnerable to similar attacks, according to Grossman. Ten years later, only 47 percent of websites are likely to have the same vulnerabilities, according to data gathered by WhiteHat Security in Without the attention that Kamkar's worm got, perhaps it would still be a more widespread issue.
In the years to come, websites and browsers beefed up their security against cross site scripting attacks, but there were still some notable attacks. In , for example, several Yahoo users' email accounts were hijacked thanks to a similar vulnerability. And last year, hackers found an XSS bug in Tweetdeck that allowed them to force annoying popups. Earlier this year, thanks to an XSS vulnerability, it was possible to take over a WordPress blog with a single comment.
Comes with both GUI interface as well as Command-line version. Recover password of any length and complexity.
Automatically discovers all supported applications and recovers all the stored passwords. MyspacePasswordDecryptor comes with an installer so that you can install it locally on your system for regular usage. It has an intuitive setup wizard which guides you through a series of steps to complete the installation. At any point of time, you can uninstall the product using the Uninstaller located at following location by default.
Here are the brief usage details. By default passwords are not shown for security reasons, as they are sensitive data. However, you can click on the 'Show Password' button at the bottom to view these passwords. By default, or if no extension is specified, it uses the TEXT mode. For more examples refer to Screenshot 2 below.
Screenshot 1: Myspace Password Decryptor is showing the recovered Myspace account passwords for popular applications. Screenshot 2: Command line usage of MyspacePasswordDecryptor showing various examples. Version 5. Also added new Windows installer. Mega release with support for recovering Myspace passwords on new Windows 10 version. Also support for new Firefox login file 'logins. Enhanced Installer for dynamic downloading of latest version.