The Center for Education and Research in Information Assurance and Security (CERIAS)


The biggest mistake of Myspace


Myspace, the super-popular web site that your kid uses and you don’t, was once again hit by a worm, this time utilizing Macromedia Flash as its primary vector.  This was a reminder for me of just how badly Myspace has screwed up when it comes to input filtering:

  • They use a “blacklist” approach, disallowing customized markup that they know could be an issue.  How confident are you that they covered all their bases, and could anticipate future problems?  I don’t trust my own code that much, let alone theirs.
  • They allow embed HTML tags.  That means letting folks embed arbitrary content that utilizes plugins, like… Flash. While Myspace filters Javascript, they seem to have forgotten that Flash has Javascript interaction and DOM manipulation capabilities.  If you’re a Myspace user, you may have noticed Javascript alert()-style pop-up windows appearing on some profiles—those are generated by embedding an offsite Flash program into a profile, which then generates Javascript code.

Even if they can plug these holes, it’s unlikely that anything short of a full rewrite/refactorization of their profile customization system can ever be considered moderately secure.

So will Myspace get their act together and modify their input filtering approaches? Very unlikely.  A large portion of Myspace’s appeal relies upon the customization techniques that allow users to decorate their pages with all manner of obnoxious flashing, glittery animations and videos.  Millions of users use cobbled-together hacks to twist their profiles into something fancier than the default, and a substantial cottage industry has sprung up around the subject.  Doing proper input filtering means undoing much of that.

Even if relatively secure equivalent techniques are offered, Myspace would certainly find themselves with a disgruntled user base that’s more likely to bail to a competitor.  That’s an incredibly risky move in the social networking market, and will likely lead Myspace to continue plugging holes rather than building a dam that works.

This is why you can’t design web applications with security as an afterthought.  Myspace has, and I think it will prove to be their biggest mistake.
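To make the two filtering approaches from the list above concrete, here is an added illustration (not Myspace's code, nor CERIAS's): a small profile-markup filter with a "blacklist" policy that strips only script/style, and an "allowlist" policy that keeps only known tags and, for plugin content, only embeds whose host is on a short trusted list (the Livejournal-style rule mentioned in the comments). Tag lists, hosts and the sample profile are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: tags/attributes an allowlist lets through, plus the
# few hosts whose plugin content may be embedded (a Livejournal-style rule).
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
TRUSTED_EMBED_HOSTS = {"video.example"}  # placeholder host

def render(tag, attrs):
    attrs = ['%s="%s"' % (k, escape(v or "", quote=True)) for k, v in attrs]
    return "<" + " ".join([tag] + attrs) + ">"

class ProfileFilter(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.skip = policy, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # both policies drop script bodies
            self.skip += 1
        elif self.policy == "blacklist":
            self.out.append(render(tag, attrs))  # an <embed> of anything passes
        elif tag in ("embed", "object"):
            src = dict(attrs).get("src") or ""
            if urlparse(src).hostname in TRUSTED_EMBED_HOSTS:
                self.out.append(render(tag, [("src", src)]))
        elif tag in ALLOWED_TAGS:
            keep = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                    and not (v or "").strip().lower().startswith("javascript:")]
            self.out.append(render(tag, keep))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif self.policy == "blacklist" or tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(markup, policy):
    f = ProfileFilter(policy)
    f.feed(markup); f.close()
    return "".join(f.out)

# Constructed profile snippet: styling, a script, an untrusted and a trusted embed.
PROFILE = ('<b>hi</b><script>alert(1)</script><embed src="http://untrusted.example/x.swf">'
           '<embed src="http://video.example/clip.swf"><a href="javascript:alert(1)">x</a>')
```

Running `sanitize(PROFILE, "blacklist")` keeps both embeds and the javascript: link, since the blacklist only knows about script; `sanitize(PROFILE, "allowlist")` keeps the bold text, the trusted embed and a bare link.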


Posted by Myspace State » Archives » The biggest
on Sunday, July 23, 2006 at 08:38 PM

[...] Original post by Ed Finkler and software by Elliott Back [...]

Posted by My Hot or Not
on Monday, August 21, 2006 at 06:26 PM

MySpace is only the first of many sites that will be hit by similar attacks. MySpace has a few other holes which can be combined to unleash yet another worm similar to the previous ones.

Posted by The biggest mistake of Myspace of Myspace Html Cod
on Saturday, September 23, 2006 at 07:53 AM

[...] Original post by unknown for Myspace News The biggest mistake of Myspace [...]

Posted by ady
on Friday, March 23, 2007 at 02:34 AM

When you say that allowing flash is a big mistake on part of myspace, you are discounting the fact that macromedia flash animations are a part of daily life for 99% of the internet users. We must understand that it is people with bad intentions who harm rather than technologies.

Posted by Ed Finkler
on Friday, March 23, 2007 at 03:54 AM

Actually, the problem is not Flash inherently, but allowing *arbitrary* embedding of plugin content.  Compare Myspace’s approach with that of Livejournal, which only allows video embedding from a handful of trusted sites.

And actually, given a world where people with bad intentions *always* exist, insecure technologies and those who make them certainly are harmful.
