When writing about the stalkertrack myspace tracker scam I didn’t speak about the service in itself, as users are promised access to it, but will never ever receive it from stalkertrack.com. But the whole issue of profile trackers at Myspace is indeed interesting and worth an extra post. At the Washington Post Security Fix Brian Krebs covered that a few months ago, but only gave a vague idea about the technical details and possibilities on myspace.
There are two different kind of myspace tracking services out there. Those who go with the Myspace TOS and those who don’t. The legitimate services (like profilesnitch.com) can only show the data that every homepage owner can gather from his visitors: the visitors location (via ip), time, operating system, etc. The latter ones can show you the profile nickname, picture and even the registered email address of every myspace user visiting your profile on top! This surely is a serious privacy leakage that myspace needs to fix permanently. The illegitimate services are only stopped from working, as Myspace manually deactivates them, as their hide-and-seek continues. Using custom hosted scripts (available via ebay (1, 2) and other scripts that are not publicly sold like “Project Tenyer” the script used by stalkertrack.com, you can circumvent this limitation and host the scripts yourself.
As long as all authentication cookies and user-maintenanced pages are hosted on the same domain it is very hard if not impossible to fight trackers and other cross-site-scripting attacks on myspace. There’s a good reason why intelligent companies like Google keep it’s users homepages out of reach of the google.com domain, but gives them googlepages.com URLs and social networks like flickr disallow any kind of active user-content to be included into user pages. It is now Myspace’s task to restructure it’s architecture to a safe environment for all surfers. This plus the fact that Myspace saves a unneccessary high amount of data in it’s cookies make such trackers so easy to realize.