Myspace profile trackers – not only a privacy leakage!

When writing about the stalkertrack myspace tracker scam I didn’t speak about the service in itself, as users are promised access to it, but will never ever receive it from stalkertrack.com. But the whole issue of profile trackers at Myspace is indeed interesting and worth an extra post. At the Washington Post Security Fix Brian Krebs covered that a few months ago, but only gave a vague idea about the technical details and possibilities on myspace.

There are two different kind of myspace tracking services out there. Those who go with the Myspace TOS and those who don’t. The legitimate services (like profilesnitch.com) can only show the data that every homepage owner can gather from his visitors: the visitors location (via ip), time, operating system, etc. The latter ones can show you the profile nickname, picture and even the registered email address of every myspace user visiting your profile on top! This surely is a serious privacy leakage that myspace needs to fix permanently. The illegitimate services are only stopped from working, as Myspace manually deactivates them, as their hide-and-seek continues. Using custom hosted scripts (available via ebay (1, 2) and other scripts that are not publicly sold like “Project Tenyer” the script used by stalkertrack.com, you can circumvent this limitation and host the scripts yourself.
These javascripts read the email address and all Myspace IDs the user was ever logged in on the same PC and grabs the profile picture, name, and URL from home.myspace.com/index.cfm?fuseaction=user (which is where the myspace user’s main panel is) where they can edit their profile, etc. The information contained in the cookie alone is sufficient that the tracker user can get the full user privileges for for the length of the active session (that lasts 6 hours). He is only stopped from changing email address or password by myspace security routines.

As long as all authentication cookies and user-maintenanced pages are hosted on the same domain it is very hard if not impossible to fight trackers and other cross-site-scripting attacks on myspace. There’s a good reason why intelligent companies like Google keep it’s users homepages out of reach of the google.com domain, but gives them googlepages.com URLs and social networks like flickr disallow any kind of active user-content to be included into user pages. It is now Myspace’s task to restructure it’s architecture to a safe environment for all surfers. This plus the fact that Myspace saves a unneccessary high amount of data in it’s cookies make such trackers so easy to realize.

39 Responses to “Myspace profile trackers – not only a privacy leakage!

Leave a Reply

Your email address will not be published. Required fields are marked *