Tuesday, January 30, 2007

MySpace doesn't understand browsers (RCSR info)

You know what I hate? Advisories without enough info to verify a bug or PoC code. For example: http://www.info-svc.com/news/01-29-2007/myspace/ provides no information to anyone about what the nature of the issue is, or anything, it just says there is an issue, and of course once they do disclose something there is no proof that they did actually find something. And even more than that; I honestly don't care about people declaring that they've found security issues without giving specifics.

Anyway, I thought I'd go have a look myself, and here is a little snippet which works in both IE and Firefox;

<input type_="password" type=`password`>

Whether this is what Chapin Information Services found is unclear since they didn't release anything, but what is clear is that MySpace clearly understand the Non-Digit-Non-Alpha issue extends to all attributes, nor do they seem to understand that IE also allows grave accents (`) to be used instead of (single or double) quotes.

I really don't understand how many times they need to fix these issues before they begin to understand them.


Kishor said...

If you have not already looked at this,

I could get a feel of what the issue is, by looking at this link.

kuza55 said...

Oh no, I understand what the issue is, what I was talking about is the fact that MySpace had 'fixed' the issue last year, and now blocks type=password type='password' and type="password" and so people who had examined the filter had thought the issue fixed.

Yesterday they published this article: http://www.info-svc.com/news/01-29-2007/myspace/ saying that MySpace hadn't completely fixed the issue, but they didn't provide any details about what MySpace was not blocking.

And so it was not possible to actually verify the existence of the holes they were talking about, other than by finding them myself. And even if it only took me 2 minutes to verify it wasn't fixed, it could probably take other people a bit longer, and hence wastes everyone's time.

Kishor said...

Ok. Now I understand what you are saying.

But isn't it better not to disclose it until they completely fix it?

kuza55 said...

Probably, but it still annoys me.

I just think its a completely useless piece of news because other than generating hype/paranoia which doesn't really help anything, it discloses no information, it gives users no recomendations (such as turning off or disabling or removing passwords from the password manager), and provides other people who may have thought MySpace's fix adequate with no example attack/defence so that they can improve their own code.

But then again, I think that if vendors screw up and write insecure software (and yes it is a screw up on the vendor's part), then that's their fault, and they don't deserve special any special treatment in being told about vulnerabilities.