QUOTE
A new hacker research project could put businesses that use social-networking sites to advertise their products and services at risk. Continuing the "month of bugs" trend that has plagued the likes of Microsoft and Apple, two hackers calling themselves Mondo Armando and Müstaschio have launched a month of MySpace bugs project that aims to disclose vulnerabilities in the News Corp. property each day during the month of April.
"The purpose of the exercise is not so much to expose MySpace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular Web sites populated by users of various levels of sophistication," the hackers wrote on the project's blog.
Inciting a Riot?
The project is officially dubbed "Month of MySpace Bugs, Yuss!" (MOMBY) and is calling for MySpace users to send in info on unfixed bugs they reported to site administrators. The project could have just as easily targeted Google, Yahoo, or MSN, the hackers added, but the duo decided it would be more fun to reveal flaws in the most popular online social-networking site.
Armando and Müstaschio are also calling for fellow hackers to share proof of concepts that can be clearly demonstrated using a dummy MySpace account. The duo is offering to give credit where credit is due to folks who contribute to their project.
"While heap overflows and format strings and integer wraps are great and everything, we don't intend to have too many 'real' bugs," the duo wrote. That might be of some comfort to News Corp., which could not immediately be reached for comment on the announcement. The MOMBY blog indicated that browser bugs, Flash bugs, QuickTime bugs, or other third-party bugs are prime candidates for publication.
"If MOMBY ends up being just as lame as the Month of Apple Bugs, then we haven't really missed the mark," the duo wrote. "If it's funnier, then great. If it kills this Month of Whatever fad, then hurray for everyone, it's over."
Escalating Trend
Analysts, however, do not expect MOMBY to kill the trend. Security expert HD Moore is largely credited with bringing notoriety to the month of bugs concept with his Month of Browser Bugs that revealed a browser flaw each day in July 2006. Others followed, including the Month of Kernel Bugs and the Month of PHP Bugs.
"The press garnered from month of bugs projects is substantial, and as we saw in the Month of Apple Bugs, targets can be very responsive to fixing bugs," said Fred Doyle, an analyst at VeriSign's iDefense. "We can expect the month of bugs trend to continue and even escalate to a degree."
Doyle said he doesn't expect widespread fallout from the bugs. However, he added, there is no reason why we couldn't see a repeat performance of the attention last year's MySpace worm generated in security circles. The sheer number of MySpace users almost guarantees some level of impact, he said.
He also pointed out that businesses are not immune. "Businesses are increasingly getting on MySpace to sell their products," Doyle noted. "To the degree that businesses interact with MySpace, it would represent a threat to businesses as well. A lot of it depends on what bugs they find and how quickly somebody could take advantage of those bugs."
When we asked what they expected to find with the project, the hackers responded by e-mail: "A lot of really terribly designed MySpace content, exploitable via minor-to-mildly-complicated methods."
"The purpose of the exercise is not so much to expose MySpace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular Web sites populated by users of various levels of sophistication," the hackers wrote on the project's blog.
Hahaha, I wonder what they are going to find. Could be quite scandalous if it's something huge.
