Last week, I heard rumblings of an “interesting” screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.
As you might have guessed, the screenshot involved Myspace. What’s worrying here is what the contents of the screenshot could mean, and the total and utter shambles of a response I’ve had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc - there’s always one question that keeps popping up, and it usually always draws a blank.
“Anyone got a contact for Myspace”?
Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when the following screenshot came my way, my eyes started to roll and didn’t stop for three whole days (obviously, I’ve done a bit of editing to this screenshot):
…eep. Now, I have no clue what we’re looking at here but it doesn’t sound very good given that this was supposedly popping up on various underground forums.
“Domain Account Administrator, Myspace”
“CSR-Tools”
“Account: Retail”
“Billing Information”.
These are just some of the items contained in the screenshot. Besides that, there’s a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.
Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.
I tried again this week, and this is what I sent them:
hello, my name is chris boyd, director of malware research for facetime security labs. This is the second time I have sent this through, with no reply so far. A few days ago, someone pointed me in the direction of a screenshot a few people had heard about (screenie URL goes here). The screenshot appears to indicate your main CSR account tools system was compromised in some way - can you confirm what has happened here? I will be writing about this later on today on my blog and would prefer to have the full details as to the extent of what has (or has not!) happened here. Thanks, Chris
Can you guess what I got back?
Hello, Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs. Q: What is a blog? A: A ‘blog’ is an online journal. Blog is short for Weblog. In recent years, ‘blogging’ or posting an online journal has become very popular.
…..yes, thanks for the handy blogging tips. Auto-reply ftl.
I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):
Hello,
Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it’s a significant problem, we’re probably already aware of it and are currently working to resolve it. Please be patient.
……wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn’t really solve anything, does it?
I’ve resent yet again with a little note asking if anyone there actually bothers to read anything they’re sent, but I’m not getting my hopes up. I’d like to think the above screenshot doesn’t represent anything serious, but would someone bother posting something like that to websites if they didn’t think it was a big deal in the first place? I mean, call me paranoid, but I’m not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?
Little help, Myspace?
/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it’s the best one yet:
I sent Myspace this:
“Is anyone there actually reading what I’m sending you? I’m telling you that you appear to have been compromised, potentially quite badly. And you’re sending me another reply that doesn’t help and tells me to “try to access the page again in a minute or so”?! I guess that would be useful if I was the one doing the compromising, but this isn’t really much use to me, is it?
“Let me repost my message for a third time”
This is what I got back:
“Hello,
We do not offer that option as it is not available within MySpace.”
….I think my brain hurts.