Is your API exposed or are you just happy to see me?

Here’s something we knew ever since we implemented DLL Fuzzing in beSTORM: when you give direct API access you are likely to expose some serious weaknesses.

Those weaknesses can lead to Paris Hilton being exposed, if you know what I mean. Actually, I mean that literally: a myspace API given to Yahoo! exposes the private profiles of Paris Hilton and Lindsay Lohan. Some people will consider that a better find than overwriting the EIP.
Here’s the howto, courtesy of Byron Ng:

1. you’ll need a Yahoo account. go to www.yahoomail.com and create a yahoo account if you don’t have one already. and you will need to go to www.myspace.com to sign up for a myspace account first, if you don’t have one already.

2.go to http://beta.m.yahoo.com/w/gallery/widget click on the ‘mail’ button under “sign in to yahoo!”

3. click on ‘click here to sign in’

4. enter your yahoo id, yahoo password

5. then on the top of the screen in the white box, enter: myspace then click Search Widgets Gallery

6. you will see a green box in the middle with the word ‘myspace’ in there.

7. click the green myspace.

8. see in the middle of the screen it says “add it” – click that.

9. click yes when it asks you about sharing info

10. go here http://beta.m.yahoo.com/w/gallery/widget

11. enter myspace into the box. click search widgets gallery

12. click on the green myspace. now, since you have already set it up in the previous steps, it won’t ask you to download again

13. click on ‘go to widget’ (that’s right below the ‘already added it” text

14. now sign in to myspace

15. now take the URL I asked you to save above before step 1: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and click on it. it may ask you to sign into yahoo or my space. sign in as appropriate. now you should be able to see the person’s pictures. if you can only see your own profile, then click on it again http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 then it will work.

The moral of the story: Check you API, and check it well. If you don’t, others will…

Share
  • Alicia

    I can’t access this site….Help me

  • http://www.aolgang.com Smokey

    sorry but i believed it has been patched. i mean how long did u think it would stay open it was a simple programing flaw. which went public & im sure the media got wind of it due to paris & lohan being involved. Thanks for sharing this great example, good to use for future refrence in exploits.