View Full Version : Session Hijacking Theory



Moonbat
11-06-2007, 08:53 PM
I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.

Okay, suppose you have a social networking site called http://www.friends.com. Now suppose this site, when you login, stores your PHP session ID as a get variable, i.e.

http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
Now, (yes, another hypothetical) suppose I posted a link on my profile to my external site http://www.mysitezor.com. When the other users of the site click it they will be taken to my site. I will have a nice little log file showing referrer information. So, later, shouldn't I be able to go to my log file and see their referrer information, right? It should look like this (pseudo).

IP - 6*.***.66.***
Hostname - <insert random hostname here>
Referrer - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0

Since the SESSID was stored as a GET var, it shows up, right? So shouldn't I be able to login to my Friends.com account and change my cookie's SESSID value to the one that I got from the referrer information, thereby hijacking the victim's session?

Just a theory, feedback would be nice.
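The leak described in this post (a session id carried in the URL turning up in a third party's Referer log) is also something a site operator can detect in their own logs. The following is an added example, not code from the thread: it scans constructed combined-format access log lines for Referer URLs carrying session-token-like parameters (SESSID, PHPSESSID, ;jsessionid=... in the path) and redacts the token values so the log itself does not become a store of usable session ids. All log lines, hostnames and token values below are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2007:20:53:10 +0000] "GET /index.html HTTP/1.1" 200 512 "http://www.friends.com/profile.php?SESSID=aaaea00fa1bc00ddf6cedb17b1cb0" "Mozilla/5.0"
203.0.113.8 - - [06/Nov/2007:20:54:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://www.friends.com/profile.php?id=42" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2007:20:55:22 +0000] "GET /about.html HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Nov/2007:20:56:03 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.net/home;jsessionid=ABC123DEF456GHI789" "Mozilla/5.0"
"""

# Fields of the combined log format: client ip, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query-parameter names commonly used to carry a session token (assumed list, extend as needed).
SESSION_PARAMS = {"sessid", "phpsessid", "sid", "session", "sessionid", "jsessionid", "token"}
# Path-embedded tokens such as "/home;jsessionid=..." used by Java servlet containers.
PATH_TOKEN_RE = re.compile(r";(jsessionid)=([^;/?]+)", re.IGNORECASE)


def find_leaked_sessions(log_text):
    """Return (client_ip, referrer_host, param_name) for every request whose
    Referer URL carries a session-token-like parameter, in query or path."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or m["ref"] == "-":          # unparsable line or no referrer sent
            continue
        parts = urlsplit(m["ref"])
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAMS:
                hits.append((m["ip"], parts.hostname, name))
        for pm in PATH_TOKEN_RE.finditer(parts.path):
            hits.append((m["ip"], parts.hostname, pm.group(1)))
    return hits


def redact_referrer(url):
    """Replace the value of any session-token parameter with 'REDACTED' so the
    referrer can be kept for analytics without storing a usable token."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = PATH_TOKEN_RE.sub(lambda pm: ";%s=REDACTED" % pm.group(1), parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    for ip, host, param in find_leaked_sessions(SAMPLE_LOG):
        print("client %s arrived with a %s token from %s in its Referer" % (ip, param, host))
```

Running it over SAMPLE_LOG flags the first and fourth lines only; the same parameter list drives both detection and redaction, so the two stay in step.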

Noodles
11-07-2007, 04:41 AM
Did you try it, Moonbat? Supposing alone won't get you anywhere. Try it and tell us :D

Ezekiel
11-07-2007, 01:39 PM
Websites mostly use cookies to authenticate users, and PHP sessions simply to ***** users' actions on the site regardless of their login status.

Of course all sites are different, but it would be very dangerous to use PHP sessions as a basis for authentication when the referrer can be logged by any site they click a link to, thus compromising their account.

You'd need a user's cookie(s) to hijack their account, as far as I've seen.

By the way, I moved this to Internet Privacy.

Moonbat
11-07-2007, 07:05 PM
I have yet to find any site that is vulnerable to this sort of attack, so until further notice this theory is busted. :(

Noodles
11-07-2007, 11:50 PM
I thought you pro guys, like, make websites for experimentation. :confused:

Nobody will care if you deface / hack your own website... I guess.

Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website? :)

Ezekiel
11-08-2007, 03:22 PM
Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website? :)

Not difficult really, but I don't have the time at the moment for any more projects.

Moonbat
11-08-2007, 04:42 PM
I thought you pro guys, like, make websites for experimentation. :confused:

Nobody will care if you deface / hack your own website... I guess.

Make a web which is vulnerable and ..... or is it difficult to compose a vulnerable website? :)

Well, I was thinking up this theory based on the assumption that after normal user/password authentication, the server only authenticated you based on the SESSID.

I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.

Ezekiel
11-09-2007, 02:57 AM
I have some other things on my e-plate I need to start and/or finish, so this theory will have to take a backseat to them.

I'm gonna have to steal the phrase "e-plate" from you.

kthx.

Moonbat
11-09-2007, 03:01 PM
You're welcome :D

dandi10110
11-09-2007, 11:53 PM
Hi guys - I know you're probably already rolling your eyes as soon as you saw the title of this message. I was searching the internet for ways to hack a user's myspace page - when I say hack - I mean I want to see who the no-good bastard is cheating on me with. I know a tad about code - went to school for programming over 7 years ago - switched major to design (don't hate me) so I'm :eek: a little rusty. Anyway when I did a search - it brought me to you - so here I am. I read a few of your posts on the subject - did you ever figure out if it is doable?

Moonbat
11-10-2007, 09:36 AM
As of now MySpace has no security vulnerabilities that we know of.

Ezekiel
11-10-2007, 08:19 PM
Hi guys - I know you're probably already rolling your eyes as soon as you saw the title of this message.

:rolleyes:
:rolleyes:
:rolleyes:

Yeah.

Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.

Moonbat
11-10-2007, 08:39 PM
Usually, the easiest (and most effort-free) way to gain access to any web account is phishing, but this isn't really relevant to the current thread.

Is anything ever relevant to the current thread? :rolleyes:

Ezekiel
11-12-2007, 04:24 AM
Is anything ever relevant to the current thread? :rolleyes:

Not usually, but we allow thread-hijackings if they turn a boring thread into an interesting one.

Otherwise, we enforce the rules like the hypocrites we are.

dandi10110
11-13-2007, 09:37 PM
Pretty much a no-go. And either I did not pay attention in school or I just forgot everything I learned, because half of what you posted was over my head. :o
So I guess my next question is: I recently put spyware on my page to see who is checking my profile out - problem is it can only give me an IP address. Is there a way to somehow do a reverse look-up on an IP address to get either a name or an email address?

Moonbat
11-13-2007, 10:05 PM
Most IPs assigned by ISPs are dynamic, i.e. they will change. For privacy and manageability reasons, no records (that I know of) are kept of what IP addresses match up to who and where they live.

I'm sure the proper authorities (FBI, CIA, etc.) have some kind of leet hax that let them ***** Internet vandals so easily, but such technology has yet to fall into my hands.

Ezekiel
11-14-2007, 03:34 PM
I'm sure the proper authorities (FBI, CIA, etc.) have some kind of leet hax that let them ***** Internet vandals so easily, but such technology has yet to fall into my hands.

Yeah; it goes like this:

FBI: *Calls ISP.*
ISP: "Hello, can I help you?"
FBI: "FBI here, lol. Give me all the subscriber info of X person; identified by their IP address (xxx.xxx.xxx.xxx) being used at hh:mm:ss dd/mm/yy."
ISP: "Sure; you absolutely don't need a warrant for things like this. Their address is..."
FBI: "Thanks."
ISP: *Hangs up.*

Moonbat
11-14-2007, 07:05 PM
I'm gonna try that soon :D

I dunno if my ISP is insecure like that, but it probably is.

Ezekiel
11-15-2007, 03:04 PM
Uh, the "you absolutely don't need a warrant for things like this" part was kind of sarcastic ;)...

Moonbat
11-15-2007, 04:37 PM
Well, it didn't work anyway, they kept asking me to meet them in person. :(

Ezekiel
11-15-2007, 06:35 PM
Well, it didn't work anyway, they kept asking me to meet them in person. :(

What, it's that simple? All they need to release subscriber info is a bullshit meeting with fake FBI-agents?

All you'd need is some fake clothing from an online-store like this, for example:

http://www.army-surplus.co.uk/

With that, you'd need a very basic fake-ID.

It's very possible -- people usually obey those in authoritative clothing.

I'm only *6, but in a couple of years I imagine I could pull this off (or ask an older person to do this for me now).

Moonbat
11-15-2007, 07:59 PM
What, it's that simple? All they need to release subscriber info is a bullshit meeting with fake FBI-agents?

All you'd need is some fake clothing from an online-store like this, for example:

http://www.army-surplus.co.uk/

With that, you'd need a very basic fake-ID.

It's very possible -- people usually obey those in authoritative clothing.

I'm only *6, but in a couple of years I imagine I could pull this off (or ask an older person to do this for me now).

I doubt it'd be that simple. After them saying the whole "let's meet in person" thing, I just said some stuff about having to get authorization from my supervisors to meet with them.

I'm sure though, that they would ask me to give documents and crap, which I can't fake, because I don't know what they look like :p

Ezekiel
11-16-2007, 02:32 PM
I doubt it'd be that simple. After them saying the whole "let's meet in person" thing, I just said some stuff about having to get authorization from my supervisors to meet with them.

I'm sure though, that they would ask me to give documents and crap, which I can't fake, because I don't know what they look like :p

Hmm...

I'm not sure on this, but I think when dressed in authoritative clothing and when dealing with corporate-robots, it is definitely a possibility.

Moonbat
11-16-2007, 04:19 PM
Never underestimate the power of human curiosity. They will poke and pry until all of their internal security checks are met. Only then will they spill the beans.

Oftentimes with senior citizens, taking the authoritative approach makes them apprehensive and can ruin a SE opportunity.