[Full-disclosure] MySpace - Stupid user security advice that they do not follow
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] MySpace - Stupid user security advice that they do not follow
- From: Dan B <dan-fd@xxxxxxxxx>
- Date: Sat, 24 Jun 2006 13:57:41 +0200
Hi,
So I was just looking at myspace, hey I don't really want an account,
just needed to login to look at someone's pics. And I noticed that even
though they advise to check for 'login.myspace.com' in the address bar
they actually allow login via other subdomains... www1. is the only one
I noticed. But come on guys if you advise your users to check for a
certain url, then also have a login form on a different url then what is
the fscking point of the advice! I know it's still a subdomain of
myspace.com but it's not the one you are referring to, gets the user used
to not checking the url 'cause it ain't correct in the first place!
I've attached a jpg illustrating.
Cheers,
DanBUK.
![JPEG image](jpgxjM78WSHi3.jpg)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/