Class Activity – Top Hacker Shows Us How It is Done

Objectives

Understand vulnerabilities of wireless and other common technologies

Part 1: View the TEDx Video “Top Hacker Shows Us How It’s Done; Pablos Holman at TEDxMidwests”

Part 2: Answer the following questions

Background / Scenario

Nearly every “secure” system that is used today can be vulnerable to some type of cyberattack.

Required Resources

  • PC or mobile device with internet access

Instructions

View the TEDx Video “Top Hacker Shows Us How It’s Done; Pablos Holman at TEDxMidwests”

    1. Locate the video on the internet and watch it.
    2. Choose one of the hacks discussed by Mr. Holman in the video and use your favorite search engine to conduct some additional research on the hack.
    3. For the hack chosen in Step 1b, answer the questions below. Be prepared to share your work in a full class discussion.

Answer the following questions.

Questions:

    1. What is the vulnerability being exploited? The vulnerability exploited in the “Samy is my hero” hack was a Cross-Site Scripting (XSS) vulnerability in MySpace. XSS vulnerabilities allow attackers to inject malicious scripts into web pages that are viewed by other users. In this case, MySpace failed to properly sanitize user inputs in its profile fields, which allowed Samy Kamkar to inject a piece of malicious JavaScript into his profile.
    2. What information, data, or control can be gained by a hacker exploiting this vulnerability? By exploiting this XSS vulnerability, Samy was able to gain control over other users’ profiles when they visited his MySpace profile. Specifically, the injected script automatically added Samy as a friend and updated their profile with the message “Samy is my hero,” causing the hack to propagate rapidly across the platform. While Samy didn’t steal sensitive data, he gained control over users’ friend lists and profile content.
    3. How is the hack performed? The hack was performed by embedding malicious JavaScript code into the user profile’s “About Me” section. When other MySpace users visited Samy’s profile, the script would automatically:
      • Add Samy as a friend to the visiting user’s profile.
      • Modify the user’s profile to display the text “Samy is my hero.”
      • Replicate the code onto the new victim’s profile, allowing the worm to spread to all users who visited infected profiles.
    • What about this particular hack interested you specifically?
      • What makes this hack particularly interesting is its simplicity and creativity. It didn’t exploit a deeply technical flaw, but rather relied on manipulating MySpace’s input fields. The self-replicating nature of the hack demonstrates how dangerous XSS vulnerabilities can be when they go unchecked, as one small vulnerability in a popular platform can lead to widespread chaos.
      • Additionally, it’s intriguing because of how non-malicious it was in terms of user data. It was more about showing off a clever exploit rather than stealing sensitive information, yet it ended up affecting over a million profiles in a short time.
    • How do you think this particular hack could be mitigated?
      • This hack could have been mitigated by proper input validation and output encoding on MySpace’s end.
      • Specifically:
        1. Sanitizing user inputs: MySpace should have filtered out or escaped JavaScript from profile input fields to prevent users from injecting code into their profiles.
        2. Implementing content security policies (CSPs): CSPs can restrict what kinds of content (scripts, images, etc.) can be loaded on a webpage, preventing malicious code execution.
        3. XSS protection mechanisms: Modern web applications often use frameworks that include XSS protections by default, ensuring that user-generated content is sanitized before it’s rendered on a webpage.
      • By applying these measures, MySpace could have significantly reduced the risk of an XSS attack and prevented the worm from spreading.