created 2025-06-06

tags:y2025design

rel: Improvement to social media Myspace Customizable Web Censorship

Design

Myspace was one of the most popular sites of the 2000s. It faced criticism and underwent a massive redesign in 2012 after the mass exodus of its original users.

The majority of Myspace users were amateurs with little HTML experience. As a result, a large proportion of pages were not valid HTML or CSS, which caused problems such as poor accessibility for screen readers.

Poorly constructed pages could freeze because of malformed CSS or embedded high-bandwidth objects such as videos, graphics and Flash. Myspace blocked code such as JavaScript from pages, but users found ways to insert it.

From the PC World article in 2006:

But let’s put all that aside for a moment. Graphically, many MySpace pages look like a teenager’s bedroom after a tornado—a swirl of clashing backgrounds, boxes stacked inside other boxes, massive photos, and sonic disturbance. Try loading a few of those pages at once and watch what happens to your CPU. Watch out for spyware, too, since it turns out that MySpace has become a popular distribution vector for drive-by downloads and other exploits. And in a place where “U are soooooooo hot!!!” passes for wit, MySpace isn’t doing much to elevate the level of social discourse.

Data Loss

The site had three major data loss events: the removal of users’ fans in 2013, the removal of user blogs, private messages and videos in June of that year, and the loss of all music uploaded before 2016. Myspace developers initially tried to fix the problem but were unable to. (It was speculated that the data was deliberately deleted for economic reasons but made to look accidental.)

Security

In October 2005 Myspace’s site design was exploited by Samy, the first self-propagating cross-site scripting (XSS) worm. The customization of user pages allows the injection of HTML, which can be crafted to form a phishing user profile while still keeping Myspace.com as the address.

Users would find bulletins on their Myspace homepage that they did not post, realizing later that they had been phished. The bulletin consists of an advertisement that provides a link to a fake login screen, tricking people into typing in their Myspace e-mail and password.

Myspace later changed the site so that all external links were redirected through its links site with a hash, and Myspace staffers could disable dangerous links. They later put up a web gate that alerted users that they were leaving the site.

On January 26, 2008, over 567,000 private Myspace user pictures were downloaded from the site by using a bug published on YouTube and put on the Piratebay torrent site for download.

Myspace Party Problems

A party hosted by Corey Worthington, a sixteen-year-old boy from Narre Warren in Melbourne, Australia, and advertised on MySpace, attracted 500 people. Police cars were attacked, and the dog squad and a helicopter were called in. The incident received international coverage. (Worthington subsequently found work as a party promoter, and appeared on the Ten Network’s Australian version of Big Brother.) The Sydney Morning Herald’s online technology writer, Asher Moses, has noted that MySpace/Facebook parties are particularly prone to gatecrashing because news of events can spread to uninvited guests via “newsfeeds.” He suspects some party hosts are oblivious to the actual number of people who get the message.

Social and Cultural

Myspace was referred to as “cybercrack”. The criticism was that it gives people access to a member’s life without giving the time needed to maintain such relationships, and that such relationships do not possess the depth of in-person relationships.

Samy

Also known as JS.Spacehero, the worm was designed to propagate across Myspace. Within 20 hours of October 4th, 2005, over one million users had run the payload.

It was mostly harmless, carrying a payload that would display the string “but most of all, samy is my hero” on the users’ profile.

Samy Kamkar, the author of the worm, was raided by the United States Secret Service and the Electronic Crimes Task Force for releasing the worm. He was sentenced to three years’ probation with only one remotely-monitored computer and no access to the internet for life (later struck off by a judge) and 90 days’ community service, and 100,000K restitution.

I’m scanning the technical document. It’s basically a lot of workarounds to find the gaps where the exploit could be run.

Myspace blocks tags. They only allow use of a, img, div and a few others. They don’t allow script or body tags; however, some browsers allow JavaScript within CSS:

<div style="background:url('javascript:alert(1)')">

They use an expression to store the JS and execute it by name because they had used up their single and double quotes.

Myspace strips out the word javascript from anywhere. To get around this they used the fact that some browsers interpret "java\nscript" as "javascript".

Myspace strips out escaped quotes, whether single or double. So they converted decimal to ASCII in JS to produce quotes.

<div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java
script:eval(document.all.mycode.expr)')">

They need the profile information from innerHTML, but this is stripped by myspace. To get around this they eval and concat.

alert(eval('document.body.inne' + 'rHTML'));

They perform a GET on the user’s profile to get a list of their heroes and append Samy. Then, with a workaround, they POST with a random hash to the location.

There were a few other complications and things to get around. This was not by any means a straight forward process, and none of this was meant to cause any damage or piss anyone off. This was in the interest of..interest. It was interesting and fun!
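The filter behaviour described above, as an added example that is not from Samy's write-up or Myspace's code: a substring blocklist of the kind the notes describe, beside a scheme allowlist that normalizes each url() target before judging it. The function names and the exact rules are assumptions; the two inputs are the style values quoted in these notes.

```javascript
// Added example, not Myspace's code: names and filter rules are assumptions.

// Blocklist as the notes describe it: delete the literal word "javascript".
function naiveFilter(html) {
  return html.replace(/javascript/gi, "");
}

const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Allowlist check for one style attribute value. Every url(...) target must
// have an http/https scheme after whitespace and control characters are
// removed, so a scheme split across lines is judged as the browser saw it.
function styleIsSafe(style) {
  const opens = (style.match(/url\(/gi) || []).length;
  const urlRe = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  let parsed = 0;
  let m;
  while ((m = urlRe.exec(style)) !== null) {
    parsed += 1;
    const target = m[2].replace(/[\u0000-\u0020\u007f]/g, "");
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(target);
    if (!scheme || !ALLOWED_SCHEMES.has(scheme[1].toLowerCase())) return false;
  }
  // Fail closed if any url( could not be parsed into a target.
  return parsed === opens;
}

// Constructed inputs: the two style values quoted in the notes.
const plain = "background:url('javascript:alert(1)')";
const split = "background:url('java\nscript:eval(document.all.mycode.expr)')";

function demo() {
  return {
    naivePlain: naiveFilter(plain),                    // the word is deleted
    naiveSplitUnchanged: naiveFilter(split) === split, // newline hides the word
    safePlain: styleIsSafe(plain),
    safeSplit: styleIsSafe(split),
    safeImage: styleIsSafe("background:url('https://example.com/bg.png')"),
  };
}

console.log(demo());
```

This covers only url() targets inside a single style value; a production sanitizer would parse the HTML and CSS with a real parser and allowlist tags, attributes and properties as well.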

Thought

There’s a comment box on Samy’s page from 2006 to current day and it’s somewhat interesting. People still comment, some looking for myspace hacks and trying to XSS into his comment.

Could you do me a super quick favor? O_O .. Can you get me a password?! XD haha.. I have something I would like to dig up on my boyfriend’s old myspace.

Honestly, looking through Myspace is one of the weirder things on the web. It’s like a husk with empty, broken spaces.

If anybody needs access to a person’s MySpace, I’m your guy.

Done it quite a few times, and I’ve honed it into a skill that I can do very quickly and efficiently.

As a poster above me said, it does require access to both accounts. That is true.