Hacking MySpace Using Common Sense

by Dexterous1

Hacking MySpace using common sense is an article I decided to write after I found out that a lot of my friends and family members are on MySpace to my dismay.

I thought I would write this article to help convince people that although MySpace may be fun for some, if you're not careful with what you display, you will wind up shooting yourself in the foot.

I don't want to sound paranoid, but one reason that you ought to be cautious is that just like in the old days of the Internet in chatrooms on AOL, etc., there can be some weirdos out there, and if there is too much information on you available, they can work up a profile on you and try to coerce enough information on you to try to make a physical visit.  This could be a pedophile or a disgruntled employee or even an ex who hasn't made peace with their past.

To me MySpace is a lot like AOL in the old days with the "hometown" websites, except without chat admins.  I just want people to be cautious and not go into something blindly, especially on the Internet.  If the local media is already carrying segments on it, than many uninformed/ignorant people are already misusing the technology.

Anyway, to the hack.  There are multiple ways to hack MySpace, namely using creative cross-site scripting, convincing people to click on things that they shouldn't, and (my favorite) using common sense.  I will cover the common sense part (which is usually the hardest, but will yield the most information).

First you should choose a mark.  A mark will be the account that you wish to take over.  We will use John Doe's account as a mark.

Second, we will need to set ourselves up with a fake MySpace account.  Create a fake email address that you have access to and create a fake profile for this account.

Be creative, like, Harry Stun, lives in Boston, Massachusetts, born on (make him in the same age range as your mark) March 22, 1976.  Hint:  If a male is your mark, create a female alias, and vice versa for females.  This will usually work better on males and may be of use later.

Now that you have created the fake MySpace account, you will be able to browse and search most of the accounts on MySpace that are not locked for viewing.  If your mark is not locked for viewing, than you are that much closer to the goal.  If they are, make damn sure that your fake MySpace account is everything your mark would be looking for in a friend, hence using the opposite sex for bait.

As a side note: If you just want to completely eliminate a person's MySpace account, a little social engineering is involved.  I will not go into this since it is covered here: www.howtoprimers.com/myspacesafetytips/safetyTip50.shtml under Email Request for Account Deletion.  Just pose as an irate parent irritated by your child who has been making a fool of themselves on the Internet.

Assuming, like most, that the mark's account is not locked, then you will need to make note of everything that you see.  Your goal at this point is to establish a profile as close as you can from their MySpace account that answers the following points:

1. Check all the messages that people leave for the person to figure out when their birthday is.
2. At the top you will see their age and where they currently reside.  If you see someone who left them a birthday message, you can use basic math to find what when they were born (i.e., if John Doe is 25 years old and "sweetnjuicy" wished him a happy birthday on June 2, then you know that he was most likely born (assuming it's 2006) in 1981, more specifically 06/02/1981).
3. At the top, remember that I mentioned where they currently reside?  Well, John Doe resides in Ithaca, New York.  Now what we need to do is find out what ZIP Codes are covered in Ithaca.  You can use any site you want, but for this exercise I will use www.zipinfo.com/search/zipcode.htm.  I see that there are five ZIP Codes to choose from: 14850-14853 and 14882.
4. Now we need their email address.  What I do is a search on Google searching all of MySpace for the person is question.  You can do [site:myspace.com +"John Doe"] or ["John Doe" email] or ["John Doe" "myspace"], etc.
5. In this example he set up a MySpace Event for a podcast three months ago with his personal email of johndoe@foobar.com.  Optionally, you can see if the person has ever posted in any forums using their real name with email address.
6. So the profile we have on John Doe is:
• Born 06/02/1981.
• Lives in Ithaca, New York, with ZIPs 14850-14853, 14882.
• Email address that was probably used to sign up with MySpace is johndoe@foobar.com.
7. The next is probably the hardest step.  Get the old pen and pad and examine in detail everything that you see in the MySpace account for John Doe.  What he does, where he goes, what his favorite color is, what his dog's name is, what his favorite sports teams are, what his favorite movie(s) are, what song he has playing on the web page, what his background for his web page is, where he grew up, where he spent most of his time, who his girlfriend/boyfriend is, what his MySpace friends say about him.  Check everything you can: pics, videos, blogs, everything.  Needless to say, this is not an exhaustive list of what to look for, but the goal is to establish such a complete profile about this person that you could've known him for years.
8. Now comes the very special part.  The regular rules apply: Don't do this, I'm not held responsible for your stupidity, yada-yada.  From what I've seen, most people have one of these email accounts: AOL Mail, Yahoo! Mail, Hotmail, Gmail.  You'll want to know what the limitations are for these accounts before they lock you out from guessing.  This really isn't the place for that and if I have time I'll write an article covering the usually unwritten security parameters that these mail services use when trying to "recover" a lost username/password.  For right now we'll use foobar.com as our ISP in this example.  By the way, you want to do this during a time where you're confident that the mark is not checking their email.  It is usually good to do this during the time that your mark is sleeping.  With that out of the way, let's start the brute forcing.
9. Log into foobar.com and there should be a place to sign into your email.  We'll want to find the link about "I Forgot My Password."  After this, sometimes you'll be asked to provide account information and answer your secret question.  This is going to be our best bet to get this done.  Go ahead and choose that selection.
10. This is where you'll make it or break it.  If you have done your homework thoroughly, you'll be able to answer the personal question correctly.
• They'll usually ask for:
• Your name.
• Your ZIP Code.
• Your email address.
• The first perimeter of security will usually let you try over and over again to guess the correct answers (so you can use your ZIP Codes through process of elimination) without locking you out.  After that first perimeter of security, you'll be asked the "Secret Question" that you've studied so hard for.  In the second perimeter you will only have a certain amount of chances to get it right before the account is locked.
11. Log into MySpace and find the spot where it says that you forgot your password.  Fill in the appropriate fields with the John Doe's email address and have the password sent to your controlled email account.
12. You now own their email and MySpace account and can do as you will.

Flip Side of Things

If you are a victim of MySpace/email hijacking, please change all of your passwords and restrict viewing of your profile on MySpace.  At the least, don't reveal so much about yourself to strangers on the Internet.

Another word of warning.

Logically speaking, if your MySpace/email account was hijacked, it was probably by someone you know.  It may be best to contact the administrators of the respective place and explain to them your situation.  If you still don't get anywhere with that and the person is still bothering you, it would be wise to begin to get the authorities involved.

Shoutz: la2600.