Tag: MySpace

Login By Username On MySpace By Emulating iPhone Login

October 31, 2009 at 8:16 PM

One day while logging onto MySpace using the iPhone app, I was curious to try using my username (it’s your vanity URL, or your Friend ID if not set), and it worked. Now I’m not sure why MySpace freaks out over being able to login by the username because Facebook intentionally allowed logging in by username earlier this month.

Since this login works on the iPhone/iPod Touch, there has to be a way to bring it to the computer in order to use this method. Since my router is pretty much a Linux server running DHCP on it, I could easily run a packet sniffer in the middle to find out how the iPhone/iPod Touch was communicating to MySpace. The packet sniffer I used was shell based and is called Justniffer.

After figuring out the packet sniffer I figured out that the iPhone app uses SOAP+XML to exchange data. Once you type in the username and password, it sends the password in clear text to MySpace in order to create a hash and salt of the password. I am not sure why they really need to do this since you already sent the password over clear text; they could just save themselves an HTTP request by doing it in the actual login process.

Update 11/5: MySpace has fixed this issue and logging in by username no longer works. The following error now occurs, “The email supplied is not registered to a valid user.”

The first step of the authentication request makes the following HTTP request:

POST /SecurityService.asmx HTTP/1.1
Host: mobileservices.myspace.com
User-Agent: MySpace/1.6 CFNetwork/459 Darwin/10.0.0d3
Content-Length: 595
Content-Type: text/xml; charset=utf-8
Authorization: OAuth realm="http://mobileservices.myspace.com/",oauth_consumer_key="1000002",oauth_token="",oauth_signature_method="HMAC-SHA1",oauth_signature="MC37B2CcYBDeJPlT%2BT1jsjCZPSM%3D",oauth_timestamp="1256437313",oauth_nonce="9EC617B6-DEB7-427A-9463-B6AE3CFD8F4A",oauth_version="1.0"
Soapaction: urn:MySpace.IntegrationServices/GetSaltAndHash
Accept: */*
Accept-Language: en-us
Cookie: SessionDDF1=2962622b49c74a011793142740791e622b72e026b3477387; SessionDDF2=22b8f3a96cb338ae3990d279b29cefa01e58e2c5118f4486
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Header>
<MySpace xmlns="urn:MySpace.IntegrationServices">
<Version>iPhone: 1.6</Version>
<DeviceID>b6aaa9591ef5811e499ee1bf04758b3533eaccd7</DeviceID>
</MySpace>
</soap12:Header>
<soap12:Body>
<GetSaltAndHash xmlns="urn:MySpace.IntegrationServices">
<request>
<TokenType>Mobile</TokenType>
<Clear>p@ssw0rd</Clear>
</request>
</GetSaltAndHash>
</soap12:Body>
</soap12:Envelope>

In this example the password simply is p@ssw0rd. Notice how there is no spot for the username in this request, all it does is create a salt and hash based on that password. I have no idea why this is necessary but knowing MySpace they obviously think it is.

This request produces the following HTTP response:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 547
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Server: 7b262264f255ce9e4eea78ee5ed43e765b933575b6ad33d5
Set-Cookie: SessionDDF1=8c39718f6f8758c74900ce98793335c96e886d8666f52130; domain=.myspace.com; path=/
Date: Sun, 01 Nov 2009 02:52:01 GMT
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetSaltAndHashResponse xmlns="urn:MySpace.IntegrationServices">
<Results>
<Status>Success</Status>
<StatusCode>Success</StatusCode>
<SecurityComponents>
<Salt>Q8NysHYF/cKqV/+RES0NdA==</Salt>
<Hash>N+HrTQhAJencbKruQ2e8/qDKhELcJDq824aoSYzl5MA=</Hash>
</SecurityComponents>
</Results>
</GetSaltAndHashResponse>
</soap:Body>
</soap:Envelope>

Now that the client has received the salt and hash, we can proceed to step two of the authentication. This step actually verifies the login information, sending the salt and hash along with the username or email. It makes the following HTTP request:

POST /SecurityService.asmx HTTP/1.1
Host: mobileservices.myspace.com
User-Agent: MySpace/1.6 CFNetwork/459 Darwin/10.0.0d3
Content-Length: 858
Content-Type: text/xml; charset=utf-8
Authorization: OAuth realm="http://mobileservices.myspace.com/",oauth_consumer_key="1000002",oauth_token="",oauth_signature_method="HMAC-SHA1",oauth_signature="L3vOxtNAADDGBRv2i16UvMoP97g%3D",oauth_timestamp="1256437314",oauth_nonce="E493D130-9496-4A17-A861-5862C657DF57",oauth_version="1.0"
Soapaction: urn:MySpace.IntegrationServices/Authenticate
Accept: */*
Accept-Language: en-us
Cookie: SessionDDF1=2962622b49c74a011793142740791e622b72e026b3477387; SessionDDF2=22b8f3a96cb338ae3990d279b29cefa01e58e2c5118f4486
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Header>
<MySpace xmlns="urn:MySpace.IntegrationServices">
<Version>iPhone: 1.6</Version>
<DeviceID>b6aaa9591ef5811e499ee1bf04758b3533eaccd7</DeviceID>
</MySpace>
</soap12:Header>
<soap12:Body>
<Authenticate xmlns="urn:MySpace.IntegrationServices">
<request>
<RequestData>
<Hash>N+HrTQhAJencbKruQ2e8/qDKhELcJDq824aoSYzl5MA=</Hash>
<CaptchaInfo>
<CaptchaLevel>Medium</CaptchaLevel>
<CaptchaGuid></CaptchaGuid>
<CaptchaImageSize>Sz120</CaptchaImageSize>
<CaptchaText></CaptchaText>
</CaptchaInfo>
<Salt>Q8NysHYF/cKqV/+RES0NdA==</Salt>
<Credential>somerandomusername</Credential>
</RequestData>
</request>
</Authenticate>
</soap12:Body>
</soap12:Envelope>

In this request we have used the hash and salt, along with the username, which is called Credential here. In this example it is somerandomusername. Once this is sent, the following HTTP response comes back:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 566
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Server: 12e0f2a61ef7e974de69e6f93fc8612bb56e8a9e86e1792c
Set-Cookie: SessionDDF1=ee28a6c308e5ab151a34f39f979df9e80737ca2a9eeb80d7; domain=.myspace.com; path=/
Date: Sun, 01 Nov 2009 02:59:28 GMT
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<AuthenticateResponse xmlns="urn:MySpace.IntegrationServices">
<AuthenticateResult>
<StatusMessage>Invalid username or password.</StatusMessage>
<Status>Error</Status>
<ErrorInfo>
<Name>InvalidCredentials</Name>
<Description>Invalid username or password.</Description>
</ErrorInfo>
</AuthenticateResult>
</AuthenticateResponse>
</soap:Body>
</soap:Envelope>

Since the password to somerandomusername is invalid, we are presented with “Invalid username or password.” I honestly do not understand why there needs to be a creation of the salt and hash before the actual authentication request is made.
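To make the exposure in the two requests above concrete, here is an added example (not the downloadable Java program and not MySpace code) that audits a captured request and lists which SOAP fields carry the password or a value that is sent in place of it. The sample captures are trimmed from the requests on this page; `audit`, `SENSITIVE` and the `tls` flag are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Element names from the two requests on this page that carry a secret or a
# value that works in place of one.
SENSITIVE = {"Clear": "cleartext password", "Hash": "password hash",
             "Salt": "password salt", "Credential": "account identifier"}
ENVELOPE = ('<?xml version="1.0" encoding="utf-8"?>\n<soap12:Envelope '
            'xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">'
            '<soap12:Body>%s</soap12:Body></soap12:Envelope>')
HEAD = ("POST /SecurityService.asmx HTTP/1.1\r\n"
        "Host: mobileservices.myspace.com\r\n"
        "Soapaction: urn:MySpace.IntegrationServices/%s\r\n\r\n")
# Sample captures: bodies trimmed from the requests shown on this page.
STEP1 = HEAD % "GetSaltAndHash" + ENVELOPE % (
    '<GetSaltAndHash xmlns="urn:MySpace.IntegrationServices"><request>'
    '<TokenType>Mobile</TokenType><Clear>p@ssw0rd</Clear>'
    '</request></GetSaltAndHash>')
STEP2 = HEAD % "Authenticate" + ENVELOPE % (
    '<Authenticate xmlns="urn:MySpace.IntegrationServices"><request>'
    '<RequestData><Hash>N+HrTQhAJencbKruQ2e8/qDKhELcJDq824aoSYzl5MA=</Hash>'
    '<Salt>Q8NysHYF/cKqV/+RES0NdA==</Salt>'
    '<Credential>somerandomusername</Credential>'
    '</RequestData></request></Authenticate>')

def parse_http_request(raw):
    """Split a captured request into (request line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def audit(raw, tls=False):
    """List credential-bearing SOAP fields in one captured request."""
    _, headers, body = parse_http_request(raw)
    if "<!DOCTYPE" in body:  # SOAP forbids DTDs; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in a SOAP message")
    action = headers.get("soapaction", "").rsplit("/", 1)[-1]
    findings = []
    for el in ET.fromstring(body.encode("utf-8")).iter():
        field = el.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
        value = (el.text or "").strip()
        if field in SENSITIVE and value:
            # Record the length only, so the report never stores the secret.
            findings.append({"action": action, "field": field,
                             "kind": SENSITIVE[field],
                             "value_len": len(value),
                             "readable_on_path": not tls})
    return findings

if __name__ == "__main__":
    for capture in (STEP1, STEP2):
        for finding in audit(capture):
            print(finding)
```

Run against the two captures, it reports `Clear` in step one and `Hash`, `Salt` and `Credential` in step two, all readable on the path because the requests went over plain HTTP.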

Now since I know how the requests are made, I’ve written a program to emulate these requests. The program was created with Eclipse using Java 1.6.

The program can be downloaded here.
The source code is included and the program may be modified and redistributed freely.
DISCLAIMER: I am not liable for ANY damages caused by this program.

Here are screenshots of the program in use:

Usage
Arguments for the program.

LoginFail
Example of a failed login.

LoginLockedOut
Example of a failed login on a locked out account. Notice in the response it says “There was an error in processing this request.”

LoginSuccess
Example of a successful login.

MySpace Denies Xbox LIVE Gamercard App Twice

September 2, 2009 at 12:36 PM

In the past I deleted this app as MySpace was never willing to transfer ownership of the app to another account, however it never did get completely deleted as the canvas page still exists but it’s in private (AppID 106649). So until now I decided to recreate the app and upgrade to OpenSocial 0.8, boy was this a big waste of time. This App’s ID was 151011.

First, it was denied for these reasons:

1. Application Description
Apps that require third party registration must clearly state so in their app descriptions.
2. Loading Issues.
The Profile Surface fails to load the content and appears blank.

Okay I’ve addressed #1 already in the app footers, but I just made it bold and clear in the first paragraph just to satisfy them. #2 only appears when they are using all invalid Gamertags or the API is down, which I addressed by making it say a message if and when this occurs. So I resubmit and wait another 48 hours.

Then, the app gets denied again for these reasons:

1. User Experience / Functionality:
Applications must contain unique content on every application surface (i.e., canvas, home and profile pages must each contain unique content and functionality). The following surfaces are not unique: Home, Profile Surfaces

Well I can’t address #1, because in the past it was this way and they didn’t complain, and I have been requested by app users to do this a long time ago. Here is what these surfaces look like from the app screenshots:

Home Profile
xblcardhome xblcard

There was only one difference between the two, and that is the Change Gamertags link. This was also to help the user find their way around, and this satisfied a lot of users before.

No, I am not going to bother posting in their forums about it, the MDP (MySpace Development Platform) team doesn’t visit it as much anymore, and most of the app denial clarifications get unanswered. Their IRC channel #myspacedev is also dead too, only about 9 users sit in while about 90 are in the #facebook channel. So thanks but no thanks MySpace, I’ll just delete the app instead which means just more bandwidth for me, not like I was getting paid to do this anyways.

MySpace Support Hell

June 8, 2009 at 5:52 PM

MySpace has no support whatsoever, what I was basically requesting was the removal of comments left by an account I deleted two (almost three) months ago. However, they don’t seem to understand the problem and do nothing.

Here’s the pointless email trip, it’s like I’m emailing a bot (I used the Report Abuse on the deleted profile, cause contacting them any other way has no effect):

From: "MySpace.com"
Reply-To: help@support.myspace.com
To: xxxxxxx@xxxxxxx.com
Subject: Re: Report Abuse - Other [ref:00D78NrS.50078tXGC:ref]

Hello,
Thank you for contacting MySpace!

After investigating the issue you described in your email, we were unable to find the content you referred to.

Please reply directly to this email leaving the subject intact with additional information. If possible, provide more details such as the location of, or a web address/link to the content in question.

For up-to-date information about MySpace page and site errors, visit and subscribe to the MySpace Help Blog www.myspace.com/myspacehelp.

To learn more about the MySpace Terms of Service, look for Terms at the bottom of any MySpace page, or copy and paste http://www.myspace.com/index.cfm?fuseaction=misc.terms into your browser’s address bar.

For answers to frequently asked questions about MySpace, select the FAQ link at the bottom of any MySpace page. Or copy and paste http://faq.myspace.com/ into your browser’s address bar.

Thank you,
MySpace.com
---------------

DO NOT DELETE:
--------------
CN:22840532:CN
LUID:005700000017GwX:LUID
LQID:00G70000001MUWT:LQID
ref:00D78NrS.50078tXGC:ref
--------------
-------------Original Message-------------
The comments from the account (Friend ID 455616001) are still appearing, especially here:

http://comment.myspace.com/index.cfm?fuseaction=user.viewComments&friendID=xxxxxxxxx&page=4&state=833!50!1!407811!382741

From: MySpace.com [mailto:help@support.myspace.com]
Sent: Wednesday, June 03, 2009 11:32 AM
To: xxxxxxx@xxxxxxx.com
Subject: Re: Report Abuse - Other [ref:00D78NrS.50078tXGC:ref]

Hello,
Thank you for bringing this profile to our attention.  We have recently experienced a technical difficulty in removing/deleting profiles within our preferred timeframe.  We are working diligently to resolve this issue, as it is our top priority to timely remove profiles in their entirety. We will continue to monitor our systems in order to improve the deletion process.

Thank you for your understanding and patience. We apologize for any inconvenience this may cause.

Thank you,
MySpace.com
---------------

DO NOT DELETE:
--------------
CN:22840532:CN
LUID:00570000000sbNQ:LUID
LQID:00G70000001MUWT:LQID
ref:00D78NrS.50078tXGC:ref
--------------
-------------Original Message-------------
Display Name: Kramer
Friend ID: 455616001

The account’s picture and comment are still appearing from this account when it has been deleted, what’s up?

From: MySpace.com [mailto:help@support.myspace.com]
Sent: Tuesday, June 02, 2009 9:42 AM
To: xxxxxxx@xxxxxxx.com
Subject: Re: Report Abuse - Other [ref:00D78NrS.50078tXGC:ref]

Hello,
Thank you for contacting MySpace Support!

Unfortunately, we need more information before we can process your request.  Please reply to this email leaving the subject intact and:

1.     State, or restate, clearly and concisely, why you are contacting MySpace Support.

2.     Include additional and specific information, including the:
Web address, URL, or links to the profile(s) you are writing about--found after http:// towards the top of your browser window in the address bar of the profile.
MySpace Friend display name.
MySpace Friend ID number.
Email address in question.
Previous email correspondence with us.
Please reply to this email leaving the subject intact.

For up-to-date information about MySpace page and site errors, visit and subscribe to the MySpace Help Blog www.myspace.com/myspacehelp.

To learn more about the MySpace Terms of Service, look for Terms at the bottom of any MySpace page, or copy and paste http://www.myspace.com/index.cfm?fuseaction=misc.terms into your browser’s address bar.

For answers to frequently asked questions about MySpace, select the FAQ link at the bottom of any MySpace page. Or copy and paste http://faq.myspace.com/ into your browser’s address bar.

Thank you,
MySpace.com
Customer Care
---------------

DO NOT DELETE:
--------------
CN:22840532:CN
LQID:00G70000001MUWT:LQID
ref:00D78NrS.50078tXGC:ref
--------------
-------------Original Message-------------
5/30/2009 10:16 AM CONTACT REQUEST FORM SUBMITTED
----
Subject: Report Abuse - Other
Body: Inappropriate Content
Link: /index.cfm?fuseaction=help.reportabuse&abusetype=profile&ProfileContentID=455616001
Account's pictures and comments are still appearing.
reportedUserId=455616001
http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=455616001
----
UserId: xxxxxxx
Name: Kramer C
Email: xxxxxxx@xxxxxxx.com
Current Password:
New Password:
New Email:
Phone:
DoB:
----
Browser Info: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Referring Page: /index.cfm?fuseaction=help.reportabuse&abusetype=profile&ProfileContentID=455616001
----
http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=xxxxxxxx

So since all that fails, I go hit up some MySpace admin I’ve known on AIM, of course he’s no help (and why do I have to go this far?!?):

Monday, June 08, 2009
Me (2:47:43 PM): Hey, how’s it going?
MySpace Admin (2:47:56 PM): sup
Me (2:48:06 PM): Nothing much, you?
MySpace Admin (2:49:06 PM): getting ready to leave MySpace
Me (2:49:26 PM): The company or just going home for the day?
MySpace Admin (2:49:52 PM): the company
Me (2:50:13 PM): Ah
Me (2:51:01 PM): Well I wanted to report that a deleted account still has their comments showing on someone else’s profile
MySpace Admin (2:51:16 PM): which one
Me (2:51:31 PM): Friend ID 455616001
Me (2:51:49 PM): The comments still show on here http://comment.myspace.com/index.cfm?fuseaction=user.viewComments&friendID=xxxxxxxxx&page=4&state=816!50!1!407811!382741
MySpace Admin (2:51:53 PM): the acct may not be deleted but in limbo
Me (2:52:06 PM): Weird
Me (2:52:24 PM): It was one of my old accounts that I deleted myself
MySpace Admin (2:52:32 PM): if you are in limbo all your comments stay live but you can’t get into the account
MySpace Admin (2:52:40 PM): ok I’ll look into it
Me (2:52:59 PM): Okay thanks

Nothing has happened to resolve this, just another reason why MySpace sucks, they can’t even get their act together.

MySpace Sucks

May 16, 2009 at 12:12 AM

I’ve said it many times, MySpace sucks, and you’ve probably seen many articles or posts about this but I am going to put in my say as well.

From a developer’s point of view, their documentation sucks. I’ve written an app before on MySpace, before I decided to pull the plug on it. Today I decided to tinker around with the old app and probably republish, but changed my mind. The documentation just totally sucks for OpenSocial 0.8, there are no examples, the current examples are for OpenSocial 0.7. What I did with the old app that was live was spend time all over the forums looking for examples; documentation for OpenSocial 0.7 wasn’t that horrible, but still bad. Facebook’s documentation is even better than MySpace’s. I also found out that development mode (or version) was completely broken cause MySpace wants to do all vanity URLs something like what Twitter does. So now if you make a change to a live app, and want to test it, you can’t.

Now for pretty much any end user’s point of view (yes, that’s you). Obviously from first glance, MySpace is pretty bloated with ads. There are ads everywhere. That’s no problem for me though, since I use AdBlock Plus to hide them all. Of course MySpace is also infested with spam, pointless drama, immaturity, etc.

Anyways, the privacy sucks. What I noticed with Profile 2.0, is that you can hide your age and location. Cool, however it’s still shown on MySpace mobile and in search, totally ruining the point of doing that. Just recently there was a new feature called Status Comments, now people can comment on each other’s status updates. Awesome, however that’s like a rip from Facebook, and it has spam issues, and they can’t be disabled.

Today, they launched MySpaceIM Web for every region, and amazingly it’s like a complete copy from Facebook. It’s like MySpace resorting to what Friendster did in the past after they beat them out.

Also, MySpace sometimes has glitches when deleting an account, such as information not completely going away, such as comments, default picture, and display name. Usually it’s supposed to delete all of this. In rare cases, deleting an account may be impossible even after confirming the email, cause it never processes. I wouldn’t recommend it but you might be stuck violating their Terms to get your account deleted, since their Customer Service sucks that bad, sometimes they never respond, and other times you just get excuses (or responses saying the exact thing you already did).

I also noticed they came out with a new URL shortening service called lnk.ms, although links can only be generated through status updates. Clearly they are copying Twitter as well, but trying to be their own by creating their own URL shortening service, and also with the lame 140 character limit they decided to copy too.

Of course then you got the Local Reviews crap that no one cares about, like why does this belong on a social networking site. If I wanted to read reviews, I’d use Google or go to a reviews site, not MySpace. Same for going to look for a job, posting an ad or hell even to watch videos.

MySpace is already losing lots of traffic, that’s why they are resorting to copying Twitter and Facebook. Facebook already exceeds MySpace on Alexa, as shown in this picture:

facebookvmyspacestats

All MySpace is trying to do is survive, but really failing at it.