Preventing MySpace Hotlinking

Or "How to force MySpace hotlinkers to Sign Out"

MySpace is a popular social networking web site which offers an interactive, user-submitted network of friends, personal profiles and blogs.

Unfortunately, millions of MySpace users seem to think it is acceptable to hotlink externally hosted images on their profile pages by using inline <img> tags. This usually results in two bad things:

Both of these issues annoy me. I am a keen photographer and have a web site containing thousands of my photos. Lots of MySpace users seem to stumble upon my photos via the Google search engine and proceed to hotlink them as inline images on their profile pages, despite the clear copyright notices associated with each image. This goes to back up my theory that MySpace users can't, like, read and stuff.

After I realised I was wasting literally gigabytes of bandwidth each month to these MySpace hotlinkers, I figured it was time to have a bit of fun with them.

Fun with mod_rewrite

Initially, I thought it would be fun to use the Apache module mod_rewrite to redirect image requests that originated from MySpace profiles. I'm sure other people have done this before, but I found it rather amusing to see "sexybabe84"'s background image replaced with something like evil-animated-slow.gif.

Of course, I could have replaced the image with something slightly more evil, like goatse, but I am not quite that nasty. I'm not sure which image is most harmful to the eye, but if you don't know what goatse is, then you are probably better off never knowing.

This is what I added to the .htaccess file in the root directory of my web server: 

# Rewrite .jpg requests that originate from MySpace.
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9]+\.)?myspace\.com/ [NC]
RewriteRule \.jpg$ images/evil-animated-slow.gif [L]

The rewrite condition checks to see if the HTTP referrer header starts with something.myspace.com. Then, if the requested filename ends with ".jpg", the file at images/evil-animated-slow.gif is returned to the client instead. Genius.

I find it mildly amusing to tail an Apache log file and discover new MySpace profiles that hotlink my images. In some cases, the hotlinked image is used as a tiled background, which makes my brain explode. The profile owner is often unaware that their profile has been 'defaced' by the rewritten image, as their browser will have cached the hotlinked image from when they first viewed it on my web site. To the profile owner, the site looks normal, whereas their visitors will be subjected to a cerebral hemorrhage.

Unfortunately, I quickly realised that this approach did not act as an effective deterrent for one simple reason:

The net result is that nobody will actually notice that the MySpace profile has been 'defaced' because visitors will be accustomed to profiles looking, well, a bit crappy. Therefore, my bandwidth will still be gobbled up by all those kewl d00ds out there on MySpace.

It was time to devise a more cunning attack vector.

Forcing MySpace users to Sign Out

While I was trying to think of a better/funnier thing to do with all these hotlinked images, it suddenly occured to me:

What if I redirect the hotlinked images to something that isn't an image?

You may ask what the point of that is. Well, for what I was thinking of, it doesn't matter if they see the image or not as long as their web browser makes a request for it.

Say, for example, I redirect the image to something like http://collect.myspace.com/index.cfm?fuseaction=signout

Accessing this page causes a MySpace user to be logged out. No confirmation is required; they are simply logged out. Pure evil was brewing in my mind now.

So, I went forth and modified my mod_rewrite rule: 

# Force MySpace image/bandwidth thieves to log themselves out :)
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9]+\.)?myspace\.com/ [NC]
RewriteRule \.jpg$ http://collect.myspace.com/index.cfm?fuseaction=signout [R]

Unfortunately, I had to set up a MySpace account to test this out. After I had got over the initial shock, I logged in and hopped along to one of the profiles that contained one of my hotlinked images...

I did not see my image appear. This was to be expected - while the rest of the page was loading, my web browser silently made its request to the inline JPEG image on my web server.

Here's where the magic kicked in: my web server detected that the image was being requested from a Myspace profile and thus returned a 302 Found response, informing my web browser that the photo was actually located at http://collect.myspace.com/index.cfm?fuseaction=signout

My web browser then requested the 'image' from http://collect.myspace.com/index.cfm?fuseaction=signout. Because this page did not actually return anything that could be interpreted as an image, it was not displayed inline by the browser. Nonetheless, the web browser made a request to this URL, which caused the MySpace server to terminate my session. When I then attempted to click on the user's photo, I was greeted with a page that said, "You Must Be Logged-In to do That!"

Success! Anyone who views a profile which contains one of my hotlinked images will be automatically logged out of MySpace. *Chortle*.

This is known as a CSRF attack. That's "Cross-site Request Forgery", which essentially means I am causing someone else to visit a URL of my choice, and it is being accessed in the context of their browser session. Because this request is made via an inline image, the victim is unlikely to notice that it has happened but will nonetheless find themself mysteriously logged out of MySpace. Anybody who hotlinks images is making themself and their visitors vulnerable to this kind of thing.

So, the moral of this tale is this:

 

Search this site

 

Copyright Paul Mutton 2001-2013
http://www.jibble.org/
Feedback welcomed
email

~
Dreamhost
Web Hosting

~
Dreamhost
Web Hosting