devz3ro.com
September 09 2010 07:34:20


Stalkertrack & how they compromise your myspace account

· devz3ro on January 29 2007 02:16:57
Journal






By Mathieu

A little information about: http://www.stalkertrack.com/

First, if you have entered your 'real myspace login info' on their page, change your password asap!

I've come across this web page that claims they can "track anybody" and it's a "Real MySpace Tracker". I decided to check it out since I was once on the profilesnoop forums writing actual tracker codes.

Well what they are advertising is in fact true - *they* can track anybody, but *you* can't, at least not anymore. The aim of this website isn't to offer a tracker anyways, it's to steal your myspace information. They trick you into giving them your information by showing you how they can track users by stealing cookies (they even tell you that much).

How come they can track users and I can't? Easy - the code they use on their profile was inserted before myspace (the piss-poor 'Cold Fusion' coder aka Tom) set up filters. These filters were set up so certain characters were rejected, mainly ' being replaced with .. to prevent any javascript execution.

O.k. so the filters are now present, why does their tracker still work? Well, since myspace doesn't want to write a script that checks every single account, (and I don't blame them, it would require a shit-load of resources with a database of over 150 million users) it will always work until the profile is edited (when the filters do their job). Myspace has become somewhat smarter & has made it so when you edit your profile every section gets passed through their new filters. This sucks for trackers because before you could hide code in one section, never edit it, and forget about it - not anymore. In this 'stalkertrack' case, once the code was inserted into the profile, it wasn't touched anymore. The profile(s) (69471042) and (125940664) need to be deleted or edited by an admin.
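
The gap described above (filters run only when a profile is edited, so content stored earlier is never re-checked) and one way to close it without scanning every account, as an added example that is not from the original post or from MySpace's code. The profile store, the `filterVersion` stamp and the escape-everything filter are assumptions made for illustration.

```javascript
// Added example: a stand-in profile store, not MySpace's code.
const CURRENT_FILTER_VERSION = 2; // assumed: bumped whenever the filter rules change

// Stand-in for the site's real filter: escape all markup. A production filter
// would be an allow-list sanitizer and should be idempotent, because the
// hardened read path below re-applies it to old records.
function currentFilter(html) {
  return html.replace(/[&<>"']/g, c => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed sample records. Profile 1001 was saved before any filter existed
// (filterVersion 0 = never filtered); profile 1002 was saved after.
const profiles = new Map([
  [1001, { about: '<script>/* constructed legacy payload */</script>', filterVersion: 0 }],
  [1002, { about: currentFilter('<b>hi</b>'), filterVersion: 2 }],
]);

// Filter-on-edit only (the behaviour the article describes): new saves are
// filtered, but reads trust whatever is already stored.
function saveProfile(id, about) {
  profiles.set(id, { about: currentFilter(about), filterVersion: CURRENT_FILTER_VERSION });
}
function renderTrustingStore(id) {
  return profiles.get(id).about;
}

// Hardened read path: a record stamped with an older filter version is
// re-filtered and re-stamped the first time it is served, so the cost is
// paid per view instead of as one pass over the whole database.
function renderWithLazyRefilter(id) {
  const p = profiles.get(id);
  if (p.filterVersion < CURRENT_FILTER_VERSION) {
    p.about = currentFilter(p.about);
    p.filterVersion = CURRENT_FILTER_VERSION;
  }
  return p.about;
}

// Audit query: profiles that have never passed through the current filter.
function staleProfiles() {
  return [...profiles].filter(([, p]) => p.filterVersion < CURRENT_FILTER_VERSION)
                      .map(([id]) => id);
}
```
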

What does the code look like that works for them? For those interested I've hosted it here. It will no longer work for you because of the myspace filters, it's just a p-o-c. The profile code executes the script here which steals your cookie (all your information - myspace id, time visited etc.) and sends it to their sql server via connect.php.

I'm still interested in tracking people that come to my page, what does work as of now? Right now - it doesn't look like much. I mean I don't spend time trying to exploit myspace, so I really wouldn't know. Does something exist? Possibly a backdoored mp3 is one way, but I'm not going to explain how to do it. If interested check out this link.

I do have a lot of low friends in high places (if you know what I mean) that could take this site offline for months, but I'm not into that anymore. Educating everyone about its operation is not only legal - but has the same cease to exist effect.

Please pass this on to your friends before they fall victim.

Questions & comments are always welcome - devz3ro@gmail.com

UPDATE: It appears profile (69471042) has been deleted - score one for Tom. It also appears that stalkertrack created this profile and many more just like it *while myspace still allowed them to insert this code* (smart on their part because 125940664 still works [and who knows however many more]) - score one for the bad guys.

It looks like this is becoming a cat and mouse game. DDoS may be necessary...
