Posts Tagged ‘MySpace.BeaconData’

Dissecting a MySpace page

Tuesday, May 17th, 2011

myspace-300x81Having not seen this done anywhere else, I decided to look at some basic MySpace pages at random and determine if I could find anything in the source code that might be of any investigative interest.

In general, the source code of a MySpace page has lots of HTML code, but much of it is of no use to the investigator because it does not identify the user or provide investigative leads. There are, however, a couple of interesting things to be found if you look for them.

The actual server location of an image file

Images on a MySpace main page are not embedded in the page. They are linked to a separate web address at www.msplinks.com. Here is a real example randomly gathered from a MySpace page of an image that was on the page:

href=”http://www.msplinks.com/MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2
UuY29tL2luZGV4LmNmbT9mdXNlYWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0y
ODYzNDc4JmFsYnVtSUQ9MjExNDE2NSZpbWFnZUlEPTQ0OTU4MTY2″>

This highlighted portion of the code which is obfuscated and is actually encoded in Base64:

MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2UuY29tL2luZGV4LmNmbT9mdXNl
YWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0yODYzNDc4JmFsYnVtSUQ9MjExNDE
2NSZpbWFnZUlEPTQ0OTU4MTY2

The Base64 translation of this portion of the code is:

01http://viewmorepics.myspace.com/index.cfm?fuseaction=viewImage&friendID=2863478&albumID=2114165&imageID=44958166

The Base64 translated link contains the friendID of the page it is from and what appears to be a uniquely assigned imageID.

The www.msplinks.com address is just a white page when you go there. However, when you look at the source code for this page you see some “old school letters” spelling out myspace.com:

myspace

Embedded video files and their original location

If you right click on an embedded video and select “copy embedded HTML” and paste that into a separate document, you can review the code and find the video location.

Actual example of an embedded video from a random MySpace page:

<imgsrc=”<object width=”640″ height=”390″><param name=”movie” value=”http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=
player_embedded&version=3″></param><param name=”allowFullScreen” value=”true”></param><param name=”allowScriptAccess” value=”always”></param><embed src=”http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=
player_embedded&version=3″ type=”application/x-shockwave-flash” allowfullscreen=”true” allowScriptAccess=”always” width=”640″ height=”390″></embed></object>

The actual page location on YouTube of the embedded video from above example:

http://www.youtube.com/v/Xz2MWedTbP0

Finding the FriendID

I also found the MySpace FriendID in several different locations in the pages source code. A simple search for “FriendID” will find the numerical Friend ID used by MySpace.

Here is a random example of a FriendID found in MySpace source code:

var MySpaceClientContext = {”UserId”:-1,”DisplayFriendId”:281346014,”IsLoggedIn”:false,”FunctionalContext”:
“UserViewProfile”,”UserType”:1};

This is the Myspace ID # that corresponds with the MySpace user name:

DisplayFriendId”:281346014

Add the Friend ID to the MySpace URL and it will take you to that friend’s page.

http://www.myspace.com/281346014

Tracking Code

I also found something of interest to the investigator and a good reason not to use your agency/company computer network to look at a MySpace page. Without much effort I found the code for MixMap. MixMap is tracking code that can be used to identify the IP addresses of anyone viewing a MySpace page. You can register at www.mixmap.com for access to your account and to prepare unique code for insertion on your MySpace page.

In a real example I found the following tracking code located in the MySpace page’s source code:

<a href=”http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v”
target=”_new” title=”MySpace Tracker”>
<img src=”http://www.mixmap.com/661165/no_image_tracker_strict.jpg” border=”0″ height=”1″ width=”1″ style=”visibility:hidden;” alt=”MySpace Tracker” /></a></style></span>

<a href=”http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v” target=”_new” title=”MySpace Tracker”><img src=”http://www.mixmap.com/661165/no_image_tracker_strict.jpg” border=”0″ height=”1″ width=”1″ style=”visibility:hidden;” alt=”MySpace Tracker” /></a></style></span>

This portion of the code is actually encoded in Base64:

MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v

The Base64 translation of this portion of the code is:

01http://www.mixmap.com/

MySpace beacon data

Another thing I found a little disturbing about MySpace was what it is collecting on its pages. I located the following code labeled MySpace.BeaconData, which indicates that MySpace appears to be tracking persons viewing MySpace pages. Not that this is unusual from a marketing point of view. But the investigator should be aware that s/he is being tracked.

In the abbreviated random example below, you can see in the bolded portions the city, state and country I am coming from, as well as my computer’s operating system and the version of Internet Explorer I was using.

MySpace.BeaconData={”dsid”:”2″,”dsv”:”1″,”rd”:”browseusers.myspace.com”,”rqs”:”",”refpg”:
“/Browse/Browse.aspx”,”rpf”:”Browse”,”d”:”www.myspace.com”,”qs”:
“friendID=2863478″,”pf”:”UserViewProfile”,”fa”:”",”pgnm”:
“/Modules/Profiles/Pages/Display/Profile.aspx”,”cip”:”1290290619″,”pc”:”en-US”,”pid”:”405384887825081977″,”pidf”:”0″,”ABtd”:”0″,”t”:
“1287086098069″,”ct”:”1287086098069″,”ci”:”Reno“,”st”:”NV“,”co”:”US“,
“dmac”:”811″,”uff”:”0″,”uatv”:”br=MSIE 8.0&os=Windows NT 6.1“,”sip”:”170659174″,”uid”:”-2″,”pggd”:
“e327762c-2571-4e8f-b47f-d5fb46a670e5″,”prid”:”2863478″,”ili”:”0″,”at”:”1″,”cfv”:”0:0:0″,”cef”:
“0″,”sliu”:”0″,”pref”:”0″,”kvp”:”bt=0

In the following abbreviated random example I used the Tor network to hide myself, and you can still see (in the bolded portions) the city, state and country the Tor exit node was located:

MySpace.BeaconData={”dsid”:”2″,”dsv”:”1″,”rd”:”",”rqs”:”",”refpg”:”",”rpf”:”",”d”:”www.myspace.com”,
“qs”:”friendID=542455573″,”pf”:”UserViewProfile”,”fa”:”",”pgnm”:
“/Modules/Profiles/Pages/Display/Profile.aspx”,”cip”:”3493170727″,”pc”:”en-US”,”pid”:”405384887825081977″,”pidf”:”0″,”ABtd”:”0″,”t”:”1287100961997″,”ct”:
“1287100961997″,”ci”:”Woodstock“,”st”:”IL“,”co”:”US“,”dmac”:”602″,”uff”:
“0″,”uatv”:”br=MSIE 8.0&os=Windows NT
6.1
“,”sip”:”170663537″,”uid”:”281346014″,”pggd”:”c1834a83-d897-44a8-adfe-
93e8f959c60e”,”prid”:
“542455573″,”ili”:”0″,”at”:”2″,”cfv”:”0:0:0″,”cef”:”0″,”sliu”:”0″,”pref”:”0″,”

In this example the Tor exit node just happened to be in Illinois. From an investigative standpoint, the investigator should know what s/he is exposing to the target website.

I’ll continue to review pages and comment as I find anything interesting. If anyone else has any good tidbits about MySpace or any other social networking sites let me know in comments.

Todd Shipley is Vere Software’s president and CEO.