So the last couple of days I’ve been fooling around with Hypem, both looking into finding their mp3 files and some of the mechanics in that. Moreover I did a quick look for some simple exploits as well. I’ll present my findings starting with the mechanics of finding their mp3 files and hereafter I’ll get to some exploits and some cookie stealing/session hijacking when going over some of their javascript.

If you don’t know what Hypem are then you have been living under a rock. But, this is how they describe themself: “The Hype Machine keeps track of what music bloggers write about. We handpick a set of kickass music blogs and then present what they discuss for easy analysis, consumption and discovery. This way, your odds of stumbling into awesome music or awesome blogs are high.” - http://hypem.com/about. Their rank on Alexa can be found here: http://www.alexa.com/siteinfo/hypem.com

Finding Hypem mp3 files

So I first wanted to be able to download the awesome music from Hypem which is why I downloaded some plugin for FF in order to do so. But the plugin was bad, I had to go through every song and press download or use another plugin which messed up the naming of the files. Therefore I broke down the plugin in order to find out how they got the files in the first place.

Basicly the url of the mp3 files can be found in two ways (found the second one later on):

http://hypem.com/serve/play/[id]/[key]

http://hypem.com/serve/source/[id]/[key]

The /serve/play one will do a redirect to the mp3 file which then can be downloaded. The /serve/source one on the other hand will give you a bit of JSON data with the id of the track, the url to the mp3 and a bool final which allways seems to be true (what I’ve seen so far). The JSON for one of the tracks is shown below (You don’t need to try to download the file, the link is broken on purpose)

{
   itemid: "gmef"
   url: "http://t01a.hypem.com/sec/5e3cf3001fck75d3bb1de182b959a89b/51ed41f1/archive/614/10/1eaca15ec90abcde181efk144d146d8b.mp3"
   final: true
}

Getting this far is quite easy when being in a browser (which is maybe why there are no standalone programs that I could find) which takes care of cookies etc etc. But when I was doing my own program in C# as a program on the side I ran into a couple of problems.

I started by getting the Hypem pages after remembering to add a User-Agent in the headers of the HTTP request. Otherwise I wouldn’t get any real content. Getting the ids and keys for the URLs was next on the agenda, luckily Hypem got all of that in their source in a format like this:

trackList[document.location.href].push({
   type:'normal',
   id:'ad5sf',
   postid:'1539980',
   posturl:'http://www.themusicninja.com/folk-st-vincent-surgeon/',
   time:'265',
   ts: '1311368622',
   fav:'0',
   key: '63f38d627b20d16aad38c67cbe1ed2b6',
   imeem_id:'',
   artist:'St. Vincent',
   song:'Surgeon',
   amazon:'',
   itunes:'',
   emusic:'',
   exact_track_avail:'0'
});

So I created a function which took the input in form of a Hypem HTML source and returned a list of Track objects which all had been extracted from the source. The extraction was quite simple; select all <script> tags where trackList[document.location.href].push({ was to find in the tags innerText. Then parsing the innerText of the selected tags using a couple of RegEx’s to extract the values. Fx. extracting the key could be done using this RegEx (returning the hex value of into the group keyValue):

\skey\:\s?\'(?<keyValue>([a-fA-F0-9])*)\'\,

From there I just needed to download the files, right? Almost, since the keys are uniqe to the AUTH cookie I first had to pretend being a browser by getting a AUTH cookie on my first request to Hypem (Header Set-Cokokie was recieved from the HTTP response) and then using it in the future requests including getting the download URLs. Here you can see the Set-Cookie header recieved, we’ll come back to that later on:

Set-Cookie: AUTH=03%3Adaae3967194bfaa0232a8b0e0aa0a331%3A1311612064%3A1047226477%3A07-DK; expires=Wed, 21-Jul-2027 16:41:04 GMT; path=/; domain=hypem.com

Otherwise I would get URLs that I could’t download. This is properly made in order prevent users from sharing the /serve/* URLs or some other reason that I havn’t found yet. When getting the download URLs I used the /serve/play option then following the HTTP 302, redirecting me to the right download URL.

So if you want to create your own fun little program for surfing Hypem remember to

• Set your User-Agent header
• Reuse your AUTH cookie

Another fun little thing with Hypem’s HTTP headers is the header X-Hacker:

X-hacker: Hey, if you're reading this, you should drop us an email at hypem.com/contact, maybe we can work together!

Exploits and other fun investigation

While I was at it I did a quick look for things like SQLi and XSS’s. I didn’t find any SQLi’s (so far), but I did found a couple of XSS’s:

http://hypem.com/soundcloud-embed.php?set=planningtorock/sets/w-hype-machine-exclusive/s-8ev0R';alert(document.cookie);var x='
http://hypem.com/search/"><script>alert(document.cookie)</script><div class="/1/

Well these I think speak for themselves. Easy to do a lot of fun with and with some of Hypem’s custom JS functions it’s even easier if you want to automate the process. Hypem godt a HUGE (~2600 lines beautified) JS file with their own functions, helpers etc. If you want to have a look for yourself it’s here (minified): http://static-ak.hypem.net/rev_1311597164/js/hype_functions_min.js. These are some of the most fun I think:

• get_cookie(name)
• set_cookie(name, value, expires, path, domain, secure)

You can of misuse these two functions in an XSS, using get_cookie(‘AUTH’) (or just document.cookie) and send it to your own server for later use. Then XSS yourself and using the set_cookie(…) function to easily set the AUTH cookie. The path, domain etc. you could find in the Set-Cookie header gotten earlier. Mind that the expires variable indicates how many days from the current time the cookie should be set, you can really set it to whatever. An example use of set_cookie(…):

set_cookie('AUTH', '03:32ceca302374836fd91f11eb76e0bad9:1311506102:1047226477:07-DK', 10, 'hypem.com', '/', false);

Fixing the XSS’s is rather trivial, escape the strings properly in taking into account where the strings are being echoed and then that’s that. No more XSS and no more session hijacking.

I full list of functions you have here:

function set_ad_vars()
function dfp_extras_var_passthru()
function dfp_extras_passback(country)
function refresh_user_menu()
function page_url_state_init()
function load_url(url, action_src)
function check_hash_change()
function rewrite_links()
function get_cookie(name)
function set_cookie(name, value, expires, path, domain, secure)
function get_visitorid_from_cookie()
function hide_notice(cookie_key)
function set_site_queue(queueItems)
function get_site_queue()
function getQueryVariable(variable)
function load_search()
function urlencode_kinda(str)
function load_random_search(forced)
function load_random_track()
function trim(str)
function get_unix_time()
function sec_to_str(nSec)
function toggleLayer(whichLayer)
function getOffX(o)
function sm_onload()
function sm_onplay()
function sm_onresume()
function sm_onpause()
function sm_onfinish()
function sm_whileplaying()
function sm_whileloading()
function sm_start_drag(evt)
function sm_follow_volume_drag(evt)
function sm_follow_progress_drag(evt)
function sm_end_drag(evt)
function sm_update_volume(evt, t_elt, morph)
function sm_update_progress(evt, t_elt)
function sm_toggle_mute()
function loadNextTrack(skip)
function retryLoadTrack()
function beginFadeTransition()
function fadeInSound(soundObj, amount, ms_delay)
function fadeOutSound(soundObj, amount, ms_delay)
function is_fade_enabled()
function is_html5_history_compat()
function update_current_play_ctrl(mode)
function togglePlayByItemid(itemid, evt)
function is_spy_page()
function is_shuffle_page()
function togglePlaySimple()
function togglePlay(id, evt)
function stopTrack()
function playTrack(skip_prompts)
function nextTrack(clicked_obj)
function prevTrack(clicked_obj)
function set_track_bg(fileid, color)
function set_now_playing_info()
function toggle_favorite(type, id, gray, skip_prompt)
function show_all_tracks(elt)
function show_buy(pos)
function expand_hyped(list_parent)
function enable_notification_check()
function check_notification()
function disable_notification_check()
function enable_playback_check()
function playback_check()
function disable_playback_check()
function toggle_item_activity(type, fileid, page)
function update_item_activity(type, fileid, page)
function load_item_activity(type, id, pos, page)
function toggle_item_graph(id, force, pos)
function load_item_graph(id)
function show_sidebar_info(uid, method, section)
function set_nav_item_active(eltid)
function setup_player_bar()
function hide_player_bar()
function show_player_bar()
function blog_search()
function blog_search_keyup()
function blog_directory_switch(tab)
function radio_update()
function load_gs_player(pos, gs_id)
function next_review(pos)
function prev_review(pos)
function show_review(pos)
function updateUrl(value)
function checkEmail()
function create_account(type, id, form_type)
function user_login(type, id)
function post_login(type, id)
function post_username_change()
function cancel_iframe_dialog(redir_to)
function checkPw()
function change_password(old_pw, newpw, key)
function change_username(pw, new_username)
function change_email(pw, email)
function user_logout()
function user_forgot()
function display_twitter_score()
function save_location()
function UploadToS3()
function lightbox_close_handler(lightbox_url)
function contact_show_tips()
function save_account()
function request_confirmation()
function unlink_twitter()
function save_twitter()
function unlink_lastfm()
function save_lastfm()
function show_lightbox(type, url, arg1)

Also there is the wonderful function debug(q, w, e, r) defined like this:

window.debug = function(q, w, e, r) {
    if (!document.location.href.match(/dev.hypem.com/)) {
        return false;
    }
    try {
        if (typeof console != 'undefined') {
            console.log.apply(console, arguments);
        }
    } catch(err) {
        if (typeof console != 'undefined') {
            console.log(q, w, e, r);
        }
    }
};

This function is great, if you are a dev or someone interested in get a deeper look at the inside of Hypem. Unfortunately I’m not a Hypem dev (hint, hint) and the dev.hypem.com requires username/password, so I’ll just redefine the function with this:

function debug(q,w,e,r){
    if (do_debug==false) {
        return true;
    }
    try{
        if(typeof console!='undefined'){
            console.log.apply(console,arguments);
        }
    } catch(err){
        if(typeof console!='undefined'){
            console.log(q,w,e,r);
        }
    }
}

I introduced the variable do_debug, a bool enabling the debug in the console. You should really take a look at the debug messages, a lot of fun stuff to see actually.

Needless to say there are a lot of fun XHR requests going on at all times on Hypem which you’ll find out when debugging the site and looking at the XHR requests. Logging action, radio fun etc. etc. etc. All of this is kind of expected with a site like Hypem where almost all of the stuff is happening via AJAX in order to keep the music playing.

The site also got a bit of fun variables when being logged in and logged out. Without going into depth with all of them here’s the list:

var trackList = {};
var activeList = document.location.href;
var currentTrack = 0;
var currentPlayerObj = Array();
var activeItem;
var currentUrl;
var prevUrl;
var is_logged_in;
var logged_in_username;
var playback_allowed;
var dragging_position = false;
var dragging_x;
var isReady = 0;
var playerStatus = "";
var playerDisplayed = "normal";
var playback_event_timeout = 0;
var playback_event_count = 0;
var playback_manual = 0;
var player_position;
var player_duration;
var player_volume = 50;
var page_updater;
var notificationTimeout = 0;
var updateSpy = 1;
var album_rs = Array();
var album_r_curr = Array();
var autosearch_blogs;
var radio_timeout = 0;
var radio_now_fileid = 0;
var radio_now_data = {};
var radio_counter = 0;
var radio_notificationTimeout = 0;
var master_ord;
var master_passback;
var ad_feedback_code;
var ad_feedback_position;

I think all of the variable names makes so much sense that I don’t want to explain what each of them do, you’ll have to have fun with that yourself.

Domains, servers etc. etc.

Here’s just a little bit of info from a quick look at the server, domains and subdomains at Hypem. Not that interesting but there you have it.

Hypem.com is hosted at 205.251.139.43 (US) together with 2 other domains: buymusic.org and hypem.mobi. Properly a VPS for their main stuff I guess. 5 DNS servers from dnsmadeeasy.com used, some load balancing there also. (http://www.robtex.com/dns/hypem.com.html, http://toolbar.netcraft.com/site_report?url=http://hypem.com)

The subdomain dev.hypem.com is hosted at 205.251.142.11 (US). No sharing on that server, properly just an isolated test server for lulz. (http://www.robtex.com/dns/dev.hypem.com.html).

Subdomain blog.hypem.com is over at 69.163.207.2 (US). Sharing the IP with a couple of weird domains besides from thehypemachine.net.

Hypem uses a S3 bucket for their users profile pictures, that’s here: http://faces-s3.hypem.com/.

Furthermore they got (maybe) 8 servers for hosting their mp3 files at http://t01a.hypem.com/ –> http://t08a.hypem.com/. There are other hosting servers also I’m sure, maybe some soundcloud thingy.

I think that’s it for now, I’m going to beeed.

Speed

I started with some benchmarking: http://e-x-e.dk/labs/timing/ (source: http://www.e-x-e.dk/labs/timing/source.php).

This basically creates 10000 random strings with a length of 50 and then encrypting all of these random strings with all of the hashing methods of my php installation’s disposal. This outputs a sorted list of the methods. The consequents of choosing fx a slow hashing method means that you’ll have a bit more load on your server since speed == load. But then again, choosing a slow hashing method will also mean a slower bruteforce for the hacker – buying your users (or you) more time to change their passwords and you closing the hole. But you’ll have to remember that where your bigger load/increased hashing-time caused by the slower hashing method is spread out the bruteforcers isn’t. So it’ll be a bigger hit to the bruteforcer than it will be to you.

Common vs. uncommon method

When choosing a hashing method it can also be a benefit from my point of view to choose a less common method for hashing your password/information if you have the option. And the argument is quite simple I think. With common methods like md5 which is used by the majority of sites today there are already constructed huge (HUGE) rainbow tables etc. (http://www.freerainbowtables.com/da/tables/md5/). Therefore by choosing a common hashing method you are also decreasing it effectiveness since a lot of the string combinations have already been computed.

Choosing a more uncommon hashing method will get rid of this problem, but then again, this maybe result in a slower computing of the hash as well, and for some – that’s a problem. By choosing a fx a tiger(2), SHA-1 or SHA-512 hash over fx. md5 you would decrease the effectiveness/speed of the bruteforce.

Hash method attacks

The effectiveness of a hash method is of course also influenced by if it has been fx collision attacked (http://en.wikipedia.org/wiki/Collision_attack) or a preimage attack (http://en.wikipedia.org/wiki/Preimage_attack). Therefore you should also have this in your considerations when choosing a hashing method for your site.

Other things to consider

Things like salting your passwords etc etc is naturally also a good idea (maybe even with some HUGE salts, to ensure the length of the password extends the typical length of passwords and thereby setting the rainbow tables out of play). Some of these considerations might come in a later post.

I think there a lot fo pros and cons in this matter but as a general conclusion I think it’s time for the use of some more uncommon hashing methods in order to strengthen the security of information if hashed information is compromised. What do you think is the best hashing method to use and why?

So  I started with stealing a basic example, cleaned it down, leaving only the raw gadget. From there I used the “gadgets.util.registerOnLoadHandler(init);” functionality to load potentially malicious code onLoad of the Gadget. This can be used to prompt the viewer of the Gadget for eg. login information. The normal trusting user wouldn’t suspect this risk since it was prompted by Google Wave, right?

Passing on I’ve created a couple of buttons in the Gadget which called a couple of Javascript function which did a couple of different things, one simple alerted the user, just to show that you could do anything.

One button changed window.top.location, sending the user to a completely other site, away from the “protecting” environment of Google Wave.

One button got the viewers Google Wave ID (an email), his/hers display name and his/hers thumbnail url. This could maybe be used to created fake accounts on websites, compromising the viewers exclusive use of his/hers email. Of course the email could also be harvested and sold to spamming bad guys with a lot of “Great deals on Viagra”.

The last button I created in this little Gadget example did also change the window.top.location but this time not to an url but instead to some data:text/html – base64 encoded. This could be used to show ads or propaganda to the viewer without a possibility to block a specific url, since this was content defined in the Gadget’s code itself.

This is what I’ve been doing the last day or two I have you read this and spread the word and of course leave a comment or a trackback. As said I’ll be back with more Google Wave security when I get access to the Sandbox

My Gadget can be viewed and tested at this URL:

http://e-x-e.dk/labs/waveHack/hack1.xml

Anyway, I wanted to watch a movie and that’s no problem when we got a NAS at home but the DLNA server of the device is setup to only take content from the music folder on the device (for some reason the DNLA server in the NAS can only provide content from one folder). So I had to find another way to push content to the PS3 system. I knew I wanted to use the network connection since the whole house is build on this network anyway, and secondly I’m rather lazy. Furthermore I really wanted to take advantage of the build-in DNLA streamer/player in the PS3 so I had to setup some kind of DNLA server on my laptop or other kind of computer.

I Googled around the interwebs and found Java PS3 Media Server at Google Code. It’s an awesome project which I hope continues. Well the project looked really nice and I downloaded and installed the server only my laptop which easily should be able to serve the content seen from a processor (Intel Core 2 Duo, 1.8 GHz) and memory (3 GB) point of view.

First I tried to stream some random video content and is ran smoothly but when I choose a bit more demanding kind of content the stream just couldn’t keep up with the demand. I firstly tried to lower the transcoding settings and looked at the network load at the same time. This is what I found:

Note that I boosted the transcode buffer maximum size up to 600.0 MB.

Streaming audio

I set the default quality of audio streaming down from 640 KBit/s to 320 KBit/s and I did that first of all because I wanted to keep my portability and not needing a network cable plugged into both the laptop and the PS3 which both were operating wirelessly. Secounly I didn’t need all of that quality since I rip my CD’s at 320 KBit/s and the transcoding was going into AC3 which means that even at a low bitrate I would get rather good quality out of the Samsung LE32B535 which is connected to the PS3. I also changed the number of audio channels from a whooping 5.1 (6 channels) to stereo (2 channels) again because I wanted portability and I wasn’t streaming to any surround sound system.

When buffering a song the network load hits properly just maxes out. When the starting buffer is full and streaming normally the network load is just around 125.000 byte/sec (0.96 Mbit/sec) which I think is really good (when filling rest of the buffer). Keeping the normal network load under 1 Mbit/sec. means that nearly every wireless setup will be able to stream smoothly.

Streaming pictures

Not much to say here to be quite frank. The times it takes for the pictures to load is of course dependant of the size of the pictures and of course the maximum network speed.

Streaming video and problems

Good software always have a butt, and this one got a bad one of those. My network connection couldn’t keep up with the request of data and therefore the video was a real pain the in ass to watch. Well this only happen with some movies. I tried ripping in different bitrates at 1800 kilobyte/sec. the video stuttered every some seconds, but at around 1150 kilobyte/sec the network connection could keep up, but only just (stutters sometimes). So the real pain in the but is the network speed, I would recommend using cables (at least 100 megabit/sec. of course) when streaming stuff to your PS3 using this software. You could use at lower bitrate but then it wouldn’t really be fun to watch on a full HD monitor, right?

I think you should try it out In my tests both my PS3 and my laptop was in the other range of the wireless access point. When I get the time I’ll try the same tests with both devices connected to the network with cables.

Unserious stuff:

http://soundcloud.com/obd/obd-nu-ar-jag-en-cider-feat-hakan-roswall  - A song created by some dude, really fun. If you understand it.

http://spectrial.virvelvind.net/ – The place I got the song from above, here is some really fun stuff as well. More song, a Roswall-nonsense generator etc.

http://en.wikipedia.org/wiki/King_kong_defense – The wiki talks for it self.

Serious stuff:

The English translated version of all the news, twitters etc. from the case: http://74.125.19.132/translate_c?hl=da&langpair=sv%7Cen&u=http://live.piratpartiet.se/&usg=ALkJrhiLOLGPFWYRkZspxZZMrSFEJHQ1YQ

The place where you can listen to the trial LIVE: http://www.sr.se/webbradio/webbradio.asp?type=live&Id=SR-Extra01&BroadcastDate=&IsBlock

Except this I’ve used my 5 minute break on this wallpaper today. It comes in 2 sizes: 1600x1200 and 1900x1200 this should suit anyone.

1600x1200

1900x1200

The original PSD file for the 1600x1200 version

The TPB font

Please create more fun and fantastic wallpapers and such and post a comment or a ping to this post.

I’ve been busy dancing, working and with my second year as a college student. As said I’ll try to start blogging again and hopefully you’ll comment this and my future post as motivation.

See ya’ all

Thomas

I'm going to write the tips in a chronology order as the day goes a long.

Morning: Get up early and start the day good. This could be a general tip for anyone but it's really important to get up early. In that way you'll have a whole day instead of just a half one. It's better to start early and end the day early than starting the day late and end the day very late!

And get really up, I mean you have to get up, take a shower, eat breakfast and get properly dressed before you work. You can't work in a pyjamas.

Noon:Make sure you get normal breaks. One at noon for lunch and one in the afternoon. In that way you don't have to leave your work behind because your starving.

NOTE: Do not take your break the same place your working, otherwise it isn't really a break. Have some zones in the house with work-only and non-work.

Afternoon and night: When the working day is about to end then end it. Don't "take your work home" otherwise you'll just keep working (or thinking at work).

General tips:

Separate your time. Don't take a hour out of your working day to raid in WoW or anything like that. You'll forget everything about work and keep playing (I've tried that one). AND: limit distractions, avoid TV, (non-)VOIP and phone calls etc.

Have a good working plan. Make a plan (maybe) a month ahead so you have some goals of the day. Else it can be hard to know what you've just spend a whole day working on.

Dedicated to my dear friend Stefan Bohlin, your the greatest dude! I wish you the best of luck with your firm!

Well I'm going to review:

• Club 3D - Radeon 9800 PRO
• Maxtor Onetouch 3 300GB
• Creative X-Fi X-treme Music
• LG Flatron L1980Q

And when the new hardware has been bought and received I'll do some reviews of that to. An complete review list will be up later on.

Some subjects for future posts will be about the ultimate technical home, where everybody is talking to each other and working together.

But enough whining from me, I've planned some posts about me dream digital home. All the things I want and need to create the perfect home for my family and I. A digital home isn't just to get the bragging rights (well a bit maybe) but also to have an easier everyday life.

These posts will be posted in the nearest future.

What this blog should do:

• Inform you on Internet security
• ... Computers
• ... Hardware
• ... Software
• ... Ballroom Dance
• and a lot of my dreams, everyday life and bragging.

For the first dot: I'm a security geek, that's it, now it's out in the open. I will try to have a finger on the pulse and I will post the exploits and errors I find. These exploits will be analysed and found a solution for.

For the 2nd, 3rd and 4th dot: I know computers is hardware and software mixed up. BUT, I will also get a perspektive on whole systems instead of just a piece of software or hardware.

For the 5th dot: Without thinking gay and wierdo let me explain. In my sparetime I'm a dancer with passion. I'm dancing on my ehhh... 11th yeah so this is no new thing for me. I'm not going to talk a lot about this but, it would be a good breakoff instead of computers and stuff 24/7.

and the last dot: This is like the 5th, a breakoff from all computers. I maybe give you a tour in my room or my home. This will give you an insigth of who I am. In this categoty I'll also be bragging about holidays and stuff. For a starter I can tell you that I'm going 1 week to Mallorca in my summer vacation.

Each of these dots will get a category for easy viewing what you like.

And now: why I'm starting this blogging thing. First off all I hope to get to learn a hole lot of people to know thogh all this. Second off all I hope my english will be better, I think it is okay now but it can allways be better!

Please give me some critic on everything; spelling, content, the site, impromements, you name it!