Via theregister.co.uk -
When it comes to protecting digital content holders from the hordes of naughty file grabbers, you'll be hard pressed to find a more zealous partner than Apple. So we were surprised to learn that Apple's Safari browser makes it easy to download MP3 files hosted on MySpace that are supposed to be limited to streaming only.
MySpace programmers have taken pains to obfuscate the location of the MP3 file music artists embed into their MySpace profiles. Until now, pirates had to use programs like Ethereal or Burp to divine where a tune was stored. But thanks to a Safari feature called the Activity Window, that cumbersome process is no longer necessary.
We read Dave Shanley's writeup of the technique and were able to replicate the process, although with a few minor modifications.
The Firefox add-on "Live HTTP Headers" does the same thing. Web browsers are terrible at keeping secrets.
GET /65/std_5346f38030efe80246b6c2e4391bbccb.mp3?bandid=163965321&songid=72877592&token=1188283276_832a1d48c011c67f9e2668b3b86282a8&p=aHR0cDovL2NhY2hlMDktbXVzaWMwMi5teXNwYWNlY2RuLmNvbS82NS9zdGRfNTM0NmYzODAzMGVmZTgwMjQ2YjZjMmU0MzkxYmJjY2IubXAz&a=0 HTTP/1.1
Host: cache09-music02.myspacecdn.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.x 200 Ok
Accept-Ranges: bytes
Cache-Control: no-store
Connection: keep-alive
Content-Length:1129744
Content-Type: audio/mpeg
Date: Tue, 28 Aug 2007 06:40:15 GMT
Server: sledgehammer/1.2.3
Yep and all the other common free pen-test proxies will work as well - Paros Proxy, Burp Proxy, WebScarab, etc.
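An added illustration, not part of the original post or its comments: a Python check that reviews the captured request above from the URL designer's side and flags query parameters whose values are reversible encodings rather than secrets. Reading the leading digits of `token` as a Unix timestamp is an assumption; the page does not describe the token format.

```python
import base64
import binascii
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Host header and request line copied from the capture posted in the comments.
CAPTURED_URL = (
    "http://cache09-music02.myspacecdn.com"
    "/65/std_5346f38030efe80246b6c2e4391bbccb.mp3"
    "?bandid=163965321&songid=72877592"
    "&token=1188283276_832a1d48c011c67f9e2668b3b86282a8"
    "&p=aHR0cDovL2NhY2hlMDktbXVzaWMwMi5teXNwYWNlY2RuLmNvbS82NS9zdGRfNTM0"
    "NmYzODAzMGVmZTgwMjQ2YjZjMmU0MzkxYmJjY2IubXAz&a=0"
)

def try_base64_text(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    value = value.rstrip("=")
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/_-]+", value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def audit_query(url):
    """Map parameter name -> (finding, recovered value) for guessable encodings."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query):
        decoded = try_base64_text(value)
        if decoded and re.match(r"https?://", decoded):
            findings[name] = ("base64-encoded URL, not a secret", decoded)
            continue
        # Assumption: exactly ten leading digits are a Unix time (e.g. an expiry).
        m = re.match(r"(\d{10})(?=\D|$)", value)
        if m:
            when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            findings[name] = ("leading Unix-time-like value", when.isoformat())
    return findings

if __name__ == "__main__":
    for name, (finding, recovered) in audit_query(CAPTURED_URL).items():
        print(f"{name}: {finding}: {recovered}")
```

The `p` value decodes to the same host and path the request was already sent to, so it hides nothing from a client that is allowed to stream the file.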