Home » FORUMS » Social Networking » Myspace (General)

MyToken



dreamskinner
dreamskinner's picture
Soon I will be a Trusted Member.. But not yetLooked at and admired by many!
GuGee Since: 2007-02-24
GuG-Points: 8
Last Seen: 04/11/2008 - 8:14pm
Submitted by dreamskinner on February 24, 2007 - 7:49pm.

Not sure if all notice, but when accessing profiles, many times those that are not on your friends list a "MyToke=XXXXXXXXXXXXXXXXXXXXXXX" appears after the friend ID. This is used to see whether a person could access a profile or not. My belief is that this token is based off of your user ID in what seems to be a hexidecimal coding, that seems to have a bitrate shift, so as the same code cannot exist in second or longer.
If someone out there has the time, experience and up to the challenge to help crack the code, I would love help out.

DS

‹ MySpace user ad targeting will be optional Teenager nabs mugger via MySpace ›


 

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Niebr
I'm Trusted Premium Member!Job Well Done!!Someone ELSE paid $1 to put this badge on me!
GuGee Since: 22-Apr-2008
GuG-Points: 453
Last Seen: 08/24/2008 - 9:43pm
Location: Pittsburgh, Pa

I am: The boy your mother warned you about

Re: MyToken
April 29, 2008 - 5:39pm

has anyone ever thought that maybe it is like a MYSQL database ?
the mytoken is your username,
your ip address is your password,
thats my 2 cents,
hey i got an idea, if hubby allows it,
for just one day, any one who has a myspace account,
catch the mytoken of every page you visit, and paste it into notepad, then, when your done, send them to me, go to my pro for my myspace, i want to see if these might be MD5 hashes, or maybe some type of ascii or hexideciamal code, it will give me something to ponder over when im not working on my school work,

The only stupid question is the one that remains unasked
~Niebr~

--


 

1360
GuGee Since: 18-Mar-2008
GuG-Points: 9
Last Seen: 05/14/2008 - 12:51pm
Location: on my couch

I am: Not really paying attention

Re: MyToken
March 18, 2008 - 10:52pm

I just wanted to point out the similarity of md5 sums and this token. I built a tracker in php to log my friends hits on myspace for some reason I decided to lay cookies of random numbers that were md5'ed as unique id's. After studying the hits on my tracker I noticed that if I hyphenated the md5s they were the exact length with similar characteristics.

random md5:
c8e26959-c2b2-7e12-ba43-2a560c611f7e

myToken:
e2fecd29-6d05-4452-a761-8f8596cec3eb

If this is an md5 there is probably no way to decode it as it is a non-decipherable hash. The only way to decipher is to have the value md5 it and check if they match, kind of like a brute force of dictionary attack.



 

highheel
Soon I will be a Trusted Member.. But not yetI'm a Premium Member
GuGee Since: 13-Dec-2006
GuG-Points: 29
Last Seen: 07/31/2008 - 8:24pm
Re: MyToken
February 3, 2008 - 2:22pm

I just tested something, and I was looking around. I noticed this and thought it may somehow be useful. When I came from messaging to my home at myspace, I got a normal mytoken code in the address bar. However, when I came from Safe Edit mode to my home I got a very different one. How is it in Firefox, my tokens always seem to be the same, but not in ie? Anyone else find this interesting?



 

spfunc
I'm Trusted Premium Member!
GuGee Since: 21-Mar-2007
GuG-Points: 11
Last Seen: 09/05/2008 - 7:40pm
Location: cali<3

I am: Chewing ice

Re: MyToken
March 21, 2007 - 9:26pm

well I'm pretty new to this whole thing, but based upon how other sites work this is my hypothesis:

 

your myToken is randomly generated prior to attempting to access a page or area that requires certain priviliges to be granted to you. each token is unique, and quite possibly time-dependent, and may refer back to a myspace database to double check additional info like IP addresses and login cookies, before it grants the appropriate token holder access to something.

 

ie: Jane's profile is private, but Tom is on her friends list. Tom clicks on Jane's profile and a token unique to Tom is randomly generated and stored somewhere deep within myspace. Myspace then begins to take Tom to Jane's page, but uses his unique token as a method of verifying that the visitor to Jane's profile is indeed Tom.

 

If I didn't think the tokens were referenced to some database I would believe that there was some possibility of hi-jacking other people's tokens and using them to gain access to stuff your locked out of. But I'm pretty sure it's referenced, not to mention each token is completely random, and if one were to refresh their page and then click on a token-dependent link again I'd wager that the first token would be rendered invalid and a completely new one would be generated.

 

But that's just a noob's 2 cents. :p 



 

coshed
GuGee Since: 09-Mar-2007
GuG-Points: 2
Last Seen: 03/11/2007 - 9:04pm
Location: Mars
Re: MyToken
March 9, 2007 - 1:19am

from that wiki page

Quote:
The OSF-specified algorithm used by Microsoft for generating new GUIDs has been widely criticized. In these (V1) GUIDs, the user's network card MAC address was used as a base for the last group of GUID digits, which meant, for example, that a document could be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa worm.

V1 GUIDs which contain a MAC address can be identified by the digit "1" in the first position of the third group of digits, for example {2f1e4fc0-81fd-11da-9156-00036a0f876a}. GUIDs using the later algorithm, which has a random suffix, have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}

this would mean that the guid used by myspace is indeed random

Coshed



 

coshed
GuGee Since: 09-Mar-2007
GuG-Points: 2
Last Seen: 03/11/2007 - 9:04pm
Location: Mars
Re: MyToken
March 9, 2007 - 12:58am

the mytoken is formated exactly the same as a guid or "Globally Unique Identifier"
look in your registry (windows) and you will see hundreds if not thousands

The are even so famous they get their own wiki page Smiling
http://en.wikipedia.org/wiki/Globally_Unique_Identifier

If perhaps you explored how these are generated you may come up with an algorithm to reverse engineer them but it would depend on what they used to seed the generator in the first place

On a pc they are usually seeded by the id of one of the network cards (if one exists) these id's are guid's themselves

If the generator is seeded by say a combination of the users id and the time you may find a hack, but I doubt it, I personaly dont have half a lifetime spare to come up with the answer, considering I have already wasted the first half of my lifetime.

more likely they are just random and stored in a database as a single use item. thus once used or a timeout occurs they are thrown away.

well thats how I'd do it anyway

virtually unhackable

Coshed



 

MofoBaby
Soon I will be a Trusted Member.. But not yetI'm a Premium Member
GuGee Since: 27-Feb-2007
GuG-Points: 46
Last Seen: 08/29/2008 - 7:26pm
Location: THE OC

I am: Luvin TheGuG

Re: MyToken
March 7, 2007 - 8:20pm

Well I am not sure if this is a start of something or not but I checked a friends profile on my cell phone and noticed while the page is being downloaded in the URL this is what read (Delb2.myspace/html.ngl=myspace&positionleaderboard2&page=

11013005&rand=13103742428&friendid=xxxxx&act=1&schoolpage=0)

I wonder if tweaked it would open up private profiles. I am new so if this is something that someone already tried then just ignor.

 



 

hackmasterkyle
I'm Trusted Premium Member!
GuGee Since: 07-Mar-2007
GuG-Points: 22
Last Seen: 07/23/2008 - 10:06pm
Location: USA
Re: MyToken
March 7, 2007 - 7:23pm

If you go here this might be of some help.

http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html



 

hackmasterkyle
I'm Trusted Premium Member!
GuGee Since: 07-Mar-2007
GuG-Points: 22
Last Seen: 07/23/2008 - 10:06pm
Location: USA
Re: MyToken
March 7, 2007 - 6:29pm

Well I don't know if this is any use or not. I was looking to see in my token if any of the numbers reoccur and I noticed in the 3rd set of characters there was always a 4 always at the beginning of that set of characters. As seen below.

64b0a26b-8cad-4789-a31a-755260f2925f
c4305266-f573-4453-8dd0-3e2e89df637f
55bfc838-a5d0-4ae4-bb81-6e04f95fb4a5
7834f436-1fe4-4eff-8f96-81041c1ed791
3476ec1b-3ac4-487c-9b52-8c1c2176cffb
72624323-4ace-450e-beb6-0ceee0f37b55
65a8b99a-e298-4ec2-a6dc-08975a725af1
453d8c66-6c54-4149-b9ff-802e48622d5f
1317fbe5-32ed-473d-be97-13fa2e7d17ac
bd1d3be5-7aea-4988-88b4-1ae7355a0ed7
e197af92-e126-466e-bc5b-aaf3fc94e0f7
79c0fb93-68d0-429d-8286-f9ab31a288c9
ac7db302-86a6-43cd-a377-7ae9651a3e42



 

_blue_moon_
I'm Trusted Premium Member!I'm a Premium MemberLooked at and admired by many!
GuGee Since: 17-Nov-2006
GuG-Points: 111
Last Seen: 10/16/2007 - 2:17am
Re: MyToken
March 9, 2007 - 1:32am

it also looks like that same group of letters are used a, b, c, d, e, f

--


 

Steelonion
GuGee Since: 21-Mar-2007
GuG-Points: 7
Last Seen: 09/11/2007 - 10:07am
Location: Ireland
Re: MyToken
April 3, 2007 - 7:39am

Letters A-F represent numbers in hexadecimel (10-15).



 

preciouskeoni
Soon I will be a Trusted Member.. But not yet
GuGee Since: 19-Feb-2007
GuG-Points: 24
Last Seen: 05/22/2007 - 5:02pm
Re: MyToken
March 8, 2007 - 6:08pm

you have something here. the same thing happens to me. not sure what anyone can do with it though...



 

Isaac
I'm Trusted Premium Member!Awesome Member!V.I.P. Member !!Certifed Apple loverLooked at and admired by many!Someone ELSE paid $1 to put this badge on me!
GuGee Since: 18-Sep-2006
GuG-Points: 402
Last Seen: 06/27/2008 - 7:20pm
Location: Salt Lake City, Utah

I am: Not really paying attention

Re: MyToken
February 27, 2007 - 2:03am

alright, I went to go look at my fifteen year old friends myspace page; there was no token in the url; I clicked on one her friends randomly figuring a good number of them would have private profiles. I clicked on a 16 year old, but her profile was private anyway, and there was still no token. Then I went and looked at my 25 year old friends profile, and I got a token. And her profile isn't private. But anyway, I have "referrer logging" disabled in my browser so it's not that; and it's plainly not the url that's being used. My guess would be the cookies. There's quite a few cookies that myspace sends you and you should probably be looking at those if you want to crack it. Now, there might be some IP tracking, but because I usally use a distributed mix-net, it might be present but it's not intergal.



 

Ashton
I'm Trusted Premium Member!I donated to The GuG !Awesome Member!Looked at and admired by many!Mystery BadgeSomeone ELSE paid $1 to put this badge on me!Certified Member Helper
GuGee Since: 20-Nov-2006
GuG-Points: 1094
Last Seen: 09/06/2008 - 12:27pm
Location: Deserts of Arizona

I am: Voting for Obama

Re: MyToken
February 27, 2007 - 2:32am

I agree, it's the cookies.

I think I found some interesting stuff in Google with the keywords

Myspace+Security+Token

I think I once heard they use SIM tokens - which is generally for cell phones - so that might be another good keyword.

You cannot perceive beauty but with a serene mind. -Henry David Thoreau



 

dannybat
Soon I will be a Trusted Member.. But not yetI'm a Premium Member
GuGee Since: 05-Jan-2007
GuG-Points: 13
Last Seen: 04/23/2008 - 8:57pm
Re: MyToken
February 27, 2007 - 12:57am

It's a basic part of the login session / cookie data Myspace sets.



 

yarrpirate
GuGee Since: 21-Feb-2007
GuG-Points: 5
Last Seen: 03/10/2007 - 3:12am
Re: MyToken
February 25, 2007 - 1:28am

man, i would so help as well. but these things are randomly generated with each new page, right? and there are other randomly generated things in the source code as well, eg closer to the bottom around the onlinenow code there's another, unrelated, refreshed-with-each-click 16~ character code. annnnnnnnnnnnnnnd if you're logged in, it knows who you are, and if you're not logged in, you can't view private profiles anyway.

i'd love to see the code for the user object.



 

LadyCerridwen48
I'm Trusted Premium Member!Awesome Member!Looked at and admired by many!Mystery BadgeSomeone ELSE paid $1 to put this badge on me!Certified Member Helper
GuGee Since: 06-Feb-2007
GuG-Points: 1934
Last Seen: 09/06/2008 - 5:54pm
Location: Currently NJ, heading towards Western NY

I am: Supporting our troops

Re: MyToken
February 24, 2007 - 7:57pm

...which theoretically means...if you can replace your "token" with that of someone on the private profile's friend's list...hmmmm...let me experiment some...

--


 

dreamskinner
Soon I will be a Trusted Member.. But not yetLooked at and admired by many!
GuGee Since: 24-Feb-2007
GuG-Points: 8
Last Seen: 04/11/2008 - 8:14pm
Re: MyToken
February 25, 2007 - 2:49am

I'm now experimenting to see if it takes the FriendID of a logged on Person, turns it into ASCII and uses some sort of equation, based off the current time, in seconds, and alters the n-based decimal outcome...I've disovered that it is not hexidecimal, but it could be a multidecimal out put, possibly 16-base or bigger with a logarithm that alters the source coding. (When looking at your profile, hitting refresh will change the MyToken almost everytime) My "MyToken" seems to always be 8character-4character-4character-4character-13characters....which I have discovered the meaning yet...
Good luck on solving this mystery Smiling this looks like fun!
DS