February 4th, 2002, 02:46 PM
Security hole in Morpheus
'Dangerous' hole discovered in Morpheus
MP3 fans using the Morpheus file-swapping service risk having their personal details exposed online, according to security experts.
Morpheus is now the most popular file-swapping service on the Internet. The security hole means that the personal details of millions of people are now at risk of exposure. According to the Web site of MusicCity--the company that created Morpheus--more than nine million copies of the client have been downloaded.
MusicCity Networks could not be contacted for comment.
A new security hole has been discovered in the peer-to-peer file-sharing application, which allows a random list to be generated of people using the service. A malicious hacker could then access the computers of those users and copy files from anywhere on their hard disk. Usually, Morpheus only allows access to files placed in a specific folder, like other peer to peer file-sharing clients.
The privacy risk was reported to BBC News Online by a group of security experts, who are choosing to remain anonymous. They have described the exploit as "very dangerous", and have warned that this could make every Morpheus user's computer available to anyone who wants to access it.
The Morpheus peer-to-peer application allows users to search for digital media, such as music and videos, on the MusicCity network. The service also allows content providers to deploy third-party digital rights management technology to protect their copyright works. This protects the copyrights of artists involved, and has helped it to prevent a Napster-style shutdown.
An Ounce of Prevention is Worth a Pound of Cure...
February 4th, 2002, 03:04 PM
do you know how this is done? i have morpheus. i would like to protect my computer from this.
February 4th, 2002, 03:05 PM
First off.. Turn off File-Sharing.
Second. Morpheus shouldn't "show the user" on the search list cause if you just follow a lil click on the user then you can easily trace and monitor the package.
So Morpheus. - take out the show user feature.
February 4th, 2002, 04:05 PM
I saw this article and freaked. Everyone I know, including myself uses Morpheus, so I was pretty surprised to read that there is such a serious hole in the program. That really sucks.
I think I will be writing MusicCity and ask what they plan on doing about this. A patch would really be appreciated.
February 4th, 2002, 06:16 PM
I've searched high and low for more info on this warning but there's nothing there. general consensus seems to be that this is a rumor started by the record industry to stem file sharing.
they might be right.
February 4th, 2002, 06:38 PM
Is this the Hole?
I am not sure if this is the hole that has been reported. I have known about this for quite some time. But i'll paste it anyway, i'm sure someone will tell me if it is old news or not
Hello, I wrote this text file just because I felt like typing and because a lot of people use morpheus and don't know they can be "hacked". Morpheus and Kazaa are a big community just like Napster and some others. This file explains a hole found by me (just_a_dude) which later on I discovered someone else had found already, but I felt like writing a text file about it so here it goes. I'll be referring to Morpheus/Kazaa as M/K.
February 4th, 2002, 07:00 PM
I'm not sure how available files in non-shared directories are. I will experiment with this when I am off the corporate network. It seems that if I do netstat -a and get a list of systems I am connecting to, I can then either do ftp <IP> and attempt a logon, or net use <ip>, or map network drive <ip>. With the second 2 choices I will only see files in shared folders. It is a security hole, but a simple enough patch is to disable sharing in drives/directories you don't want outsiders to see (I think by default 2000/nt c drive is shared -thank you m$).
February 4th, 2002, 07:49 PM
Morpheus file sharing is just like when I was a kid. I got a new walkman for my b-day and when I borrowed my friend's cassette to listen to it got tangled up, ate the cassette and broke my walkman. maybe the metallica scrooge was right, u SHOULD buy c.d.'s. and software
Just to be safe (not that anyone ever will again) N.
February 4th, 2002, 09:22 PM
yes, c is shared by default. it's under the name c$. you need admin access to get into it. if it weren't there and you had admin access you could easily enough create it. for once, i don't think there is anything wrong with what microsuck did.
Originally posted by dspeidel
(I think by default 2000/nt c drive is shared -thank you m$)
February 4th, 2002, 09:29 PM
this way (i wouldn't call it exploiting morpheus) gives you via a web browser a list of everything that person has on morpheus, which is a feature they have anyway. what you do is make a connection with somebody (download/upload) and in DOS run netstat -n command to get their ip. then in your browser just connect to their ip on port 1214. "http://x.x.x.x.:1214" the x's being the ip.
how this relates to the leeching of someone's c:/ drive, i don't know.
i guess someone beat me to it.
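A check a Morpheus user can run on their own machine, added here as an example and not written by any poster in this thread: it parses `netstat -an` output and reports whether the machine is listening on port 1214 or the Windows file-sharing ports on a non-loopback address, and which peers are connected on 1214. The sample output, the documentation-range IPs, the function names and the choice of ports 139/445 for Windows sharing are assumptions made for this example.

```python
import ipaddress

P2P_PORT = 1214            # port named in the post above
SMB_PORTS = {139, 445}     # Windows file sharing ports (added assumption)

# Constructed sample of Windows `netstat -an` output (documentation-range IPs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1214      203.0.113.7:3345       ESTABLISHED
  TCP    192.168.1.10:1033      198.51.100.20:1214     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None

def is_exposed(host):
    """True when a listener is bound to anything other than loopback."""
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return True  # unparseable bind address: treat as exposed

def audit(netstat_text):
    """Report exposed listeners and peers connected on the P2P port."""
    watched = SMB_PORTS | {P2P_PORT}
    report = {"listeners": [], "inbound_peers": [], "outbound_peers": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, UDP and blank lines
        lhost, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        state = fields[3]
        if state == "LISTENING" and lport in watched and is_exposed(lhost):
            report["listeners"].append(lport)
        elif state == "ESTABLISHED" and lport == P2P_PORT:
            report["inbound_peers"].append(rhost)
        elif state == "ESTABLISHED" and rport == P2P_PORT:
            report["outbound_peers"].append(rhost)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To use it on a real machine, save the output of `netstat -an` to a file and pass its contents to `audit()`; an empty `listeners` list means none of the watched ports is open to other hosts.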