Tales from the Net

a work in progress

Tuesday, January 22, 2008

MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos

From security researcher/journalist Kevin Poulsen at Wired’s Threat Level:

The bug had been around since at least October (Thanks to Rose for tipping me off), during which time it had been gleefully exploited by voyeurs, hackers, entrepreneurs and lechers; you can find pages and pages of public message board comments around the web in which posters are peeking in on 14 and 15-year-old girls and sharing what they find.

Ad-supported web sites with names like Can’t Hide and MySpacePrivateProfile.com emerged to earn a buck off the glitch. One such site reports that its users have accessed, or attempted to access, 77,000 private profiles — 3,000 of them today.

The day after he reported it to MySpace, they fixed it. Good for them. And the websites that exploited the vulnerability aren’t delivering private photos any more. Hold on, though: why hadn’t they fixed it earlier? Kevin ends with

That seems to leave just two possibilities:

  1. MySpace didn’t know this was going on before.
  2. MySpace knew about it, but didn’t take action until the press noticed.

I’ll have more next week.

We shall see …

Claims by MySpace, Facebook, or any other online service that they protect people’s personal information only hold water if they pay a lot of attention to security when they’re building their software and running their site. One of the objections to the potential email list in the MySpace “child safety” agreement with state attorneys general was that the list would be valuable to spammers and scammers as well as child predators. Situations like this, or the recent compromise of thousands of accounts on adult web sites where the company similarly didn’t react for months, show how real this issue is.

posted by Jon at 4:48 pm  


  1. […] concerns have articulated here: Facebook’s repeated breaches of trust and closed environment, MySpace’s chronic problems with security, the panoptic and advertising-focused aspects of both, the cost of tweets via SMS on Twitter, the […]

    Pingback by Tales from the Net » The Economist’s debate: why I’m voting ‘pro’ — January 24, 2008 @ 10:11 pm

  2. Kevin’s followup story describes how somebody downloaded pictures from 44,000 profiles and released them on BitTorrent by exploiting this bug. It’s not clear what percentage of the 500,000+ pictures were intended to be private, but still …

    In the Slashdot discussion, TheNinjaRoach pointed out that if you have the URL to a picture, you can view it even if it’s supposed to be private. It’s not obvious how to exploit it, but there may still be an unblocked path to mass downloads of private pics.

    The article also notes

    MySpace plugged a similar security hole in August 2006 when it made the front page of Digg, four months after it surfaced.

    Comment by Jon — January 27, 2008 @ 7:48 am

  3. My comments from the article:

    Kevin, did you see the comment in the Slashdot thread about how if you’ve got the direct URL to a pic, there’s no security check?

    I totally agree with Parry Aftab’s point. Any responsible company does security testing, and many hire outside penetration testers as well. If MySpace isn’t doing this, then shame on them. And with the glaring nature of these bugs, if they are doing it, they’re not doing it particularly well.

    Is this story really that big of a deal?

    Yes. It shows that MySpace did not have any mechanisms in place to detect or prevent an automated exploit of this vulnerability.

    And in terms of the broader story, especially in the climate where privacy is becoming a mainstream political issue (witness MoveOn.org weighing in on Facebook’s Beacon fiasco), and MySpace’s recent agreement with the state Attorneys General, this may well lead to calls for mandatory reporting of breaches that result in leaks of personal information.

    In fact, now that I think of it, if the Texas AG wanted to really make some political capital from his holdout position, he’d lead the charge.

    Comment by Jon — January 27, 2008 @ 8:08 am

  4. […] Over on Tales from the Net, I’ve been discussing Kevin Poulsen’s articles about a MySpace security bug that allowed access to photos in profiles that had been marked as “private”.   It had been well known for months, but MySpace didn’t fix it until the day after Kevin’s first article.  In the interim, somebody wrote an automated script to download photos, and released 500,000 of them on the BitTorrent p2p network. […]

    Pingback by Liminal states » Archive » How’d it get through QA — and why didn’t they fix it? — January 31, 2008 @ 7:19 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress