MySpace – an embarrassing lack of security
If you haven’t deleted your decade-plus old Myspace account yet, now may be the time to do it. As it turns out, it’s been embarrassingly easy for someone to break into and steal any account on the site. Security researcher Leigh-Anne Galloway posted details of the flaw on her blog after months of trying to get Myspace to fix it — and hearing nothing back from the company.
The flaw came from Myspace’s account recovery page, which was meant to let people regain access to an account they’ve lost the password to. The page asked for the account holder’s name, username, original email address, and birthday. But it turned out, you really only needed to know someone’s birthday in order to gain access to their account.
The account holder’s name and username are both publicly listed on their profile page. And Myspace’s account recovery form didn’t actually check to see if you entered the correct email address. The Verge tested the flaw on a newly created dummy account and was able to confirm this. That meant the only detail you actually had to know is the account holder’s birthday, and in a lot of cases, that isn’t exactly hard to find with a little bit of research.
As soon as you provided that info, Myspace logged you into the account, prompting you to set a new password and giving you the ability to change the account’s associated email address and birthdate, letting you steal that account for good.
Of course, at this point, it’s not like all that many people (anyone?) are still using Myspace. Many years after being crushed by Facebook, Myspace moved away from being a social network and pivoted into being a news aggregator and a series of profile pages for musicians. You’re supposed to be able to play music from those pages – some people have success with this and many others complain it doesn’t work. I tested it myself and found it works fine in Internet Explorer 11.
Time Inc. purchased Myspace last year, mostly just so it could get some associated ad technology.
Even though people aren’t using Myspace much anymore, its poor security practices still matter, since it’s not alone in being so lax about account protections. Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. If there is a possibility that you still have an account on Myspace, I recommend you delete your account immediately.