By Elton Gomes. For people of a certain age, owning a Myspace account was an essential rite of passage. Countless teenage years were spent carefully customizing the CSS on profiles, ranking friends into top eight lists, and picking out the most perfectly angsty pop-punk track to auto-play. Ten years later, Myspace is a relic of the past.
Myspace, perhaps conscious of the fact that many people have since lost access to the email accounts associated with their profiles, offers a tool that lets you recover them. You simply have to verify your identity by providing a few pieces of information. Unfortunately, according to information shared exclusively with TNW by security researcher Leigh-Anne Galloway, this process is deeply flawed, and makes it trivially easy for a bad actor to gain unauthorized access to any account.
This is an automated process. So, what do you need to get into the account? It turns out, not much. It validates just three pieces of information: name, username, and date of birth. Names are found on the profile itself, and you can discern the username from the URL so, for myspace. The only tricky part is the date-of-birth, although you can figure that by sleuthing on other social networking sites. Once you have obtained those three pieces of information, you can essentially break into any Myspace account.
As of October , Consumerist is no longer producing new content, but feel free to browse through our archives. Here you can find 12 years worth of articles on everything from how to avoid dodgy scams to writing an effective complaint letter.
Check out some of our greatest hits below, explore the categories listed on the left-hand side of the page, or head to CR. This may not be surprising to all the folks who have abandoned Myspace already, but it still matters, Galloway says.
Last year, hundreds of millions of Myspace passwords dating back to before June were set loose online, unleashing an avalanche of jokes about it not being anymore. At that time, Myspace said it had invalidated all user passwords for affected accounts on the old platform and would be beefing up security for passwords.
Fast forward to a few months ago, when Galloway discovered the vulnerability while trying to close her account. All a wannabe hacker needs is the target's full name, username, and date of birth. Security researcher Leigh-Anne Galloway disclosed the vulnerability on Monday. She says she informed Myspace about the vulnerability almost three months ago and the site hasn't acknowledged or fixed it. Myspace did not respond to a request for comment.
Obviously, we're not in anymore, and very few people still use or care about their Myspace accounts. But Myspace, which last year had to admit that it lost the passwords of more than million users , should still take care of its users' security, according to Galloway. Myspace is an enormous graveyard of personal data.
If you have an end of life application or website, you have to have a plan," Galloway, a researcher at Positive Technologies, a security firm, told Motherboard in a Twitter chat. Galloway said that when she found out about the flaw she was "horrified" and "shocked" by "the complete lack of due diligence" on Myspace's part.
0コメント