Myspace Security Flaw Allows For Easy Account Takeover (Yes, Myspace)

How many people know your birthday? Well, according to a security researcher, a security flaw offers all those people easy access to your Myspace account. That's not as big a deal now as it would've been when Myspace reigned supreme, but it could still put your personal information at risk.

Positive Technologies security expert Leigh-Anne Galloway discovered the flaw in April. Galloway said in a blog post that she contacted Myspace about the vulnerability, but the company only responded with an automated message confirming that they received the report. Now, a little less than three months later, the flaw still lets anyone who knows your full name, Myspace username, and date of birth gain access to your account.

The flaw was found in Myspace's account recovery tool. (You know, just in case you want to see what's happening on Myspace these days... or delete your account.) Myspace asks you to submit information about yourself to prove that you are an account's rightful owner. That information includes your full name, username, current email address, date of birth, and the location information associated with the account.

Galloway said that Myspace checks only three of these fields--full name, username, and date of birth--against the information it has about your account. Two of those (full name and username) can be gleaned from a quick web search. The birthday is a little harder to get, but it still wouldn't be all that hard to figure out, especially if you don't hide your profile and personal information on Facebook and other social media platforms.
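The check described above, next to one hardened alternative, as an added example that is not Myspace's code or Galloway's: the account record, function names and in-memory token store are all hypothetical, and the sample values are constructed.

```python
import hmac
import secrets
import time

# Constructed sample record; every value is made up for this example.
ACCOUNT = {"full_name": "Alex Example", "username": "alex_ex",
           "dob": "1990-01-02", "email": "alex@example.test"}

PENDING = {}          # token -> (username, expiry); hypothetical in-memory store
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed value)

def _eq(stored, submitted):
    # Constant-time, case-insensitive comparison of two form values.
    return hmac.compare_digest(stored.strip().lower().encode(),
                               submitted.strip().lower().encode())

def recover_weak(account, form):
    """Behaviour the article describes: three guessable fields grant access."""
    return all(_eq(account[k], form.get(k, ""))
               for k in ("full_name", "username", "dob"))

def start_recovery(account, form, send_mail):
    """Hardened: matching fields only trigger a mail to the address on file.
    The e-mail address typed into the form is never used for delivery."""
    if recover_weak(account, form):
        token = secrets.token_urlsafe(32)
        PENDING[token] = (account["username"], time.time() + TOKEN_TTL)
        send_mail(account["email"], token)
    # Same reply whether or not the details matched.
    return "If the details match, a reset link has been sent."

def finish_recovery(token):
    """Single-use token: only someone who can read the stored mailbox has it."""
    entry = PENDING.pop(token, None)
    if entry and entry[1] > time.time():
        return entry[0]
    return None
```

In the hardened flow, name, username and birthday act only as a rate-limiting filter; proof of ownership is possession of the mailbox already on file.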

Again, this isn't as problematic as it would've been at the peak of Myspace's popularity. But gaining access to a Myspace account could still reveal your personal information, especially if you regularly used the service's messaging features. Even if you didn't, Myspace's response to this flaw highlights the lackadaisical attitude some companies take to security, even when researchers provide all the info they need. Galloway explained:

Perhaps this situation is not surprising as most of us no longer use Myspace. So why does this matter? Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present.

This isn't the first time Myspace's security has failed. Information about an estimated 427 million Myspace users was reportedly leaked in 2016, making it one of the biggest data breaches in history. (The original report stems from LeakedSource, which was shut down in January, but Sophos has a writeup on its blog.) Myspace has not responded to a request for comment, but we'll update this post if we hear back.
