Social networking pioneer Myspace is in the news today following the discovery of an embarrassing security vulnerability that makes it incredibly easy to take control of someone’s account.
Security researcher Leigh-Anne Galloway stumbled across her old Myspace account back in April. While attempting to log in to delete the account, she realized that it was possible for anyone to gain access to any Myspace account using the site’s flawed account recovery process.
According to Galloway, all an attacker needs in order to gain access to an account is the target user's name, username and date of birth, all of which can usually be found online with relative ease (names and usernames are displayed on Myspace profiles, for example). The recovery flow treats information that is effectively public as if it were a secret, so it proves nothing about whether the person requesting the reset actually owns the account.
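To make the design flaw concrete, here is an added illustration (not Myspace's code, and not taken from Galloway's write-up): a knowledge-based recovery check that accepts profile attributes an attacker can look up, beside a possession-based flow that mails a single-use, expiring token to the address on file. The account store, email address and outbox are constructed for the example; the attribute names and the 15-minute lifetime are assumptions.

```python
"""Knowledge-based vs possession-based account recovery (illustrative only).

recover_knowledge_based() mirrors the flawed pattern described above: the
"secret" is data printed on a public profile.  start_recovery() and
complete_recovery() show the usual fix: prove control of the address on file.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample account (hypothetical user, not real Myspace data).
ACCOUNTS = {
    "alice_1999": {
        "name": "Alice Example",
        "dob": "1985-04-12",
        "email": "alice@example.invalid",
    },
}

OUTBOX = {}    # simulated mail delivery: email address -> list of tokens sent
PENDING = {}   # username -> {"digest": ..., "expires": ..., "attempts": ...}

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a recovery token
MAX_ATTEMPTS = 3              # assumed cap on redemption attempts per token


def recover_knowledge_based(username, name, dob):
    """Vulnerable flow: grants a session from publicly discoverable data."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if acct["name"] == name and acct["dob"] == dob:
        return "session:" + secrets.token_hex(8)
    return None


def start_recovery(username, now=None):
    """Hardened flow, step 1: mail a single-use token to the address on file.

    The response is identical whether or not the username exists, so the
    endpoint does not become a username oracle.
    """
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        # Store only a digest so a leaked PENDING table is not directly usable.
        PENDING[username] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        OUTBOX.setdefault(acct["email"], []).append(token)
    return "If the account exists, a recovery link has been sent."


def complete_recovery(username, token, now=None):
    """Hardened flow, step 2: redeem the token once, before it expires."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return None
    if now > entry["expires"]:
        del PENDING[username]
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[username]          # too many guesses: burn the token
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry["digest"]):
        return None
    del PENDING[username]              # single use: never redeemable again
    return "session:" + secrets.token_hex(8)


def demo():
    """Attacker who knows only public profile data tries both flows."""
    public = {"username": "alice_1999", "name": "Alice Example",
              "dob": "1985-04-12"}
    hijacked = recover_knowledge_based(
        public["username"], public["name"], public["dob"]) is not None
    start_recovery(public["username"])
    # The attacker cannot read alice's mailbox, so all they can do is guess.
    attacker = complete_recovery(public["username"], secrets.token_urlsafe(32))
    # The real owner reads the token from her inbox and redeems it.
    owner_token = OUTBOX["alice@example.invalid"][-1]
    owner = complete_recovery(public["username"], owner_token)
    return hijacked, attacker is None, owner is not None


if __name__ == "__main__":
    print(demo())
```

The knowledge-based check is the one to avoid whenever the "knowledge" is something a profile page already discloses. The hardened variant still needs the usual surrounding controls (rate limiting on `start_recovery`, notification to the old address on a successful reset), but the core property is that nothing an attacker can scrape from a profile is sufficient to redeem a token.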
I tried recreating the vulnerability using a dummy account, but it appears as though Myspace may have just modified its recovery process. The “Do Not Have Access To Old Email Address” page I accessed looked different from the one shown on Galloway’s blog, and I was not granted immediate access to the test account. Other sites tested the flaw and were able to confirm Galloway’s claims, although that was earlier in the day. As such, your results may vary.
Galloway reached out to Myspace with information regarding the vulnerability in April but received nothing more than an automated response, hence the public disclosure.
In the event that you once had an account, it’d probably be wise to go back and delete it (assuming, of course, that you can remember the details to get back in). Very few people use the site these days, but still, there’s no reason why it should be this easy to hijack an account.