Naked Security

Myspace bug left old accounts vulnerable to attack

Myspace is still there, and so's your old account

Think about your social media activity from a decade ago. Do you remember having a Myspace account? Even though Myspace hasn’t been popular for years, Time purchased it in 2016, and the site still gets about 50 million hits per month. If you have an old Myspace account that you haven’t cancelled, Leigh-Anne Galloway discovered a vulnerability that you must know about.

You may have heard the news last year of a major Myspace data breach that affected 360 million accounts. Myspace’s incident response was mainly to invalidate all passwords for accounts created before June 11th, 2013. Sounds good, right?

Well, when Galloway tried to delete her Myspace account this April, she discovered that it was possible to acquire access to her account without a password. All she needed to input into Myspace’s password recovery form was her full name, username, and date of birth. The form asks for an email address, but it worked when she used an email address that wasn’t registered under her account. Most web services’ password recovery systems require you to at least have access to the email address that has been registered with an account!
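The flaw described above comes down to one missing comparison: the recovery form collected an email address but never checked it against the address on file, so knowledge of a name, username and date of birth was enough. The Python below is an added illustration, not Myspace's code or anything from Galloway's write-up; the account record, the `ACCOUNTS` directory and the sample user "jdoe" are constructed for the example. It places a weak recovery handler, which grants access from publicly knowable profile data alone, next to a hardened one that requires the submitted email to match the registered address and, even then, only issues a one-time token that would be delivered to that registered address.

```python
"""
Added example (not Myspace's code): a weak account-recovery check beside a
hardened one. All account data here is constructed for the example.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    username: str
    full_name: str
    dob: str    # ISO date, e.g. "1990-05-17"
    email: str  # the address registered with the account


# Constructed sample directory keyed by username.
ACCOUNTS = {
    "jdoe": Account("jdoe", "Jane Doe", "1990-05-17", "jane@example.com"),
}

# Pending one-time recovery tokens: username -> sha256(token) hex digest.
_pending = {}


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison (encode first so non-ASCII is safe)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def weak_recovery(username, full_name, dob, email):
    """Weak flow: the email field is collected but never compared with the
    registered address, so anyone who knows public profile data gets in.
    Returns the Account on success (i.e. access granted) or None."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if _eq(acct.full_name, full_name) and _eq(acct.dob, dob):
        return acct  # `email` was ignored entirely
    return None


def request_recovery(username, full_name, dob, email):
    """Hardened flow: every submitted field must match, including the email.
    Even on a match nothing is granted directly; a one-time token is minted
    for delivery to the *registered* address and only its hash is stored.
    Returns the token (standing in for the email being sent) or None, with
    the same None for unknown users and mismatches so nothing is leaked."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if not (_eq(acct.full_name, full_name)
            and _eq(acct.dob, dob)
            and _eq(acct.email.lower(), email.strip().lower())):
        return None
    token = secrets.token_urlsafe(32)
    _pending[username] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def redeem_token(username, token):
    """Completes recovery only with the token delivered to the registered
    address. The token is single-use: it is removed once redeemed."""
    expected = _pending.get(username)
    if expected is None:
        return None
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    del _pending[username]
    return ACCOUNTS[username]


if __name__ == "__main__":
    # Weak flow: an unregistered email still yields access.
    print("weak:", weak_recovery("jdoe", "Jane Doe", "1990-05-17", "other@example.net"))
    # Hardened flow: same request is refused; the registered address is required.
    print("hardened, wrong email:", request_recovery("jdoe", "Jane Doe", "1990-05-17", "other@example.net"))
    tok = request_recovery("jdoe", "Jane Doe", "1990-05-17", "jane@example.com")
    print("hardened, token issued:", tok is not None)
    print("redeemed:", redeem_token("jdoe", tok))
```

The point of the hardened version is that name, username and date of birth are treated as lookup hints, not as proof of identity: the only thing that completes recovery is possession of a token sent to the address already on the account, which is exactly the check the reported form lacked.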

There was a time when tens of millions of people, including well known popstars, had active Myspace accounts. It’d be a piece of cake for me to find the full names, usernames and birth dates associated with any of them. It probably wouldn’t even be difficult for me to acquire access to a Myspace account belonging to someone who isn’t famous. I could simply cross reference their public Facebook data. I don’t use my old Facebook account, but you can easily find my full name and birth date on Twitter.

When Galloway sent a detailed email to Myspace support about the vulnerability, she got a very generic form email response.

This is an automated response to let you know we’ve received your message. Someone on our team is reviewing your question and will get back to you soon.

That was the message she received in April. As of her July 17th blog, she has yet to receive any further response. On July 17th, The Verge also reported the vulnerability Galloway discovered. They got a response from Myspace saying, “(we’ve) enhanced our process by adding an additional verification step to avoid improper access.” The previous password recovery page has been pulled, and that’s all that can be determined.

If you have accounts you no longer use, on any system, close them. For as long as you keep those accounts hanging around, they could be used against you. Even if the systems, sites and platforms are safe and secure now, there’s no guarantee that they’ll be kept that way in future, and if you don’t need an account, why take the risk?