If you still have a Myspace account sitting at the back of your virtual Internet closet, it might be time to dust it off and consider deleting it: A security researcher says it’s ridiculously easy for anyone to hack into accounts using the site’s account recovery feature.
Leigh-Anne Galloway disclosed the vulnerability in a blog post on Monday, reporting that she was able to hack into accounts through MySpace’s account recovery mechanism: All an attacker needs is the user’s full name, username, and date of birth — all information which could be pretty easy to find online.
This may not be surprising to all the folks who have abandoned Myspace already, but it still matters, Galloway says.
“Myspace may no longer be relevant as a social media site, but its treatment of security is as relevant as ever,” she writes, adding that the service is “an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability.”
How It Works
Last year, hundreds of millions of Myspace passwords dating back to before June 2013 were set loose online, unleashing an avalanche of jokes about it not being 2006 anymore. At that time, Myspace said it had invalidated all user passwords for affected accounts on the old platform and would be beefing up security for passwords.
Fast forward to a few months ago, when Galloway discovered the vulnerability while trying to close her account. In this case, Galloway notes, you don’t need a password, just those three simple pieces of information.
Despite the fact that all the fields on the page — including city, ZIP code, and State — are marked as required pieces of information, she was able to complete the account recovery form. To her surprise, she was given full access to her account immediately — no waiting for a human to verify her identity, apparently. Consumerist tested the process as well, with the same result.
Myspace then sends users to a password reset page, which could allow hackers to hijack your account.
What Can You Do?
The good news? You can delete your account completely if you want to fend off attackers. The bad news is, you won’t be able to laugh and say, “Yeah, I still have a Myspace account — remember Myspace?”
Note: If you’re on mobile, you’ll have to request the desktop version of the site.
• In Safari, you can do this by pressing and holding the reset button.
• If you’re using Chrome, click on the button with three dots at the top right-hand and select “Request Desktop Site”:
Myspace Remains Quiet
Galloway says she emailed Myspace in April, documenting the vulnerability — and has received nothing more than an automated response.
“It seems Myspace wants us all to take security into our own hands,” she writes.
We’ve reached out to Myspace for comment and will update this post if we hear back.
by Mary Beth Quirk via Consumerist