MySpace Bug Leaks Private Teen Photos
Despite assurances from MySpace that photos in private profiles can only be seen by people on a user’s friends list, its web architecture has failed to enforce this. Info about a backdoor has been disclosed and made publicly available on message boards for months.
Users under 16 have their profile set to private by default, and according to MySpace, “Only the people you select will be able to view your full profile and photos”. When an unauthorized user tries to click on a photo link of a private profile, the following error message is given: “This profile is set to private. This user must add you as a friend to see his/her profile.” But anyone with some basic skills can plug the target’s public account number, called a “Friend ID,” into a specially crafted URL GET request, resulting in a bypass of this security measure and granting access to those photos… In other words, the link is not available, but it can be build based on trivial data.
Several forums online have started to post a number of MySpace photo links for underage girls. None of the posts appears to have involved with child pornography or other illegal conduct, however this is against the privacy of such private profiles.
More in CNET: http://blogs.cnet.com/8301-13507_1-9858905-18.html