Pillaged MySpace Photos Show Up in BitTorrent Download

By felixctc at 2:51 am on January 27, 2008 | 5 Comments

More than half of the million images that are private photos of MySpace users were stolen and uploaded to BitTorrent. This is a huge privacy breach for MySpace users. The hacker, “DMaul”, said that he learned of the security hole from WIRED and used the same method of attack. This security hole surfaced last fall, and because of it, various adversaries such as possible pedophiles, voyeurs, and advertisers were able to steal these photos. DMaul ended up seeding these photos and advertised them as “pictures taken exclusively from private profiles”. It turns out that his attack cycles through the accounts by MySpace Friend ID number, and thus did not target any specific group of people. Although the attack did not target any specific group, this is a significant breach for users who are under 16, because their accounts are automatically set to private and their adversaries are more dangerous. Even though the attack resulted in the leak of a huge number of pictures, it seems that MySpace didn’t follow up on the issue properly.


After reading this article, it occurs to me how insecure online profiles are. For example, the article also mentions various security holes that MySpace previously had. As more social network websites are created for various purposes, more and more types of assets will be compromised. If LinkedIn has any security breach, then the assets aren’t simply pictures anymore. Adversaries will be able to steal information about users that is much more valuable. I believe one way to prevent such problems is to design the security aspect heavily during the design phase of the application. If they include a security review of the design of the application, there will be fewer security vulnerabilities. The way MySpace handled this attack makes me worry that social networks might not care about the most important asset of social networks, which is the users’ information.

http://www.wired.com/politics/security/news/2008/01/myspace_torrent

Filed under: Availability, Current Events, Privacy

5 Comments

  • 1
    Comment by Dustin Chang

    January 27, 2008 @ 1:12 pm

    I think MySpace does care about user information, which is their most valuable asset. However, they only care about the availability and integrity of the information and not confidentiality. Like the example Pablo provided in his presentation, MySpace took action as soon as they found out that the integrity of their users was being violated. The reason for the lack of protection for confidentiality might be the fact that they believe users don’t care about keeping their profile information private; after all, they did put it online semi-publicly. Also, users might stop using MySpace if their profile crashes frequently or can be changed by someone else. However, they will not stop using MySpace just because someone other than their friend can access their information.

  • 2
    Comment by Justin McOmie

    January 27, 2008 @ 9:00 pm

    This type of news reminds me that it’s never a good idea to trust the confidentiality of my data online, unless I have explicit reason to believe it is safe (such as with online banking, perhaps).

    Even though this particular instance related to a problem in how MySpace handled “private” information, I think the larger issue is that we, as a culture, still need to find a happy medium between exposing too much of our lives online and being entirely withdrawn. I suspect many users of social networking sites are in for a rude awakening when they realize how much data they are giving up about themselves and how it can be used by people with ill intent.

    When you put pictures of yourself on the internet, whether it be in an auto-indexed directory, a social networking site, or any other way, you are risking those photos being seen by people who you might not wish to see them.

  • 3
    Comment by zaxim

    January 27, 2008 @ 9:59 pm

    Regardless of whether users care or not, I think there is an even bigger issue at hand.

    This is the “what do you do when you discover a security hole?” question which we talked about in class. According to the article, the exploit was common knowledge, with YouTube videos, forum posts, and other discussions about it. And even Wired itself published an article about it.

    The hacker DMaul did it “to prove that it could be done.” But it’s obvious, it really didn’t need proving, it had been done! But despite all this, MySpace didn’t do anything about it until recently.

    Now, the question really is: was all the publicity surrounding the security hole harmful? Or helpful? The exploit was very simple; I tried it myself and was able to use the same method to access photos of public users without having a MySpace account of my own (although not photos set to private).

    Probably millions of people have tried this exploit, for whatever purpose, be they nefarious or not. That can’t be a good thing. I think that when the hole was restricted to a small group of people, the damage was minimized. But once it’s published in mainstream media and websites, it becomes extremely damaging.

    Sure, MySpace eventually did something about it, possibly due to the massive attention, but who knows, they might have been working on a fix even before it became common knowledge.

  • 4
    Comment by Funny MySpace Comments

    February 16, 2008 @ 2:28 pm

    I laugh every time I see one of these blog posts. I can’t believe how MySpace could let something like this happen. Hope nobody kept nude “private” pictures on MySpace… lol.

  • 5
    Comment by Lloyd Delacroix

    January 13, 2009 @ 4:16 am

    I think MySpace didn’t care much about their clients. But it’s obvious it had a big community, and I think it needs improving with its services; I’m talking about piracy content and bandwidth leeching by its members. MySpace didn’t do anything about it.
