A security researcher revealed that in order to gain back access to a Myspace account, users only need to fill out their username, full name, and date of birth on the form for account recovery, according to a blog post on the researcher’s blog.
Leigh-Anne Galloway, the Cyber Security Resilience Lead at Positive Technologies, revealed the security flaw when trying to gain back access to her own personal Myspace account to delete it. Galloway created the blog post as a response to Myspace, who only sent her an automated message that they are looking into it when she emailed them about the security flaw.
“Flash forward to the year 2016,” said Galloway when discussing the brief popularity of Myspace. “It emerged that Myspace had (historically none the less) suffered one of the largest breaches in history. The details of 360 million Myspace user accounts were made available online.”
Myspace responded that they will be creating more security measures so that people won’t be able to hack into any Myspace account again. Unfortunately, it looks like very little changes were made to how people can gain back access to their Myspace account.
“The trouble with theory is that it often works quite differently in practice. So differently in this case that you don’t actually need a password. You can access any, yes, any Myspace account with only three pieces of information,” said Galloway.
These “three pieces of information” are the users full name, username and birthday. Other information, like email addresses, city, state, zip code and musician genre are not required to access a Myspace account (Honestly, who release their city, state, and zip code publically on a social media account? The past must’ve been a lot different). To test out this theory, Galloway entered in a fake email address to see if she can gain access to the account, which it did.
But, on the account recovery page, Myspace indicates that both your current email address and email address used for the account is required to gain back access. Galloway discovered that this isn’t true, which is why she reached out to Myspace in the first place.
“Perhaps this situation is not surprising as most of us no longer use Myspace. So why does this matter? Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present,” said Galloway in her conclusion on the situation.
After Myspace changed the interface of the website, they pretty much deleted any information left on people’s older accounts according to Gizmodo. So, even though people may not have to specifically worry about getting a lot of information hacked into, they should still take the necessary steps to delete their account before another security breach happens.
Galloway works with companies to create security methods that protect information so that they don’t need to deal with breaches in security, and by making her issues with security on Myspace public, it’s obvious that Myspace has to do something before they lose a lot of users (to be fair, there doesn’t seem to be much; Myspace has 50 million monthly active users while Facebook has 864 million active monthly users in 2015 according to the Huffington Post).
Myspace has yet to response to these security issues from Galloway. I’m interested to see what their response will be, since their Twitter account has been actively posting since the blog post was published.
