clock menu more-arrow no yes

Filed under:

Myspace let you hijack any account just by knowing the person’s birthday

New, 16 comments

But also, please don’t because it’s almost definitely illegal

MySpace account recovery

If you haven’t deleted your decade-plus old Myspace account yet, now may be the time to do it. As it turns out, it’s been embarrassingly easy for someone to break into and steal any account on the site.

Security researcher Leigh-Anne Galloway posted details of the flaw on her blog this morning after months of trying to get Myspace to fix it — and hearing nothing back from the company. Only today, after the issue became widely publicized, did Myspace finally remove the flaw.

The flaw came from Myspace’s now-defunct account recovery page, which was meant to let people regain access to an account they’ve lost the password to. The page asked for the account holder’s name, username, original email address, and birthday. But it turned out, you really only needed to know someone’s birthday in order to gain access to their account.

The account holder’s name and username are both publicly listed on their profile page. And Myspace’s account recovery form didn’t actually check to see if you entered the correct email address. The Verge tested the flaw on a newly created dummy account and was able to confirm this. That meant the only detail you actually had to know is the account holder’s birthday, and in a lot of cases, that isn’t exactly hard to find with a bit of research.

As soon as you supplied that info, Myspace logged you into the account, prompting you to set a new password and giving you the ability to change the account’s associated email address and birthdate, letting you steal it for good.

Galloway says she contacted Myspace about the flaw in April and has yet to hear back. “It seems Myspace wants us all to take security into our own hands,” she writes. “If there is a possibility that you still have account on Myspace, I recommend you delete your account immediately.”

In a response to The Verge later in the day, a spokesperson for Viant, Myspace’s parent company, said that Myspace has “enhanced our process by adding an additional verification step to avoid improper access,” though it’s not entirely clear what that step is because the previous account recovery page has been pulled. “We take data security very seriously at Myspace,” the spokesperson said. “We plan to continue to refine and improve this process over time.”

Of course, at this point, it’s not like all that many people (any people?) are still using Myspace. Far too many years after being crushed by Facebook, Myspace moved away from being a social network and pivoted into being a news aggregator and a series of profile pages for musicians. You’re supposed to be able to play music from those pages, but it wouldn’t work in my browser. It’s not clear why anyone would visit this website. Time Inc. purchased Myspace last year, mostly just so it could get some associated ad tech.

Even though people aren’t using Myspace much anymore, Galloway says its poor security practices still matter, since it’s not alone in being so lax about account protections. “Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability,” she writes.

Update July 17th, 3:30PM ET: Gizmodo noticed that Myspace pulled its account recovery page at some point today, removing the security flaw. This story has been updated to reflect that it’s no longer active.

Update July 17th, 7:10PM ET: Updated with comment from Viant, Myspace’s parent company.