Home
Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

Do you remember MySpace? The social networking site that in the mid-2000s was arguably more popular than Facebook. Even in its heyday MySpace's attitude to security was (being kind) lax. Poor user input sanitation facilitated account owners personalising their personal pages with styles and backgrounds using stored code injection and cross-site scripting. A wealth of sites sprang up offering just such MySpace personalisations, so popular was it. If it was around today in its same form as back then it would be as insecure and dangerous as any deliberately vulnerable contemporary training site. And the corporate response was to deprecate the behaviour in user terms and conditions, but not to fix the code problem itself for fear of alienating users. Skipping the history, as Facebook grew ever stronger in the later 2000s the popularity of other social media sites including MySpace started to crumble. MySpace passed through several hands, made many IT headlines, and long since lost most of its social functionality (and the majority of its regular user base) but still limps along as a commercial music-publishing and sharing site. In 2013 360 million MySpace accounts were compromised, but it did not come to light until three years later when the information became public. The site's response was to invalidate the passwords of all accounts created before June 2013, leaving returning users to then recover their account through a recovery form.
So, if the site is so close to obsolescence why is it of interest now? The answer is because a security researcher who stumbled across her own long dormant account has discovered a significant problem with the recovery process. Without describing the detail of the procedure (for the specifics read the original article), Leigh-Anne Galloway discovered that during MySpace's account recovery process not all information is actually validated, and that aside form the date of birth (which could conceivably be obtained by brute force methods) all the information required to complete the recovery are available simply by interrogating search engines or MySpace itself. There is no validation of e-mail addresses (despite prompting for past and current e-mail address), and no human validation of the data provided. If the form submitted is sufficiently complete, the user is immediately sent a recovery e-mail to the current address they give as part of generating the request.
As the researcher recommends herself if you ever had a MySpace account, and you have not yet deleted it, your best response is probably to go delete it right now, rather than risk someone else "recovering" it and retrieving your private info.