An attacker can easily use three pieces of publicly available information to pwn anybody’s Myspace account.
Security researcher Leigh-Anne Galloway came across this security oversight back in April when she stumbled across an old Myspace account of hers. The researcher decided she wanted to delete her account, but she needed to sign in first. To do that, she went to Myspace’s account recovery page.
As you can see in the above screenshot, Myspace asks for several pieces of personal information before it will restore access to a lost account. There’s just one problem: notwithstanding the “field required” asterisk affixed to the email address text field, Myspace doesn’t validate a registered user’s email address. That means a user can recover their account with just their name, username, and date of birth.
Easy, right? A little too easy.
As it turns out, it’s nowhere near impossible to find these three pieces of data online.
Attackers can use a Google search to find a Myspace user’s name and username online. (A certain breach confirmed by Myspace in 2016 lessens the load of discovering these two bits of information.) Attackers might have a more difficult time finding someone’s birth date, but you’d be surprised how many people list their special days on Facebook or other social media platforms.
Whoever enters in that information receives from Myspace instantaneous access to the registered user’s account.
Galloway couldn’t believe her eyes. As she explains in a blog post:
“Myspace may no longer be relevant as a social media site, but its treatment of security is as relevant as ever.”
In support of this viewpoint, the security researcher wrote to Myspace about the vulnerability on 23 April. She had not heard anything as of 17 July, the date on which she decided to disclose the vulnerability.
Without any word from Myspace indicating it intends to fix the flaw anytime soon, users who are concerned that someone could access their account, read through their old messages, and abuse their information don’t have many options. There’s really only one course of action: users should leverage Myspace’s account recovery to regain access to and subsequently delete their accounts. It’s not the optimal course of action, but when a company doesn’t care about their customers’ data security, there’s nothing left to do.
Shame on you, Myspace, for such a disreputable end…
For further discussion of this incident take a listen to this episode of the “Smashing Security” podcast:
Further reading: Myspace fixes account security hole – but delete your account anyway.