Forgotten your Myspace password? Just a name, username, DoB will get you in – and into anyone else's, too
Blast from the past blasted
Myspace's account recovery process is hopelessly flawed, according to a security researcher.
Positive Technologies' Leigh-Anne Galloway stumbled on the issue in the process of attempting to gain access and delete her account back in April.
"I discovered a business process so flawed it deserves its own place in history," she explained in a blog post, published on Monday.
Myspace only requires a valid name, username and date of birth associated with an account to regain access to that account – and that's it. No email confirmation. Other details are requested in the recovery form, but filling them in isn't necessary in order to change the password and gain control of an account, Galloway discovered.
Galloway reported the issue to Myspace weeks ago but has received nothing beyond an automated response. Myspace had still not fixed the problem as of late last week, when another security researcher, Scott Helme, verified it independently.
He told El Reg: "Account recovery on Myspace takes scarily little information – the even worse part is that they don't verify the email fields. You can reset with full name and username, which you can get from the profile page, and date of birth, which can be easily found or guessed."
The vulnerability allows anyone access to any Myspace account, with only these three pieces of information. El Reg approached Myspace owner Time Inc for comment. We're yet to hear back.
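To make the flaw concrete, here is a small model of the recovery flow written for this article; it is a constructed example, not Myspace's code, and the account, names and addresses in it are made up. `weak_recover` does what the article describes: the form collects an email address but the password is reset on name, username and date of birth alone. `request_reset` and `complete_reset` show the usual fix: the profile fields only decide whether a single-use, expiring token is mailed to the address already on file, and only the holder of that token can set a new password. The same block also shows why a strong password hash changes nothing here, because the weak path simply overwrites it.

```python
"""Account recovery modelled two ways: the weak check described above, and a
hardened flow that resets only via a token mailed to the address on file.
Constructed example for this article; nothing here is Myspace's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from datetime import date

SALT_LEN = 16


def hash_password(password, salt=b""):
    """Salted PBKDF2; returns salt || digest so it can be verified later."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:SALT_LEN]), stored)


@dataclass
class Account:
    username: str
    full_name: str
    dob: date
    email: str
    password_hash: bytes


class RecoveryService:
    TOKEN_TTL = 15 * 60  # seconds a mailed reset token stays valid

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.pending = {}  # sha256(token) -> (username, expiry)
        self.outbox = []   # stand-in for outbound email: (address, token)

    def _profile_matches(self, acct, full_name, dob):
        # Name, username and DoB are all visible on, or guessable from, a profile.
        return acct.full_name.casefold() == full_name.casefold() and acct.dob == dob

    def weak_recover(self, username, full_name, dob, email, new_password):
        """The flaw as described: the form asks for an email, but the reset goes
        through on name + username + DoB alone and the email is never compared."""
        acct = self.accounts.get(username)
        if acct is None or not self._profile_matches(acct, full_name, dob):
            return False
        acct.password_hash = hash_password(new_password)  # old hash just overwritten
        return True

    def request_reset(self, username, full_name, dob, email):
        """Hardened step 1: profile details only decide whether a token is mailed.
        The response is identical either way, so the form cannot confirm guesses."""
        acct = self.accounts.get(username)
        if (acct is not None and self._profile_matches(acct, full_name, dob)
                and hmac.compare_digest(acct.email.casefold().encode(),
                                        email.casefold().encode())):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (username, time.monotonic() + self.TOKEN_TTL)
            self.outbox.append((acct.email, token))
        return "If those details match an account, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Hardened step 2: only the holder of the mailed token can set a password;
        the token is single-use (popped) and expires."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)
        if entry is None:
            return False
        username, expires = entry
        if time.monotonic() > expires:
            return False
        self.accounts[username].password_hash = hash_password(new_password)
        return True


# Constructed sample account; every value here is invented for the example.
SAMPLE_DOB = date(1988, 4, 12)


def sample_service():
    return RecoveryService([Account("bandfan99", "Alex Example", SAMPLE_DOB,
                                    "alex@example.com", hash_password("correct horse"))])


def run_demo():
    """Attacker knows the public profile fields but not the registered email."""
    public = ("bandfan99", "alex example", SAMPLE_DOB)
    weak = sample_service()
    weak_takeover = weak.weak_recover(*public, "attacker@evil.test", "pwned")

    hard = sample_service()
    hard.request_reset(*public, "attacker@evil.test")
    mailed_to_attacker = len(hard.outbox)
    hard.request_reset(*public, "alex@example.com")  # the real owner's request
    owner_token = hard.outbox[-1][1]
    return {
        "weak_takeover": weak_takeover,
        "weak_new_password_works": check_password(
            "pwned", weak.accounts["bandfan99"].password_hash),
        "hard_tokens_mailed_to_attacker": mailed_to_attacker,
        "hard_guessed_token": hard.complete_reset(secrets.token_urlsafe(32), "x"),
        "hard_owner_reset": hard.complete_reset(owner_token, "new pass"),
        "hard_token_replay": hard.complete_reset(owner_token, "again"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running it shows the weak path handing the account to someone who supplied a wrong email address, while the hardened path mails nothing to that person, rejects a guessed token, accepts the owner's token once, and refuses its replay. The constant-shaped response from `request_reset` matters too: a recovery form that answers differently for right and wrong details is itself an oracle for the guessable fields.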
Is it really relevant?
Myspace is no longer the social networking mega-monster it once was, although that's no excuse for poor security. And yet last year, it emerged that it managed to leak the details of 360 million Myspace accounts.
In response to the online sale of users' stolen credentials, Myspace said it had "invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old Myspace platform." It went on to say that it was "utilizing advanced protocols including double salted hashes" in order to protect users' accounts.
Such efforts are rendered moot when it's possible to gain control of an account with some basic info and no knowledge of the password.
"Myspace is an example of the kind of sloppy security many sites suffer from – poor implementation of controls, lack of user input validation, and zero accountability," Galloway concluded. "Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present."
Galloway told El Reg that Myspace was "like a cemetery of personal data." Those who still have an account on Myspace should delete it immediately, she advised.
Myspace was a Web 2.0 goliath, with a strong emphasis on music: it was a screaming, ugly internet playground for fans and unsigned bands. Then it was completely crushed by Facebook. It has gone through a series of different owners since, including News Corp and, currently, Time Inc.
It has declined in popularity to the point where it is currently rated outside the top 1,000 US websites by traffic, and only 3,374th globally, according to the latest figures from web stats agency Alexa. ®