Myspace fixes account security hole - but delete your account anyway

If you don’t use it, delete it.


As we reported yesterday, a shocking security hole was found in Myspace (remember Myspace?) that meant anyone could seize control of your account just by knowing your name, username, and date of birth.

Yes, somewhere there’s a village missing its idiot. And the idiot's name is Myspace.

The mindbogglingly awful weakness in Myspace's security was uncovered by researcher Leigh-Anne Galloway who privately informed the primordial social network back in April.

That security hole would be bad enough, but what was really appalling was the only response Leigh-Anne received from Myspace was an automated "Thanks for contacting Myspace" email.

It was only when, in her frustration, Leigh-Anne went public about the problem that Myspace finally saw fit to take some action. Which, thankfully, it now has - blocking access to the old, risky account recovery webpage.


So, problem over?

No, I don't think so.

You see, if something *that* bad can be present on Myspace I wonder what other problems might lurk there?

Chances are that many people who have Myspace accounts created them years ago, and in all likelihood never visit the site anymore.

If you're one of those people, and have no use for the site, why not delete your Myspace account rather than risk something bad happening? At the same time, you might be wise to have a think about what other ancient websites you might have joined long, long ago before you got more sensible about things like choosing strong, unique passwords.

Don't forget, by the way, that someone was claiming to sell hundreds of millions of stolen Myspace account details last year...

For further discussion of this incident take a listen to this episode of the "Smashing Security" podcast:


2 Responses

  1. Gulraj Rijhwani

    July 18, 2017 at 7:37 pm #

    Absolutely right. After all, MySpace has a long and chequered history as regards security anyway. A laissez-faire attitude has been endemic since its inception. Remember the ability to "personalise" your page by embedding stored code in your account data – XSS for all? Or the public exposure of 360 million account credentials in 2016 which had actually been exfiltrated 3 years earlier?

    Whatever's under that bonnet isn't worth trusting.

  2. Vito

    July 19, 2017 at 5:41 pm #

    The MySpace site is non-intuitive, cumbersome to use, unfriendly to my browser, relentlessly buggy, and nearly impossible to use with NoScript…even with the "Temporarily allow all this page" setting. I almost never use the site, and fully intended to delete my account after reading this article.

    So I went there and tried to log in, and found that my password didn't work. Uh-oh…

    As it turned out, I was able to reset my password, after which I was able to log in and visit my account. To my surprise, I had several new connections from people I respect, so I decided to keep the account. But I still think it's a poorly designed, buggy interface. For now, it's probably worth maintaining a presence there, but MySpace is in desperate need of a redesigned interface.

    As for the security of my personal information, there's nothing worth stealing. All of my profile information (including my date of birth) is fictitious. I never trusted MySpace to handle my data securely in the first place.
