In May of last year, over 427 million Myspace account credentials leaked online after a massive data breach. The data set included usernames, email addresses, and passwords that were hashed with SHA-1, an old and insecure cryptographic hash function. A few days later, the company confirmed the data breach and promised to take significant steps to improve security.
Earlier today, security researcher Leigh-Anne Galloway posted on her blog details of an embarrassing flaw in Myspace’s account recovery page. The page asks for the account holder’s name, username, original email address and birthday. The first two are publicly displayed on a person’s profile page. The account recovery form does not actually check if you entered the correct email address, so all you really need to know in order to gain access to someone’s account is that person’s birthday, something that anyone can probably find out with a bit of research.
When you fill out that information in the recovery form, you are signed into the account and you get a prompt to set a new password. You can then change the associated email address and birth date, taking permanent ownership of the account.
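The recovery check described above, as an added example that is not Myspace's code: a constructed knowledge-based check that accepts the email field without ever comparing it, beside a hardened two-step version that only grants access to whoever can read a single-use token sent to the address already on file. The account data, function names and the mail callback are assumptions.

```python
"""Account-recovery logic: weak knowledge-based check vs. email-verified flow."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    name: str        # public on the profile page
    username: str    # public on the profile page
    email: str       # the only field an attacker cannot read off the profile
    birthday: str    # ISO date; often discoverable with a little research
    pending_token: str = ""   # empty means no recovery in progress


# Constructed sample account (hypothetical data).
ACCOUNTS = {"tom": Account("Tom", "tom", "tom@example.com", "1970-08-10")}


def weak_recover(username, name, email, birthday):
    """Vulnerable pattern: the form collects an email, but never compares it.
    Everything that is actually checked is public or easy to find out."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return acct.name == name and acct.birthday == birthday   # email unused


def request_recovery(username, name, email, birthday, send_mail):
    """Hardened step 1: the submitted email must match the stored one, and the
    token is delivered to the stored address, not to whatever was typed in.
    One uniform False for unknown user or mismatch limits enumeration."""
    acct = ACCOUNTS.get(username)
    if acct is None or (acct.name, acct.email, acct.birthday) != (name, email, birthday):
        return False
    acct.pending_token = secrets.token_urlsafe(32)
    send_mail(acct.email, acct.pending_token)   # send_mail is a caller-supplied hook
    return True


def complete_recovery(username, token):
    """Hardened step 2: possession of the emailed token proves mailbox control.
    The token is single use and is discarded even on a failed attempt."""
    acct = ACCOUNTS.get(username)
    if acct is None or not acct.pending_token:
        return False
    ok = hmac.compare_digest(acct.pending_token, token)
    acct.pending_token = ""
    return ok
```

Only after `complete_recovery` succeeds should the application show the password-reset prompt and, ideally, notify the old address of any email or birthday change.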
Galloway informed Myspace about the flaw in April but has not yet received any answer from the company. Consequently, the security researcher decided to go public today and inform the millions of vulnerable account holders.
“So how seriously does Myspace take security? Not seriously at all. I sent an email to Myspace in April documenting this vulnerability and received nothing more than an automated response. This has led me to disclose the vulnerability while it still exists. It seems Myspace wants us all to take security into our own hands. If there is a possibility that you still have an account on Myspace, I recommend you delete your account immediately.”
Myspace is far from being the social network behemoth it once was, but Galloway says its poor security practices still matter, since it is one of many sites that suffer from lax account protections.
Source: Leigh-Anne Galloway