This isn't great: Anyone could get into your Myspace with just your name and birthday

They didn't even need a password.

The last time you logged into your Myspace account was what, 10 years ago? Minimum?

Well, fortunately, Myspace had an incredibly easy way to regain access to your account. All you needed was your name and birthdate and, boom, you were in and could reset your password to a less embarrassing alternative.

Unfortunately it turns out that's all anybody needed to access your old Myspace.

A cybersecurity researcher named Leigh-Anne Galloway brought this to the world's attention Monday. In a blog post, Galloway explained she was trying to gain access to an old Myspace account so she could delete it.

This was back in April. And at the time, she stumbled across this glaring security oversight.

When trying to recover her account, she had to fill out this form:

But after some poking around and testing, she discovered Myspace didn't verify the email address. Sure, it's marked as a "required" field, but you could put in any nonsense email and the account recovery process wouldn't actually check whether it matched the one on the account.

So all you needed was the full name on the account, as well as the public username. And then a birthday, which isn't that hard to find if you really wanted to.
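The flaw described above, sketched as an added example (not Myspace's code and not from Galloway's post): a recovery handler that only checks the email field is non-empty, beside one that compares it to the address on file and mails a one-time token there instead of granting access. The account record, function names and in-memory stores are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed account record; every value here is made up for the example.
ACCOUNTS = {
    "jdoe": {"name": "Jane Doe", "birthdate": "1990-01-01",
             "email": "jane@example.com"},
}
PENDING = {}   # sha256(token) -> username, for tokens mailed but not yet used
OUTBOX = []    # stand-in for a mail queue: (address on file, token)

def _same(a, b):
    # Constant-time, case-insensitive comparison of two form values.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

def _public_facts_match(form):
    # Username, full name and birthdate: the details the article says sufficed.
    acct = ACCOUNTS.get(form.get("username", ""))
    if acct is None:
        return None
    ok = (_same(form.get("name", ""), acct["name"])
          and _same(form.get("birthdate", ""), acct["birthdate"]))
    return acct if ok else None

def recover_flawed(form):
    """Behaviour the article describes: email must be present, nothing more."""
    if not form.get("email"):          # "required" only means non-empty
        return "rejected"
    return "access granted" if _public_facts_match(form) else "rejected"

def recover_hardened(form):
    """Never grants access directly; mails a one-time token to the address on file."""
    acct = _public_facts_match(form)
    if acct and _same(form.get("email", ""), acct["email"]):
        token = secrets.token_urlsafe(32)
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = form["username"]
        OUTBOX.append((acct["email"], token))  # stored address, not the form's
    # Same reply either way, so the form does not confirm which details matched.
    return "if the details match, a reset link has been emailed"

def redeem(token):
    """Single use: the token is removed when presented; returns username or None."""
    return PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

With the hardened handler, knowing the name, username and birthdate gets a requester nothing unless they can also read mail sent to the address already on the account.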

"It seems Myspace wants us all to take security into our own hands," Galloway wrote. "If there is a possibility that you still have an account on Myspace, I recommend you delete your account immediately."

She told Myspace and heard nothing

Galloway said she sent Myspace an email detailing this vulnerability back in April when she found it. She got an automated response ... and then nothing else.

So after three months she decided to publicize the gaping security hole while it still existed.

Since Galloway's blog post went live, it's been picked up by WIRED, The Verge, Engadget and others. And Myspace has since made some changes.

For example, that account recovery option is disabled. I tried to access the URL, but it doesn't open anymore and redirects to a different page. Gizmodo noticed this too. You can still see it on the Wayback Machine though.

Myspace also responded, telling Engadget they "enhanced [their] process by adding an additional verification step to avoid improper access." Myspace also said they take data security "very seriously," and will make their process better over time.

Myspace's dubious security history

That might carry some more weight if they hadn't given a similar response in 2016, when they revealed user login data from accounts had been stolen in 2013. And not a few accounts – 360 million users' info was stolen.

Myspace, in acknowledging the breach, said it had "several dedicated teams working diligently" to make sure user data was safe, and said they'd be taking "additional security steps" in light of the report.

And then this happened so ¯\_(ツ)_/¯.

As Galloway noted, maybe a lot of people don't use Myspace anymore (though in 2015, the site said 50 million people a month logged in).

"So why does this matter?" she continued. "Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present."

She also walks through how to delete your Myspace account, FYI.
