MySpace Login Security Problems: Social Networking Site Finally Fixes Account Vulnerability Flaw
While MySpace is already a thing of the past, the fallen social networking site finds itself in the news after the discovery of a serious security issue.
While trying to delete her account back in April, security researcher Leigh-Anne Galloway found that the account recovery process on MySpace makes anyone's account vulnerable.
It turns out that anyone could log in or gain access to an account by providing only the name, username and date of birth on the recovery page.
This information is displayed on the user's profile, so a quick look at an individual's page would allow anyone to take control of that account.
She found out that MySpace does not even validate the email address, which a user is required to provide when trying to recover their account. Galloway entered a nonexistent email and MySpace still provided her access to the account right away.
This is how she learned that the name, username and date of birth of a user are the only details the MySpace recovery page needs to provide access to an account.
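The flaw described above, next to one way to close it, as an added example (not MySpace's code and not from Galloway's post). The user record, function names and token lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample record; every field and function name here is an assumption.
USERS = {"tom": {"name": "Tom Example", "dob": "1980-01-01",
                 "email": "tom@example.com"}}
TOKEN_TTL = 900   # seconds a recovery token stays valid
PENDING = {}      # sha256(token) -> (username, expiry time)
OUTBOX = []       # stands in for a mail sender: (address, token)

def public_fields_match(username, name, dob):
    u = USERS.get(username)
    return u is not None and u["name"] == name and u["dob"] == dob

def recover_weak(username, name, dob, email):
    """Flow as reported: profile-visible fields are the only check, and the
    submitted email is never compared with the one on file."""
    return public_fields_match(username, name, dob)  # True means access granted

def recover_start(username, name, dob, email, now=None):
    """Hardened flow: the form itself grants nothing. A single-use token is
    sent to the address on file, never to the address typed into the form."""
    now = time.time() if now is None else now
    u = USERS.get(username)
    if (public_fields_match(username, name, dob)
            and u["email"].lower() == email.strip().lower()):
        token = secrets.token_urlsafe(32)
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
        OUTBOX.append((u["email"], token))
    # Same reply on every path, so the form does not confirm which details matched.
    return "If the details match, a recovery link has been sent."

def recover_finish(token, now=None):
    """Redeem a token once; return the username, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

In the hardened flow, access depends on receiving the token at the registered mailbox, so knowing what a profile displays is no longer sufficient.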
Galloway shared the story of her discovery on her blog and has also contacted MySpace, but has received no response so far. She wrote:
So how seriously does MySpace take security? Not seriously at all. I sent an email to MySpace in April documenting this vulnerability and received nothing more than an automated response. This has led me to disclose the vulnerability while it still exists. It seems MySpace wants us all to take security into our own hands. If there is a possibility that you still have an account on MySpace, I recommend you delete your account immediately.
Galloway said that while such a situation is not exactly a shocker since there are not a lot of active MySpace users, she believes that the social networking site still has the "duty of care to users past and present."
Thankfully, MySpace appears to have modified the account recovery process and has apparently pulled the flawed one.
TechSpot tested it on a dummy account and confirmed that while they gained access to the account, it was not as easy as it was for Galloway.