Remember when Myspace suffered one of the largest user data breaches ever? Around 360 million accounts were compromised in June 2013, but Myspace said in 2016 when it disclosed the incident that it was taking action to shore up its security. Which would be great, except that it turns out anyone could have taken over any Myspace account if they had the account owner’s listed name, username, and date of birth. Whoops!
Security researcher Leigh-Anne Galloway notified Myspace about the flaw in April, and published details about it on Monday after failing to receive a substantive response.
The problem stems from Myspace not being, you know, the most widely-used service anymore. As such, it has extensive mechanisms and advice available for recovering accounts when you’ve lost the password, no longer have access to the email address associated with the account, or don’t remember your Myspace username.
Galloway discovered that the Account Recovery form doesn’t actually require very much information to validate ownership of an account and take control of it. Since the name and username associated with an account show up on its public profile, Myspace’s account recovery setup was such that you really only needed someone’s date of birth to complete an account takeover. The form claimed that other fields like the account email address were “required,” but it wasn’t actually validating these fields in practice.
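The failure mode Galloway describes is a form whose "required" fields are enforced only in the browser. The following added example (not Myspace's code; account data and names are constructed placeholders) models that server-side gap beside a hardened handler that validates every field on the server and proves control of the on-file email address with a one-time token before resetting anything.

```python
import hmac
import secrets

# Constructed sample account store; placeholder data, not real Myspace records.
ACCOUNTS = {
    "tom": {"name": "Tom Example", "dob": "1970-01-01", "email": "tom@example.com"},
}

def vulnerable_recover(form):
    """Models the flaw: the email field is marked 'required' client-side but
    never checked here, so public profile data plus a birth date is enough."""
    acct = ACCOUNTS.get(form.get("username"))
    if acct and acct["name"] == form.get("name") and acct["dob"] == form.get("dob"):
        return {"status": "reset", "username": form["username"]}
    return {"status": "denied"}

PENDING = {}  # username -> outstanding one-time token (in-memory for the example)

def _eq(a, b):
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def hardened_recover_start(form, send_email):
    """Hardened version: every field is validated server-side, and a reset only
    proceeds via a token sent to the address already on file, never one the
    requester supplies. The response is identical whether or not an account matched."""
    username = form.get("username", "")
    acct = ACCOUNTS.get(username)
    if (acct
            and _eq(acct["email"], form.get("email", "").strip().lower())
            and _eq(acct["dob"], form.get("dob", ""))
            and _eq(acct["name"], form.get("name", ""))):
        token = secrets.token_urlsafe(32)
        PENDING[username] = token
        send_email(acct["email"], token)  # address comes from the record, not the form
    return {"status": "if an account matches, a reset link has been emailed"}

def hardened_recover_finish(username, token):
    """Second step: the token proves control of the mailbox; it is single-use."""
    expected = PENDING.get(username)
    if expected and hmac.compare_digest(expected, token):
        del PENDING[username]
        return {"status": "reset", "username": username}
    return {"status": "denied"}
```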
“This is indicative of the landscape we live in,” Galloway says. “Everything is done online, which means there is more and more code online. Web applications are the front door to an organization. The consequences of getting access can be catastrophic.”
Galloway discovered this while attempting to delete her own account. On Monday at 1:42 ET the company redirected its Account Recovery URL so it no longer takes browsers to the vulnerable form. You can still see the form on the Wayback Machine.
Who can say! Myspace has been cagey for years about how many users it still has, and it’s unclear how long this account recovery form was live. “I haven’t had a response from MySpace,” Galloway says. A lot of Myspace user data got scrubbed in its redesign a few years ago, but the mass exodus away from the service when social networks like Facebook were on the rise definitely left a number of forgotten accounts that are still live in some form and could be exploited.