If you haven’t deleted your decade-plus old Myspace account yet, now may be the time to do it. As it turns out, it’s embarrassingly easy for someone to break into and steal any account on the site.
Security researcher Leigh-Anne Galloway posted details of the flaw on her blog this morning after months of trying to get Myspace to fix it — and hearing nothing back from the company.
The flaw comes from Myspace’s account recovery page, which is meant to let people regain access to an account they’ve lost the password to. The page asks for the account holder’s name, username, original email address, and birthday. But it turns out, you really only need to know someone’s birthday in order to gain access to their account.
The account holder’s name and username are both publicly listed on their profile page. And Myspace’s account recovery form doesn’t actually check to see if you entered the correct email address. The Verge tested the flaw on a newly created dummy account and was able to confirm this. That means the only detail you actually have to know is the account holder’s birthday, and in a lot of cases, that isn’t exactly hard to find with a bit of research.
As soon as you supply that info, Myspace logs you into the account, prompting you to set a new password and giving you the ability to change the account’s associated email address and birthdate, letting you steal it for good.
Galloway says she contacted Myspace about the flaw in April and has yet to hear back. “It seems Myspace wants us all to take security into our own hands,” she writes. “If there is a possibility that you still have account on Myspace, I recommend you delete your account immediately.” The Verge has also reached out to Myspace for comment.
Of course, at this point, it’s not like all that many people (any people?) are still using Myspace. Far too many years after being crushed by Facebook, Myspace moved away from being a social network and pivoted into being a news aggregator and a series of profile pages for musicians. You’re supposed to be able to play music from those pages, but it wouldn’t work in my browser. It’s not clear why anyone would visit this website. Time Inc. purchased Myspace last year, mostly just so it could get some associated ad tech.
Even though people aren’t using Myspace much anymore, Galloway says its poor security practices still matter, since it’s not alone in being so lax about account protections. “Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability,” she writes.