June 4th, 2008

Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace photos

Posted by Dancho Danchev @ 5:54 am

Categories: Privacy, Responsible disclosure

Tags: MySpace, Yahoo, Data Availability, Data Portability, Privacy, Paris Hilton, Lindsay Lohan, Byron Ng, Dancho Danchev

The recently introduced data availability initiative at MySpace, which allows everyone to share their profile data with other community and social networking sites across the Web, has just suffered its first major privacy flaw, exposing the private photos of Paris Hilton and Lindsay Lohan and prompting Yahoo and MySpace to disable the data availability between the services until they fix the flaw:

Pictures of Paris Hilton and Lindsay Lohan from private MySpace profiles can be seen by anyone on the Internet, thanks to a flaw in a system that helps the social-networking site share information with other Web sites. The incident underscores a new challenge for businesses: Security becomes a multi-front challenge once you start sharing information outside your walls.

Byron Ng — a computer technician who earlier this year found a way to access Paris Hilton’s Facebook page — walked the tech-gossip blog Valleywag through a 15-step process that allows people to see supposedly-private pictures and other information by first logging into Yahoo, which is one of the sites that shares information with MySpace.

With Paris Hilton’s T-Mobile Sidekick account hacked two years ago (Hilton’s mailbox; Hilton’s contact list; Hilton’s photos), followed by the exposure of her private Facebook photos last month, it’s becoming rather common to demonstrate a major privacy leak or security flaw by testing it on celebrities in order to attract as much attention as possible. None of these hacks would be possible if their “privacy through obscurity” MySpace profiles weren’t a public secret. For instance, Paris Hilton’s private profile (myspace.com/cherubrawk) and Lindsay Lohan’s profile (myspace.com/privacycunt) have already been tracked down by fans, which puts them at the top of the target list for testing flaws.

From another perspective, celebrity hacking is a win-win-win situation: for the celebrities enjoying some publicity, for the vulnerable services that would provide a live fix for their millions of users, and for the celebrity hacker for, well, being the celebrity hacker. It’s also a great way to demonstrate how one service can undermine the privacy preferences already set in another service; in this case, an integration flaw at Yahoo undermines the privacy preferences set on a MySpace profile.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 19 Talkback(s)
RE: Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace p
Paris has more than just privacy flaws to deal with. Take a look at her in this screen test provided by minimovie.com
Posted by: minkrobe Posted on: 06/28/08