MySpace, Yahoo blame bad APIs for celebrity photos breach
Paris Hilton and Lindsay Lohan's private MySpace photos are all over the Internet now, thanks to a glitch blamed on bad APIs.
While the not-so-publicity-shy stars probably won't mind, and none of the photos are all that racy (except for the one of a fully dressed, provocatively posed Hilton in a tanning booth), there's a lesson for us all in this social network privacy flap du jour.
"Anything you upload to a public Web site is not private; it's public. Even if you think it is password protected," says Jeremiah Grossman, chief technology officer at WhiteHat Security, a Web application security company. "That's the bottom line."
The photos began making the rounds on Tuesday after computer technician Byron Ng released them publicly and gave Valleywag detailed instructions for his hack. Valleywag also has the photos.
The problem has been fixed, so don't bother trying to replicate it. But the breach resurrects the debate over whether the notion of privacy is outdated in a world where you party too much at an event and the next morning an embarrassing photo is up on your friend's Facebook page.
Valleywag blamed data portability, the concept underlying the sharing of data between social networks and other sites.
However, according to MySpace, it had nothing to do with data portability and everything to do with "deprecated APIs."
Grossman attributed it to "insufficient authorization," which he said is common on all types of Web sites, not just social-networking sites.
"MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible. Recently, MySpace and Yahoo were alerted to a vulnerability within the MySpace widget on the Yahoo mobile platform," MySpace and Yahoo said in a statement. "The functionality of the widget has currently been disabled as we work to roll out an immediate fix."
The man behind the exposé is none other than Byron Ng, a Vancouver-based computer technician who found a hole in Facebook and got to photos on founder Mark Zuckerberg's private page in March.
Ng also is credited with uncovering a digital version of most of the unreleased Harry Potter book last summer.
Ng, if you're out there, I'd love to talk to you.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Tags: security, privacy, social networks, MySpace, Yahoo, Paris Hilton, Lindsay Lohan



"who found a hole in Facebook and got to photos on founder Mark Zuckerberg's private page in March."
I don't think so, Elinor.
http://www.maximumpc.com/article/how_you_used_to_view_private_photos_on_facebook
It seems that there is a HUGE problem here with the stupidity of people who don't want other people to see them nude, yet upload these pictures WITHOUT PASSWORDS onto sites that sometimes don't offer password protection of albums.
This is one reason why bloggers shouldn't be considered journalists.
I don't know who Brian Ng is but I agree... he is a total tool. This code was out for MONTHS and no one was any wiser to it. MySpace have a problem on their hands, especially as they changed the membership agreement AND have started using applications that handle real money.
These were all minor URL exploits.
Not real hacks.
A hack is illegal.
URL exploits are just that. Exploits.
Hell, I've found URL exploits myself for social networking sites, and when I emailed the site to tell them... they didn't really care... so as far as I'm concerned, these sites get what they deserve with the embarrassment.
The fact is NOTHING is private on the Internet. Once people realize that... they will be better off.