Pillaged MySpace photos show up in massive BitTorrent download

[Al-khiyal]

Pillaged MySpace photos show up in massive BitTorrent download

January 23, 2008 -- A 17-gigabyte file purporting to contain more than half a million images lifted from private MySpace profiles has shown up on BitTorrent, potentially making it the biggest privacy breach yet on the top social networking site.

The creator of the file says he compiled the photos earlier this month using the MySpace security hole that Wired News reported on last week. That hole, still unacknowledged by the News Corporation-owned site, allowed voyeurs to peek inside the photo galleries of some MySpace users who had set their profiles to "private," despite MySpace's assurances that such images could only be seen by people on a user's friends' list.

"I think the greatest motivator was simply to prove that it could be done," file creator "DMaul" says in an e-mail interview. "I made it public that I was saving these images. However, I am certain there are mischievous individuals using these hacks for nefarious purposes."

The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.

By then, DMaul, a denizen of the online forum TribalWar.com who declined to reveal his name, used an automated script to run nearly 44,000 MySpace user profiles through one of the ad-supported sites, MySpacePrivateProfile.com - a process he says took about 94 hours. He rolled those images into a single file and seeded it to The Pirate Bay, a popular BitTorrent tracking site, on Sunday, advertising it as "pictures taken exclusively from private profiles."

Despite the language, the script DMaul posted to TribalWar does not appear to discriminate between public and private profiles, making it likely that many of the photos were intended to be public. The script cycled through MySpace users sequentially by MySpace Friend ID number, and did not target users of a particular age group.

Even with some public photos in the mix, the haul represents a significant breach that affects users under 16 - whose profiles are automatically set to private - more than older users who must opt-in to the privacy option.

As of Wednesday morning, The Pirate Bay showed two users seeding the file, and another 40 downloading it. One commenter complained that the download could take "weeks or months" to complete, prompting another to predict that, "By the end of the week it should be well distributed."

DMaul made two smaller files available as direct downloads. One of them examined by Wired News contains more than 32,000 images ranging from the mundane to the intimate: vacation photos, infants in bathtubs, teenagers mugging for the camera.

Child-safety advocate Parry Aftab, executive director at WiredSafety.org (not affiliated with Wired News) said last week that MySpace and other social networking sites should have teams that do nothing but test for bugs and monitor web forums for discussions about privacy glitches.

Last week, MySpace chief security officer Hemanshu Nigam touted a deal with the attorneys general of 49 states in which MySpace agreed to a laundry list of safety improvements on the site. However, the settlement does not require MySpace to detect or promptly close its recurring security holes.

MySpace hasn't returned phone calls on the issue. A spokeswoman for Connecticut Attorney General Richard Blumenthal, co-chairman of the task force that forged the pact with MySpace, declined to comment on the bug this week. Noelle Talley, a spokeswoman for North Carolina Attorney General Roy Cooper, the other co-chair, noted MySpace's quick response in closing the bug after Wired News reported on it.

"We raised this particular issue with MySpace and they told us that the problem was fixed by the next day," Talley wrote in an e-mail. "We'll follow up with them on this issue."

"The process set up by our agreement gives us ready access to bring problems to the attention of MySpace," Talley added. "We believe this collaborative effort will move us more quickly toward safer social networking sites, but attorneys general won't hesitate to take further action if necessary."

MySpace plugged a similar security hole in August 2006 when it made the front page of Digg, four months after it surfaced.

[Al-khiyal]

Five questions with the guy who made the MySpace private photo torrent

[Al-khiyal]

MySpace in underage photo security failure

January 24, 2008 -- Tens of thousands of private photographs from MySpace accounts - many from under 18 users - have been circulated on the web following a three-month security breach.

A loophole allowed voyeurs and even self-confessed 'paedos' to access private profiles simply by adding the freely available users' ID number to a code which was shared on chatrooms.

Several YouTube videos - viewed by thousands - demonstrated exactly how to exploit the system. One 'tutorial' posted by a man who called himself Norwegian Sven ended with a lingering shot of a teenage girl in a bikini.

MySpace, one of the most popular social networking sites in the world with over 200 million accounts, only closed down the security breach last week after it was exposed by the Wired News website.

Fears are growing perverts and even paedophiles have been targeting accounts of girls under 16, whose profiles are automatically set to private. Now huge files containing thousands of pictures are available on file-sharing sites.

On the online forum Tribal War, one poster named Nail Bomb boasted how he could bypass MySpace security.

'To test my findings. I found some random 14 year old b**ch now since she's listed as 14 on her page her MySpace puts her as private automatic. It worked and I was shown her pictures.

'Now lets see some naked sluts.'

Another, named Godfather, mocked: 'Are teens so dumb nowadays they think anything you put online is private?'

More worryingly, one user of a music-based site said he had a 'mission for all you paedo soldiers' - to bypass security so he could see the private pictures of one underage girl he had taken a fancy to. Minutes later another chatroom user posted up a whole sequence of URL addresses to grant access to the pictures.

The site later banned the users involved.

The only MySpace users who were protected were those who had specifically set their photo galleries and not just their profiles to 'private'.

One site which is offering 'pictures taken exclusively from private profiles' said it was visited by over five hundred 'leechers'.

MySpace is yet to comment.

[HOUDA-K]

This is horrific.