Mashable and Wired drop the ball on alleged MySpace 'bug'
Yes, it's quite page view inducing to pimp a headline about how pedophiles are secretly grabbing the private photos of underage kids to populate ad-supported sites with illicit images of your children. So much so that it must be tempting for all the so called tech bloggers out there to pull a quote or two from the original story, and re-post it as news. The only problem is, it's not exactly true.
First let's be clear about this. There are all KINDS of crazy, evil perverts out there dreaming their evil thoughts. We're not saying that there aren't plenty of problems with the newly deposed king of the socialz either. However...
Item One: There have been many exploits along the lines of 'replace friend ID in URL' that would let users see things like friend lists, photos and the like. But the method reported on by Wired and subsequently Mashable... was one that had been plugged for months. However it was relayed via their posting as if the story on Mashable had caused MySpce to run and plug that hole immediately in a 24 hour period. This was simply not the case.
Item Two: The best evidence of the general lack of understanding regarding this exploit, on the part of the so-called tech blog-verse is the fact that both sites reported it incorrectly. Perhaps they were trying to not tip off would be perverts, but in the comment section of the first story posted at Mashable, writer Mark Hopkins made this statement:
To be very specific, this had to be someone who had their profile set to PRIVATE but had PUBLIC photo albums. Being underage has nothing to do with it... except that MS users under 16 default to private profiles. Regardless, 'not knowing' any underage people has zero relation to this issue. You can browse or search and find an underage user easily. However this applied, as stated, to private profiles with public albums. His very specific statement shows clearly that he just misunderstood the nature of the exploit. If you are already friends with someone, replacing your friend ID with theirs in the URL is the same as clicking on the 'pics' link. No l33t skillz required there.
Anyone who works in online security has been aware for a while that this one was plugged in early 07, thank goodness.
So there is simply a fundamental misunderstanding of what's being reported. This could be solved by the people reporting on it actually being users of the sites they cover, or at least putting in some research time on the specific issue.
Of course though, this item was dutifully picked up by ABC News and many other major outlets and people got to be all indignant about how awful this is... which harbors a far MORE evil result - namely that other, worse exploits are STILL EXTANT and being thoroughly ignored by the same bloggers and reporters.
If the issue is child safety, instead of increasing your ad revenue - then why not do the full story instead of ctrl-v-ing your way through it?
This issue spurred the resurrection of zomgpwn! and we will be reporting on it as much as possible in the near future. Stay tuned...
Yeah a few. Most of the stuff we've found is buried in forums, etc. but we emailed you a couple of examples to your Wired address. Check em out and let us know what you think. Thanks!
Posted by: ZOMGPWN! | 2008.01.23 at 07:05 PM
Are there sites profiting from the video exploit?
Posted by: Kevin Poulsen | 2008.01.23 at 06:20 PM
You're totally right about them not explicitly stating that content on MySpaceTV will be private. It's grey area-ish. But you can still view vids of underage kids who have their profiles set to private. We DO see your points though. The onus is on the user here to not be ULing anything they wouldn't want to be seen in the public space, and it IS a simpler URL fiddle. It just bugs us that there are still sites out there generating revenue from this stuff. We will re-up our reporting and post a new story on this today or tomorrow. Hopefully there's a way you can give this some ink on Wired.com but it is what it is, as they say. Big ups, homey.
Posted by: ZOMGPWN! | 2008.01.23 at 05:10 PM
Thanks for the encouragement!
I tested your video exploit, but I haven't written anything about it because it seems much less cut-and-dry than the photo exploit. There's no explicit promise from MySpace that videos will be private when you set your profile to private, for one thing. Also, the link is straightforward, while the photo hack used an obscure URL. Access to "public" videos could be considered expected behavior, right?
Unless I'm missing something, which is always possible. :)
Posted by: Kevin Poulsen | 2008.01.23 at 04:25 PM
Yo Kevin. Thank you for stopping by! We feel honored.. seriously. To be completely fair, your reporting was much more thorough and detailed than the Mashable pickup, especially since you understand the difference between private profiles and private albums. We really included Wired in our headline to bring as much notice as possible to the still existing video/MySpaceTV exploit that needs to be patched. (And to pimp our search results. zing!)
ZOMGPWN! definitely applauds your coverage of this. Just don't stop now. Hopefully MS is working on the video hole now and we'll see a news item show up soon.
Cheers, mate.
Posted by: ZOMGPWN! | 2008.01.22 at 06:06 PM
You're thinking of an older bug that worked much the same way. The one I reported on surfaced in October 07, and wasn't patched until Friday, after my story ran. A careful reading of our coverage will reveal all this (No l33t skillz required :)
And I'm not ignoring any exploits.
Posted by: Kevin Poulsen | 2008.01.22 at 03:56 PM