A backdoor in MySpace's architecture allows anyone who's interested to see the photographs of some users with private profiles -- including those under 16 -- despite assurances from MySpace that those pictures can only be seen by people on a user's friends list. Info about the backdoor has been circulating on message boards for months.
Since the glitch emerged last fall, it has spawned a cottage industry of ad-supported websites that make it easy to access the photographs, spurring self-described pedophiles and run-of-the-mill voyeurs to post photos pilfered from private MySpace accounts.
The bug, and its long-term survival, raises new questions about privacy on the News Corp.-owned site, even as it touts a deal with the attorneys general of 49 states meant to polish its online-safety image.
"If kids are doing what they think they need to do, and are still having their photos picked up by slimebags on the internet ... then these are serious issues," said Parry Aftab, executive director of WiredSafety.org, a children's-online-safety group. "It's a matter of trust and it's a matter of safety." (WiredSafety is not connected to Wired News or Wired magazine.)
Representatives for MySpace did not return Wired News phone calls Thursday.
The flaw exposes MySpace users who set their profiles to "private" -- the default setting for users under 16 -- even though MySpace's account settings page tells users, "Only the people you select will be able to view your full profile and photos."
Clicking on the photo link on a private profile gives unauthorized users this message: "This profile is set to private. This user must add you as a friend to see his/her profile." But anyone -- even those without a MySpace account -- can plug the target's public account number, called a "Friend ID," into a specially constructed URL that grants access to those photos.
The only users safe from the exploit are those who have explicitly configured their MySpace photo galleries (and not just their overall profiles) to be private.
A similar technique in circulation allows third parties to see the friends list associated with a private profile.
The photo-gallery backdoor has been discussed on message boards for at least three months. In an October post on the music-oriented forum sohh.com, a user asked a contingent of self-described "pedos" for help in accessing the photos of a 16-year-old girl who caught his eye online. "I got a mission for all you pedo soldiers," he wrote, explaining that the girl's profile was private.
"I can get them. I know a way around it," another forum member responded. Minutes later, he posted direct links to 43 photos of the girl. By request, he posted links the next day for another 12 photos, belonging to a 15-year-old girl whose profile is also private. Sohh.com later banned a number of users who called themselves a "pedo army," for posting MySpace photo links for underage girls. (None of the posts appears to have involved, or alluded to, child pornography or other illegal conduct.)
Beginning in October, commercial websites began springing up to perform the MySpace hack automatically, while earning a buck through online advertising. The sites all allow you to retrieve photos from private profiles merely by typing in the Friend ID of a targeted user.
That ease of use has led to discussion threads on a wide variety of web forums, including an automotive forum: "For all you phedos (sic) out there." Another thread appeared on the Slashdot-like technology news site Tribalwar.com.
At Tribalwar, a January poster tested one of the sites and reported on his successful pilfering of a randomly chosen 14-year-old girl's photo gallery "Since she's listed as 14 on her page, her MySpace puts her as private automatic," he wrote. "It worked and I was shown her pictures. Now lets see some naked sluts." Dozens of posts followed from other users, sharing Friend IDs and photo links for galleries they found interesting.
The photo leaks come at an inopportune time for MySpace. The company reached an accord with 49 state attorneys general Monday that was supposed to tie off a year of inquiries into safety issues on the site. The attention followed an October 2006 Wired News story on MySpace sex offenders.
In that story we used special software to expose hundreds of registered sex offenders with accounts on MySpace. That prompted the social network to run its own computerized search, which turned up at least 29,000 registered sex offenders
In the deal with the state attorneys general, MySpace agreed to a laundry list of measures. These include removing the option for under-18 users to report themselves as "swingers" and setting underage users' profiles as private by default. The company is also forming a safety task force to explore options for online age and identity verification.
That the photo glitch has survived for so long in plain sight suggests MySpace has some more work to do. WiredSafety's Aftab says MySpace and other social networking sites should have teams that do nothing but test for bugs and monitor web forums for discussions about privacy glitches.
"If this is something that's on the internet and people are talking about it, and MySpace doesn't know about it, they should know about it," Aftab said.
"If any site promises that, in doing something, your information will be private … and it turns out that's not the way it works, that could seen as consumer fraud under the FTC Act and 50 states' worth of consumer-protection laws."