A backdoor in MySpace's architecture allows anyone who's interested to see the photographs of some users with private profiles -- including those under 16 -- despite assurances from MySpace that those pictures can only be seen by people on a user's friends list. Info about the backdoor has been circulating on message boards for months.
Since the glitch emerged last fall, it has spawned a cottage industry of ad-supported websites that make it easy to access the photographs, spurring self-described pedophiles and run-of-the-mill voyeurs to post photos pilfered from private MySpace accounts.
The bug, and its long-term survival, raises new questions about privacy on the News Corp.-owned site, even as it touts a deal with the attorneys general of 49 states meant to polish its online-safety image.
"If kids are doing what they think they need to do, and are still having their photos picked up by slimebags on the internet ... then these are serious issues," said Parry Aftab, executive director of WiredSafety.org, a children's-online-safety group. "It's a matter of trust and it's a matter of safety." (WiredSafety is not connected to Wired News or Wired magazine.)
Representatives for MySpace did not return Wired News phone calls Thursday.
The flaw exposes MySpace users who set their profiles to "private" -- the default setting for users under 16 -- even though MySpace's account settings page tells users, "Only the people you select will be able to view your full profile and photos."
Clicking on the photo link on a private profile gives unauthorized users this message: "This profile is set to private. This user must add you as a friend to see his/her profile." But anyone -- even those without a MySpace account -- can plug the target's public account number, called a "Friend ID," into a specially constructed URL that grants access to those photos.
The only users safe from the exploit are those who have explicitly configured their MySpace photo galleries (and not just their overall profiles) to be private.
A similar technique in circulation allows third parties to see the friends list associated with a private profile.
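The gap described above, where the profile page honors the "private" setting but the photo and friends-list pages do not, can be modelled as below. This is an added example, not MySpace's code: the `Account` fields, the function names and the sample accounts are assumptions, and it generalizes the fix to a single policy check shared by every part of a profile.

```python
from dataclasses import dataclass, field

@dataclass
class Account:                      # hypothetical model, not MySpace's schema
    friend_id: int
    profile_private: bool = False   # the setting users are told protects photos
    gallery_private: bool = False   # the separate per-gallery setting
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)

def photos_flawed(owner, viewer_id):
    """Gallery handler that consults only the gallery's own flag."""
    allowed = owner.friends | {owner.friend_id}
    if owner.gallery_private and viewer_id not in allowed:
        return None
    return owner.photos             # profile_private is never checked

def can_view(owner, viewer_id, resource):
    """One policy for every sub-resource; viewer_id None means not logged in."""
    restricted = owner.profile_private or (
        resource == "photos" and owner.gallery_private)
    if not restricted:
        return True
    return viewer_id is not None and (
        viewer_id == owner.friend_id or viewer_id in owner.friends)

def fetch(owner, viewer_id, resource):
    """Hardened handler: photos and friends list go through can_view."""
    if not can_view(owner, viewer_id, resource):
        return None
    return {"photos": owner.photos, "friends": sorted(owner.friends)}[resource]

def exposed_accounts(accounts):
    """Audit: IDs whose photos the flawed handler gives an anonymous viewer
    although the policy says they are restricted."""
    return [a.friend_id for a in accounts
            if photos_flawed(a, None) is not None
            and not can_view(a, None, "photos")]

# Constructed sample accounts (IDs and file names are made up).
SAMPLE = [
    Account(1001, profile_private=True, friends={2002}, photos=["a.jpg"]),
    Account(1002, profile_private=True, gallery_private=True,
            friends={2002}, photos=["b.jpg"]),
    Account(1003, photos=["c.jpg"]),   # fully public profile
]

if __name__ == "__main__":
    print("exposed:", exposed_accounts(SAMPLE))
```

Only the account with a private profile and a default gallery setting is flagged, matching the article's note that users who explicitly set their galleries to private were unaffected.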
The photo-gallery backdoor has been discussed on message boards for at least three months. In an October post on the music-oriented forum sohh.com, a user asked a contingent of self-described "pedos" for help in accessing the photos of a 16-year-old girl who caught his eye online. "I got a mission for all you pedo soldiers," he wrote, explaining that the girl's profile was private.
"I can get them. I know a way around it," another forum member responded. Minutes later, he posted direct links to 43 photos of the girl. By request, he posted links the next day for another 12 photos, belonging to a 15-year-old girl whose profile is also private. Sohh.com later banned a number of users who called themselves a "pedo army," for posting MySpace photo links for underage girls. (None of the posts appears to have involved, or alluded to, child pornography or other illegal conduct.)
Starting in October, commercial websites sprang up to perform the MySpace hack automatically, while earning a buck through online advertising. The sites all let a visitor retrieve photos from private profiles merely by typing in the Friend ID of a targeted user.