That ease of use has led to discussion threads on a wide variety of web forums, including an automotive forum: "For all you phedos (sic) out there." Another thread appeared on the Slashdot-like technology news site Tribalwar.com.
At Tribalwar, a January poster tested one of the sites and reported on his successful pilfering of a randomly chosen 14-year-old girl's photo gallery "Since she's listed as 14 on her page, her MySpace puts her as private automatic," he wrote. "It worked and I was shown her pictures. Now lets see some naked sluts." Dozens of posts followed from other users, sharing Friend IDs and photo links for galleries they found interesting.
The photo leaks come at an inopportune time for MySpace. The company reached an accord with 49 state attorneys general Monday that was supposed to tie off a year of inquiries into safety issues on the site. The attention followed an October 2006 Wired News story on MySpace sex offenders.
In that story we used special software to expose hundreds of registered sex offenders with accounts on MySpace. That prompted the social network to run its own computerized search, which turned up at least 29,000 registered sex offenders
In the deal with the state attorneys general, MySpace agreed to a laundry list of measures. These include removing the option for under-18 users to report themselves as "swingers" and setting underage users' profiles as private by default. The company is also forming a safety task force to explore options for online age and identity verification.
That the photo glitch has survived for so long in plain sight suggests MySpace has some more work to do. WiredSafety's Aftab says MySpace and other social networking sites should have teams that do nothing but test for bugs and monitor web forums for discussions about privacy glitches.
"If this is something that's on the internet and people are talking about it, and MySpace doesn't know about it, they should know about it," Aftab said.
"If any site promises that, in doing something, your information will be private … and it turns out that's not the way it works, that could seen as consumer fraud under the FTC Act and 50 states' worth of consumer-protection laws."