MySpace Bug Leaks 'Private' Teen Photos to Voyeurs
Despite MySpace's assurances this week, private profiles aren't so private.
Jan. 18, 2008 — -- A backdoor in MySpace's architecture allows anyone who's interested to see the photographs of some users with private profiles -- including those under 16 -- despite assurances from MySpace that those pictures can only be seen by people on a user's friends list. Info about the backdoor has been circulating on message boards for months.
Since the glitch emerged last fall, it has spawned a cottage industry of ad-supported websites that make it easy to access the photographs, spurring self-described pedophiles and run-of-the-mill voyeurs to post photos pilfered from private MySpace accounts.
The bug, and its long-term survival, raises new questions about privacy on the News Corp.-owned site, even as it touts a deal with the attorneys general of 49 states meant to polish its online-safety image.
"If kids are doing what they think they need to do, and are still having their photos picked up by slimebags on the internet ... then these are serious issues," said Parry Aftab, executive director of WiredSafety.org, a children's-online-safety group. "It's a matter of trust and it's a matter of safety." (WiredSafety is not connected to Wired News or Wired magazine.)
Representatives for MySpace did not return Wired News phone calls Thursday.
The flaw exposes MySpace users who set their profiles to "private" -- the default setting for users under 16 -- even though MySpace's account settings page tells users, "Only the people you select will be able to view your full profile and photos."
Clicking on the photo link on a private profile gives unauthorized users this message: "This profile is set to private. This user must add you as a friend to see his/her profile." But anyone -- even those without a MySpace account -- can plug the target's public account number, called a "Friend ID," into a specially constructed URL that grants access to those photos.
The only users safe from the exploit are those who have explicitly configured their MySpace photo galleries (and not just their overall profiles) to be private.