April 23, 2014


MySpace Photos Leaked; Payback for Not Fixing Flaw?

Last week an anonymous person published a file containing half a million images, many of which had been gathered from private profiles on MySpace. This may be the most serious privacy breach yet at MySpace. Kevin Poulsen’s story at Wired News implies that the leak may have been deliberate payback for MySpace failing to fix the vulnerability that allowed the leaks.

“I think the greatest motivator was simply to prove that it could be done,” file creator “DMaul” says in an e-mail interview. “I made it public that I was saving these images. However, I am certain there are mischievous individuals using these hacks for nefarious purposes.”

The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who’d caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News’ report.

MySpace plugged a similar security hole (http://grownupgeek.blogspot.com/2006/08/myspace-closes-giant-security-hole.html) in August 2006 when it made the front page of Digg, four months after it surfaced.

The implication here, not quite stated, is that DMaul was trying to draw attention to the flaw in order to force MySpace to fix it. If this is what it took to get MySpace to fix the flaw, this story reflects very badly on MySpace.

Anyone who has discovered security flaws in commercial products knows that companies react to flaws in two distinct ways. Smart companies react constructively: they’re not happy about the flaws or the subsequent PR fallout, but they acknowledge the truth and work in their customers’ interest to fix problems promptly. Other companies deny problems and delay addressing them, treating security flaws solely as PR problems rather than real risks.

Smart companies have learned that a constructive response minimizes the long-run PR damage and, not coincidentally, protects customers. But some companies seem to lock themselves into the deny-delay strategy.

Now suppose you know that a company’s product has a flaw that is endangering its customers, and the company is denying and delaying. There is something you can do that will force them to fix the problem – you can arrange an attention-grabbing demonstration that will show customers (and the press) that the risk is real. All you have to do is exploit the flaw yourself, get a bunch of private data, and release it. Which is pretty much what DMaul did.

To be clear, I’m not endorsing this course of action. I’m just pointing out why someone might find it attractive despite the obvious ethical objections.

The really interesting aspect of Poulsen’s article is that he doesn’t quite connect the dots and say that DMaul meant to punish MySpace. But Poulsen is savvy enough that he probably wouldn’t have missed the implication either, and he could have written the article to avoid it had he wanted to. Maybe I’m reading too much into the article, but I can’t help suspecting that DMaul was trying to punish MySpace for its lax security.

Comments

  1. Richard Johnson says:

    I’d not go so far as to read a motivation to “punish” into the motivation. I encounter that kind of assumption very frequently, but it’s usually erroneous.

    Most frequently I see it on the part of self-claimed “victims” who have had their insecure spam-enabling practices and policies exposed by the real victims, the recipients of their spam. However, this kind of thing applies to other security problems, both less and more severe.

    The motivations of those who choose to make a splash are usually grounded very solidly in ethics. They’re trying to minimize the net harm by getting holes closed before too many more people are hurt. They’ve almost always tried other tactics in the past, only to have them fail with the particular vendor involved.

    When the vendor is recalcitrant, or even actively hostile to the idea that they might have a problem (this appears to be the MySpace culture, cf. their selective, ineffectual and egregious abuse via Godaddy of seclists.org: http://www.nodaddy.com/ ), then a media splash is perhaps the -best- harm-minimization tactic. Full disclosure writ large like that almost always forces the recalcitrant vendor into finally closing the holes that they wouldn’t otherwise close based on mere internal motivation.

    The motivation for the splashy disclosure is not punishment, but rather ending the harm even in the face of active cultural opposition on the part of the vendor doing the harm.

  2. Hal says:

    The question I would ask is, what was the internal justification and reason for delaying fixing the bug? Myspace apparently fixed it within hours once the negative publicity began. Did they have an internal fix ready to go, but it was stalled in the quality assurance and testing process, so that this publicity forced the company to rush out a fix even though it was not yet fully tested? Or is it perhaps possible that the bug report had languished and had not been escalated to engineering, so that work on the fix only began after the reports came out, and they were able to produce a tested fix within a few hours?

    Are there perhaps many other security flaws and holes in the Myspace software, so many that this problem was seen as just one more, so that there seemed to be no urgency to fix it when there were so many other problems out there?

    There are always reasons for things. Company executives and decision-makers are not cartoon villains twirling their mustaches and looking for ways to cause damage to their employer. It would be helpful and useful to know more about the decision making process that led to this circumstance.

  3. supercat says:

    I remember some years back a magazine got hold of the answers to one of the college board exams. Since the exam people didn’t seem to care about it, the magazine published all the answers. The exam people were furious and wanted to sue the magazine, but I think they decided against it. That the magazine was able to get the answers was prima facie evidence that the answers were available via illegitimate channels, allowing an extreme unfair advantage to anyone who would seek them out. Publishing the test answers forced the test vendor to rework the test, negating any advantage cheaters would have obtained.

  4. Nate says:

    @Hal: I find it more likely that any bug reports were lost in the backlog of people complaining that their malformed tags weren’t displaying properly, or written off as “private” images that someone accidentally tagged public. Once someone in the media said “OHSHIT THINK OF THE CHILDREN”, the programmers said “Oh, crap, that wasn’t a PBKC? Fuck.”

  5. Gato says:

    So what would be the most ethical road to take as a user of some online service like this, if you realized that a company was taking the deny-delay strategy and all your direct complaints fell into the teeth of the PR denial machine? Most of the time there is no agency or watchdog who will really have an effect or hold any more weight than you do.

    I discovered a vulnerability with my credit union’s authentication scenario right after the multi-factor authentication regulations went into effect. I got the basic deny-delay response, at which point I sent a letter to a couple of regulatory agencies – whose acronyms I don’t have handy. I could tell when the government roulette wheel stopped on my credit union as I received some emails from C-level employees of the credit union (it was about a month after my initial complaint). At that point, the issue was resolved pretty quickly. Not correctly, mind you, but by heavy-handed “we don’t take this user agent” code. (Off the topic, how is having to know what street I grew up on as well as knowing my password “Multi Factor”??)

    Let’s say there is no watch dog guarding the service you’ve found a big hole in, but you’re pissing into the public relations wind… is there really much more you could do? Certainly you can try to leave the particular service immediately but then everything you’ve invested in it gets taken away, and the possibility exists that once you’ve left, your old information is not only still vulnerable to the same attacks, but now you’re not even a customer and can’t even yell to the (deaf ears of) customer service.

  6. aethel says:

    My concern is how organisations find themselves in such dire straits. I have seen situations where blame culture inside an organisation ensures that an issue such as the one at MySpace cannot be accepted without a single officer of the institution being to blame for the problem. This arises from a misunderstanding of technology, which is ‘bad stuff happens’ – software has bugs by its very nature and this needs to be accepted and built into organisational culture – but in the corporate world’s ‘everything must be wonderful – all of the time’ way of being, a more reflective and rational model cannot persist.

  7. Find Legislation says:

    FED HB1120 is relevant to this conversation.
    http://www.statesurge.com/#view-bill&main_content&bill_id=14463

    It’s hard to believe that myspace doesn’t change…they are falling behind sites like facebook.

    Also, thought you all may be interested in a new site devoted to transparency in government
    and one of the best ways to find legislation. (www.statesurge.com)

    They also provide my blog a widget (script) that shows the most active bills in any
    of their states or at the federal level (free of charge). Contact
    Larry@statesurge.com if you are interested in this widget.

    You can sign up for a free trial on StateSurge.com and test out this legislative
    management system. It’s the best service I have seen for tracking legislation.

    Apparently, soon much of the information will be open and free to use as a research
    tool. Currently, http://www.StateSurge.com tracks Missouri, Illinois, Kansas, Tennessee, and
    Federal legislation, but soon all 50 states will be integrated.

  8. Spudz says:

    Is that last post written by a bot? If so, it’s much more sophisticated than what we’ve seen before…

  9. soy scented candle says:

    Sad to say, most sites out there can be hacked and MySpace is just being targeted because of its popularity. The impudence that DuMaul is placing upon major players such as MySpace may be considered heroic to some, but I neither applaud nor condone this behaviour, it’s just what we get for having too much information at our fingertips at any time or anywhere.

  10. Spudz says:

    Eh? That’s a bit incoherent. “Impudence”? Perhaps you meant “neither applaud nor condemn”?

  11. ddddddd says:

    Bitches all of you are bitches

  12. Homosapper. says:

    Mmm bitches.

  13. Anonymous says:

    They ain’t never no good picutrues on myspace anywhay.
    And.. they shoudnt be no private pages or pictures on a social networking site. That aint very social now is it?
    Erything is gonna be much easier when we all get our own personal DIgital codes.. implanted in our bodies.. and tattooed like bar codes on our skin.
    Maybe one of you retards can come up with a way to turn a persons finger print into a digital code. or… DNA could be turned into a digital “key” that would identify the user of compters. Then.. when the insurgents come to take our coco puffs off the top of the refridgedator we would know who they is because our bluetooth scanner would relay his microship information to the housing authourity.
    That’s all I got to say about that.