


http://blogs.zdnet.com/security/?p=1244



By Dancho Danchev

Zero Day

June 4th, 2008



The recently introduced data availability initiative at MySpace, allowing

everyone to share their profile data with other community and social

networking sites across the Web, has just suffered its first major

privacy flaw exposing the private photos of Paris Hilton and Lindsay

Lohan, prompting Yahoo and MySpace to disable the data availability

between the services until they fix the flaw:



Pictures of Paris Hilton and Lindsay Lohan from private MySpace

profiles can be seen by anyone on the Internet, thanks to a flaw in

a system that helps the social-networking site share information

with other Web sites. The incident underscores a new challenge for

businesses: Security becomes a multi-front challenge once you start

sharing information outside your walls.



Byron Ng — a computer technician who earlier this year found a way

to access Paris Hilton’s Facebook page — walked the tech-gossip

blog Valleywag through a 15-step process that allows people to see

supposedly-private pictures and other information by first logging

into Yahoo, which is one of the sites that shares information with

MySpace.



With Paris Hilton’s T-Mobile Sidekick account hacked two years ago

(Hilton’s mailbox; Hilton’s contact list; Hilton’s photos), followed by

her private Facebook photos exposed last month, it’s becoming rather

common to demonstrate a major privacy leak or a security flaw by

testing it on celebrities in order to attract as much attention as

possible. All of these hacks wouldn’t be possible if

their “privacy through obscurity” MySpace profiles weren’t a public

secret. For instance Paris Hilton’s private profile

(myspace.com/cherubrawk) and Lindsay Lohan’s profile

(myspace.com/privacycunt) have already been tracked down by fans,

therefore positioning them on the top of the target list for testing of

flaws.



From another perspective, celebrity hacking is a win-win-win situation

for the celebrities enjoying some publicity, the vulnerable

services that would provide a live fix for the millions of their users,

and the celebrity hacker for, well, being the celebrity hacker. It’s

also a great way to demonstrate how one service is undermining the

already set privacy preferences by another service, as in this case you

have an integration flaw at Yahoo undermining the privacy preferences

set on a MySpace profile.



-=-



Dancho Danchev is an independent security consultant and cyber threats

analyst, with extensive experience in open source intelligence

gathering, malware and E-crime incident response. Dancho is also

involved in business development, marketing research and competitive

intelligence as an independent contractor. He's been an active security

blogger since 2007, and maintains a popular security blog sharing

real-time threats intelligence data with the rest of the community on a

daily basis.











