wired.com - 6 days ago
A Myspace Security Flaw Let Anyone Take Over Any Account
Remember when Myspace suffered one of the largest user data breaches ever?
Around 360 million accounts were compromised in June 2013, but Myspace said in 2016 when it disclosed the incident that it was taking action to shore up its security. Which would be great, except that it turns out anyone could have taken over any Myspace account if they had the account owner’s listed name, username, and birthday. Whoops!
The Hack
Security researcher Leigh-Anne Galloway notified Myspace about the flaw in April, and published details about it on Monday after failing to receive a substantive response.
The problem stems from Myspace not being, you know, the most widely-used service anymore. As such, it has extensive mechanisms and advice available for recovering accounts when you’ve lost the password, no longer have access to the email address associated with the account, or don’t remember your Myspace username. Galloway discovered that the Account Recovery form doesn't actually require very much information to validate ownership of an account and take control of it.