theverge.com - 6 days ago
Myspace lets you hijack any account just by knowing the person’s birthday
If you haven’t deleted your decade-plus-old Myspace account yet, now may be the time to do it.
As it turns out, it’s been embarrassingly easy for someone to break into and steal any account on the site. Security researcher Leigh-Anne Galloway posted details of the flaw on her blog this morning after months of trying to get Myspace to fix it — and hearing nothing back from the company. Only today, after the issue became widely publicized, did Myspace finally remove the flaw.
The flaw came from Myspace’s now-defunct account recovery page, which was meant to let people regain access to an account they’ve lost the password to. The page asked for the account holder’s name, username, original email address, and birthday. But it turned out, you really only needed to know someone’s birthday in order to gain access to their account.
“I recommend you delete your account immediately.”