Slashdot Mirror

← Back to Stories (view on slashdot.org)

MySpace Private Pictures Leak

Posted by ScuttleMonkey on from the if-you-don't-want-it-shared-don't-put-it-out-there dept.

Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."

9 of 405 comments (clear)

  1. You know what to do... by grub · · Score: 5, Informative


    fetch!

    --
    Trolling is a art,
    1. Re:You know what to do... by JeepFanatic · · Score: 5, Informative
      If you read the wired interview, it says:

      DMaul: The script that I wrote uses the myspaceprivateprofile.com interface to find the images. Therefore, it uses the same criteria. From my own testing, it appeared that myspaceprivateprofile.com did not return public images from public profiles. It only returned public images from private profiles. It did not return private images from either public or private profiles.
      So ... I'm guessing the really good stuff isn't there.
  2. Re:Trap! by Jarjarthejedi · · Score: 3, Informative

    Mod Parent Up for best use of a humorous sad but probably true prediction :P.

    --
    There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
  3. Re:Trap! by AuMatar · · Score: 4, Informative

    Prediction? Hell, its already happened.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  4. I've looked. Yaaaaawn. by jridley · · Score: 5, Informative

    I downloaded the first zip, which is the first GB of images. I unzipped it, and I looked at the first 4500 images before falling asleep. 999 out of 1000 are crappy cellphone pics of ugly people drinking a beer and flipping off the camera, or vacation pics, or pics of someone's crappy car, or just simply snapshots of people (the vast majority).
    So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.

  5. Static Content Server by TheNinjaroach · · Score: 3, Informative

    Myspace appears to use a static content server that does no validation of who you are before returning JPGs.

    When not working or browsing Slashdot, a friend and I will exchange URLs to profile pics of "interesting" looking women. If the profile is private, the URL to the private JPG is not protected and we would exchange those instead. I haven't spent any time trying to find a pattern in the seemingly-random JPG names, so it appears difficult to pull the private images of any one person, but in general everyone's pics are available if you know the URL.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  6. Re:Dueling compression algorithms by _xeno_ · · Score: 5, Informative

    In case you're new at this: a torrent file can contain more than one file, organized unto subdirectories. There's no need for any encapsulation.

    Sure there is. Ignoring the way BitTorrent actually encodes the information, and assuming that somehow every file name could be stored as one byte (ignoring the obvious flaw with that), by keeping all of them at the torrent level you'd require "more than 560,000" bytes just devoted to file names. Since the general rule of thumb is to keep the actual .torrent file around 100KB, give or take, that's right out.

    Now, throwing in the way the .torrent file actually stores the list of file names, you're looking at at least 21 bytes per file. Assuming 560,000 files, that bloats the .torrent file to over 11.2MB - and that's still not realistic, because it requires every file to be less than 10 bytes in size and all of them to have empty path names. (Which is obviously not valid.)

    Throw in realistic constraints, and you're adding another 15 bytes, bringing us to a total of 36 bytes per file - bloating the .torrent to 19.2MB, just for file names.

    So, in short, the reason to place them in a ZIP file and not use the multi-file feature is because using the multiple file feature would massively bloat the .torrent file. Now the final .ZIP file has similar requirements per file in the ZIP file, but that becomes payload as part of the BitTorrent download and not something that has to be downloaded via non-BitTorrent means first.

    Finally, for an explanation of where those numbers above come from, the "smallest possible" form for a file would be:

    "d6:lengthi0e4:pathlee" (21 bytes)

    The "more realistic constraints" brings that to:

    "d6:lengthi100000e4:pathl8:0000.JPGee" (36 bytes)

    Yes, the .torrent file is essentially "plain text" although the piece hashes are stored as binary strings. It's encoded using "Bencoding" - which isn't the most compact of formats.

    --
    You are in a maze of twisty little relative jumps, all alike.
  7. Submitter should RTFA, bug was known for months by infestedsenses · · Score: 4, Informative
    From the summary:

    We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast.

    No it didn't. MySpace let this thing go on for months. From TFA:

    The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.

    The irony (and scandal) is that they not only failed to uphold their privacy policy despite being in the public spotlight over the last 2 years precisely for privacy issues, but that they didn't bother to acknowledge or fix this bug until a high traffic site reported on it.

    --
    parasight.de
  8. Re:Trap! by AuMatar · · Score: 3, Informative

    http://netscape.com.com/Police+blotter+Teens+prosecuted+for+racy+photos/2100-1030_3-6157857.html

    Forgive me, but I didn't want to google child porn at work.

    --
    I still have more fans than freaks. WTF is wrong with you people?