Slashdot Mirror


MySpace Private Pictures Leak

Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."

50 of 405 comments

  1. You know what to do... by grub · · Score: 5, Informative
    --
    Trolling is a art,
    1. Re:You know what to do... by Captain+Splendid · · Score: 5, Funny

      Are these divided up and tagged as to the myspace user profile they originated from?

      Who cares? Wake me up when somebody offers up the "director's cut" of this torrent, ie only the really goofy and naked pics.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:You know what to do... by $RANDOMLUSER · · Score: 5, Funny

      Yeah. Good grief, just what I need - 17Gb of pictures of other people's cats.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:You know what to do... by carpe_noctem · · Score: 5, Funny

      My dog only plays fetch when I throw her sticks... this would be like throwing a sequoia log!

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    4. Re:You know what to do... by JeepFanatic · · Score: 5, Informative
      If you read the Wired interview, it says:

      DMaul: The script that I wrote uses the myspaceprivateprofile.com interface to find the images. Therefore, it uses the same criteria. From my own testing, it appeared that myspaceprivateprofile.com did not return public images from public profiles. It only returned public images from private profiles. It did not return private images from either public or private profiles.
      So ... I'm guessing the really good stuff isn't there.
    5. Re:You know what to do... by gstoddart · · Score: 5, Funny

      Yeah. Good grief, just what I need - 17Gb of pictures of other people's cats.

      But, you admit you've already got 17Gb of pictures of your own cat? :-P

      Cheers
      --
      Lost at C:>. Found at C.
    6. Re:You know what to do... by Anonymous Coward · · Score: 4, Funny

      Yeah. Good grief, just what I need - 17Gb of pictures of other people's cats.

      But, you admit you've already got 17Gb of pictures of your own cat? :-P

      Cheers

      But... But Mr. Snookems is sooo photogenic... WHO could resist taking that many snap shots!
    7. Re:You know what to do... by Cecil · · Score: 4, Insightful

      I would recommend the National Center for Missing & Exploited Children online tip form.

      Yes, because teens on myspace who take nude pictures of themselves are clearly being exploited by... themselves.

      The insane kneejerk hysteria surrounding the ever-growing umbrella of things that unfortunately technically qualify as "child pornography" is truly something to behold.

    8. Re:You know what to do... by Kingrames · · Score: 4, Funny

      Why do you want to see their douchebags?

      --
      If you can read this, I forgot to post anonymously.
  2. It's a diversion.. by GreggBz · · Score: 4, Insightful

    It's p2p diversion... It was the RIAA. Brittney Spears or Brittney next door? Curiosity and perversion are certainly more powerful than greed.

    1. Re:It's a diversion.. by FooAtWFU · · Score: 4, Funny

      Where's my -1, Paranoid Conspiracy Theory moderation?

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  3. Solution: by Normal+Dan · · Score: 4, Insightful

    Ask 'Who cares?'
    Then ask 'why?'
    Then ask 'so?'
    Then keep asking 'so?' until you realize it's not that big of a deal.
    Problem solved.

    --
    A unique way to learn a language: http://languageloom.com
    1. Re:Solution: by CaptainPatent · · Score: 5, Insightful

      Ask 'Who cares?'

      Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

      Then ask 'why?'

      Because this has huge implications for online security.

      Then ask 'so?'

      So, something like this that is potentially damaging should have had much better security measures against it.

      Then keep asking 'so?' until you realize it's not that big of a deal.

      I'm asking... it's still a big deal

      Problem solved.

      I think not.
      --
      Well, back to rejecting software patent applications.
    2. Re:Solution: by Mikya · · Score: 5, Funny

      So?

    3. Re:Solution: by Bob9113 · · Score: 4, Insightful

      something like this that is potentially damaging should have had much better security measures against it.

      Ummm, if you store potentially damaging photos on a third-party web site that is not intended to be a secure repository, why would you expect high security?

      Because this has huge implications for online security.

      Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.

    4. Re:Solution: by sm62704 · · Score: 4, Insightful

      Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

      Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it on the internet! There is no such thing as "posted privately on the internet". If it's REALLY something you don't want seen don't even put it in a computer CONNECTED to the internet. In fact, don't even take the damned pictures!!!

      Gees, if brains were dynamite some people wouldn't have enough to blow their noses. I wonder how many pics in that 17 gig file are goatse?

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    5. Re:Solution: by cuantar · · Score: 4, Funny

      Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

      The intersection of these two sets is empty.

      --
      Legalize it.
    6. Re:Solution: by Pendersempai · · Score: 5, Insightful

      Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it on the internet!

      Really.

      So you don't have an online interface for your credit card? You don't do online banking? You don't manage your IRA or 401K online? You don't write any emails that you wouldn't want published? You don't use SSH to access sensitive information? You don't send any instant messages that you wouldn't want published? You don't visit any websites that you wouldn't want the world to know about?

      Oh, but that stuff's all different, you say. Sure, the information is all on a server, but the server will only send it to people who have the right password! Except, the MySpace photos weren't leaked by a mole; they were leaked because the server mistakenly sent it to anyone who asked for it.

      This is a big deal, and your snide reply (essentially "don't use the internet") doesn't come close to offering a workable solution.

    7. Re:Solution: by bcguitar33 · · Score: 5, Insightful

      We need to take this further. What about children talking on the telephone? They could be talking to pedophiles, potentially making plans to meet up. The government has got to monitor all telephone calls made by people under 18. Then again, these children could be out in public meeting pedophiles, or worse, being abused. It's the government's responsibility to monitor these minors at all times, to make sure they're not being abused. It would certainly take a lot of man-power to know where all these children are at all times. We'd have to resort to some sort of model of distributed responsibility. How about, we have 1-2 adults focusing on every child, and become responsible for what the kid is up to? For the sake of convenience we could just have the people who birthed each child be the ones responsible for them, and if they're not available, we could assign other ones. Any takers? This could solve all our problems!

  4. 4chan is gonna have a field day with this... by Anonymous Coward · · Score: 4, Funny

    Oh lord...there are gonna be some angsty teenagers with real reasons to cry soon...

    1. Re:4chan is gonna have a field day with this... by spun · · Score: 4, Insightful

      I thought everyone on 4chan was an angsty teenager with a real reason to cry, being that no human woman will ever touch them.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    2. Re:4chan is gonna have a field day with this... by orclevegam · · Score: 5, Funny

      I thought everyone on 4chan was an angsty teenager with a real reason to cry, being that no human woman will ever touch them.

      Funny, a quick browsing of 4chan leads me to believe most everyone on 4chan is really a collection of cleverly written troll bots. They certainly don't seem capable of passing a Turing test. You know, that would be a great experiment. Write a bot that posts random images out of a shared folder with appropriate descriptive comments, and randomly replies to other posts from a database of oft used memes and see how long before someone notices it's actually a bot. My money is on at least 2 months.
      --
      Curiosity was framed, Ignorance killed the cat.
  5. Maybe it's just me... by Derek+Loev · · Score: 5, Insightful

    I personally have better things to do than waste 17gb of space -- and a large amount of time -- looking through other people's pictures.

    1. Re:Maybe it's just me... by MacarooMac · · Score: 4, Funny

      It's called a multiphasic scan or sweep and can be conducted across multiple targets by modifying the navigational sensors to operate on a multiphasic bandwidth.

      --
      "He Who Dares Wins" ...or gets twenty-to-life for totaling their Bimmer on a poodle parade
  6. Slight Tweak: Myspace Privates Leak, Pictures! by webword · · Score: 5, Funny

    Title says it all...

  7. Trap! by fictionpuss · · Score: 5, Insightful

    No way would I touch that torrent.. all it takes is one underage myspace kid to have posted one nipple.. cue child pornography charges/public outcry/p2p filtering mandated/end game. It's the wet-dream of the **AA crowd.

    1. Re:Trap! by L4m3rthanyou · · Score: 5, Insightful

      Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

      Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.

      --
      One of these days, I'm going to cut you into little pieces.
    2. Re:Trap! by orclevegam · · Score: 4, Insightful

      Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

      Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.

      This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures. Obviously the nutjobs are going to go after whatever company is doing the hosting, but unless I'm missing something, if they're not aware of the content then all they have to do is make a good faith effort to delete anything they find, much like the case with copyright violations. Any legal experts on the laws concerned here know for sure what sort of issues this brings up?
      --
      Curiosity was framed, Ignorance killed the cat.
    3. Re:Trap! by meringuoid · · Score: 5, Insightful
      This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures.

      You charge the perpetrator with child abuse and with making and distributing indecent images of a minor. And you try them as an adult just for the glorious irony.

      --
      Real Daleks don't climb stairs - they level the building.
    4. Re:Trap! by AuMatar · · Score: 4, Informative

      Prediction? Hell, it's already happened.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:Trap! by Anonymous Coward · · Score: 5, Funny

      I am!

      *fap*
      *fap*
      *fap*
      *fap*

    6. Re:Trap! by afidel · · Score: 5, Insightful

      Yeah anyone who reads fark on a regular basis knows that kids who make home movies often get charged as adults for laws meant to protect the childish innocence. It really is very ironic and very SNAFU.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Trap! by MBGMorden · · Score: 5, Interesting

      Ironic. It's little known that parents are explicitly allowed to have nude photos of their kids as long as they are obviously not being abused and the pictures are not distributed. It keeps all the parents with the pictures of babies in the bathtub from going to jail. Kinda stupid that your parent can have a picture of you naked but this girl gets charged with child porn charges for having pictures of HERSELF.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    8. Re:Trap! by ShieldW0lf · · Score: 4, Insightful

      Ironic. It's little known that parents are explicitly allowed to have nude photos of their kids as long as they are obviously not being abused and the pictures are not distributed. It keeps all the parents with the pictures of babies in the bathtub from going to jail. Kinda stupid that your parent can have a picture of you naked but this girl gets charged with child porn charges for having pictures of HERSELF.

      Just to play devil's advocate: If we consider publishing nude photos of yourself to be pornography, why would we consider it not pornography when a young person does it?

      You might make the argument that child pornography should be treated differently when the perpetrator is also the child in question, but trying to say it's not pornography is nonsense.

      --
      -1 Uncomfortable Truth
    9. Re:Trap! by cyphercell · · Score: 5, Insightful

      so all pictures of nude people are pornographic? I think there's a word for that world view, oh yeah, prude.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    10. Re:Trap! by Mr2001 · · Score: 5, Insightful

      Just to play devil's advocate: If we consider publishing nude photos of yourself to be pornography, why would we consider it not pornography when a young person does it?

      The issue isn't whether or not it's pornography, but whether it merits all the outrage that usually accompanies "child pornography".

      "Child pornography" is generally considered bad because in order to make it, you have to have a minor in front of your camera who's posing erotically or having sex. Since the law presumes that minors are incapable of knowing whether or not they want to pose erotically or have sex, this means that producing these photos or videos involves an act that's equivalent to rape: putting a minor in that situation without her (legally recognized) consent.

      In the case of a minor posting her own pictures, however, there's no third party who could be accused of putting the minor in that situation against her will. It isn't even conceivably similar to rape, because the "victim" is making all the decisions on her own - if that's analogous to rape, then so is underage masturbation, and every teenager in the world is a sex offender.
      --
      Visual IRC: Fast. Powerful. Free.
  8. Private? by Eberlin · · Score: 5, Insightful

    I understand the general idea of privacy...but to expect any sort of privacy by putting your pictures online onto a server out of your control isn't exactly the smartest thing to do. I say if you've voluntarily uploaded it on one of the social networks, it can't be THAT private.

    I know, I know, the myspace demographic doesn't know any better.

    1. Re:Private? by Ajehals · · Score: 5, Insightful

      The myspace 'generation' *are* supposed to be the ones using and seeing 'value' in all the weird and wonderful crap out there geared toward them, they are the ones who are supposed to be massively connected with their mobile phones, email and social networking account. They are supposed to be benefiting from a massively connected world, identifying and receiving wonderful services and consuming all those wonderful products geared toward them. They are the generation that (apparently) cannot tell real life from role playing, are emotionally and mentally damaged from playing video games and browsing the web. In short they are the generation that everyone is referring to when they scream "think of the children".

      We, (I refer to the /. crowd, although I may be being over simplistic) are the demographic that saw the internet evolve, have technical knowledge of how parts work and can separate out our real lives and what we want to keep private, from our on-line identities and what we wish to be public. Unfortunately we are also the generation who don't understand nor see the appeal or utility in many of the new and wonderful social experiments going on on the web, we see the real dangers involved in using them in an inappropriate or irresponsible manner.

      We know the danger is from information about us being harvested, being used by future employers, insurance companies, the government, other corporates etc.. They (the 'myspace' generation) are worried about paedophiles and stalkers, whilst simultaneously being drawn to having deep personal relationships and generally being interesting (by whose standards I don't know) and pushing their personal information to anyone who will give them a linden dollar, a discount voucher or a chance to win an iPod.

      Or am I just getting old?

  9. never underestimate by circletimessquare · · Score: 5, Funny

    the power of bored horny teenaged males

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. Can someone run porn detection on this and reseed? by Anonymous Coward · · Score: 4, Insightful
    Porn-Detection Software

    Looking through all the junk is going to take too long.

  11. On the plus side by Weaselmancer · · Score: 5, Funny

    Yeah. Good grief, just what I need - 17Gb of pictures of other people's cats.

    But on the plus side, you could head over to Fark and be a LOLCAT GOD.

    --
    Weaselmancer
    rediculous.
    1. Re:On the plus side by gosand · · Score: 5, Funny
      But on the plus side, you could head over to Fark and be a LOLCAT GOD.


      What was the plus side again?

      --

      My beliefs do not require that you agree with them.

    2. Re:On the plus side by Jugalator · · Score: 4, Funny

      I agree, the advantage doesn't lie in posting this junk on Fark, but rather watching others do it! You'll learn the syntax for LOLCODE in the process! Think of it as a free programming course.

      --
      Beware: In C++, your friends can see your privates!
  12. Script to upload them to HotOrNot by xmuskrat · · Score: 5, Funny

    Somebody is going to write it.

    --
    activestudios web design
  13. Gee Thanks by TI-8477 · · Score: 4, Insightful

    By covering this story, Slashdot has exponentially accelerated the spread of these images, and the number of seeders.

  14. Re:One of the first rules on the internet? by MarkGriz · · Score: 4, Funny

    "I thought one of the first rules on the internet was that anything you put out there can fall into the wrong hands / become public?"

    No, the first rule of the internet is we don't talk about the internet.

    Oh crap...

    --
    Beauty is in the eye of the beerholder.
  15. I've looked. Yaaaaawn. by jridley · · Score: 5, Informative

    I downloaded the first zip, which is the first GB of images. I unzipped it, and I looked at the first 4500 images before falling asleep. 999 out of 1000 are crappy cellphone pics of ugly people drinking a beer and flipping off the camera, or vacation pics, or pics of someone's crappy car, or just simply snapshots of people (the vast majority).
    So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.

  16. Re:Dueling compression algorithms by _xeno_ · · Score: 5, Informative

    In case you're new at this: a torrent file can contain more than one file, organized into subdirectories. There's no need for any encapsulation.

    Sure there is. Ignoring the way BitTorrent actually encodes the information, and assuming that somehow every file name could be stored as one byte (ignoring the obvious flaw with that), by keeping all of them at the torrent level you'd require "more than 560,000" bytes just devoted to file names. Since the general rule of thumb is to keep the actual .torrent file around 100KB, give or take, that's right out.

    Now, throwing in the way the .torrent file actually stores the list of file names, you're looking at at least 21 bytes per file. Assuming 560,000 files, that bloats the .torrent file to over 11.2MB - and that's still not realistic, because it requires every file to be less than 10 bytes in size and all of them to have empty path names. (Which is obviously not valid.)

    Throw in realistic constraints, and you're adding another 15 bytes, bringing us to a total of 36 bytes per file - bloating the .torrent to 19.2MB, just for file names.

    So, in short, the reason to place them in a ZIP file and not use the multi-file feature is because using the multiple file feature would massively bloat the .torrent file. Now the final .ZIP file has similar requirements per file in the ZIP file, but that becomes payload as part of the BitTorrent download and not something that has to be downloaded via non-BitTorrent means first.

    Finally, for an explanation of where those numbers above come from, the "smallest possible" form for a file would be:

    "d6:lengthi0e4:pathlee" (21 bytes)

    The "more realistic constraints" brings that to:

    "d6:lengthi100000e4:pathl8:0000.JPGee" (36 bytes)

    Yes, the .torrent file is essentially "plain text" although the piece hashes are stored as binary strings. It's encoded using "Bencoding" - which isn't the most compact of formats.

    --
    You are in a maze of twisty little relative jumps, all alike.
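
Added example (not part of the comment above and not code from any BitTorrent client): a minimal bencoder that reproduces the 21-byte and 36-byte file entries quoted in the comment and measures the bencoded `files` list for 560,000 entries. The six-digit file names and the constant 100000-byte length are assumptions made for illustration; sizes are reported in MiB (2**20 bytes).

```python
"""Added example: how large the bencoded `files` list of a multi-file .torrent gets."""


def bencode(value) -> bytes:
    """Encode ints, byte/text strings, lists and dicts using bencoding."""
    if isinstance(value, bool):
        raise TypeError("bencoding has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Dictionary keys are byte strings and are emitted in sorted order.
        pairs = sorted(
            ((k.encode("utf-8") if isinstance(k, str) else k, v)
             for k, v in value.items()),
            key=lambda kv: kv[0],
        )
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in pairs) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def file_entry(length: int, path: list) -> bytes:
    """One element of the `files` list: a dict with `length` and `path`."""
    return bencode({"length": length, "path": path})


def estimate_mib(count: int, bytes_per_entry: int) -> float:
    """Back-of-envelope size used in the comment: entries times bytes each."""
    return count * bytes_per_entry / 2**20


def files_list_size(count: int, length: int = 100000,
                    name_fmt: str = "{:06d}.JPG") -> int:
    """Exact size of a bencoded `files` list with uniquely named entries.

    name_fmt and length are assumed values; unique names for 560,000 files
    need six digits, so each entry is slightly larger than the 36-byte case.
    """
    total = 2  # the enclosing 'l' and 'e'
    for i in range(count):
        total += len(file_entry(length, [name_fmt.format(i)]))
    return total


if __name__ == "__main__":
    smallest = file_entry(0, [])
    realistic = file_entry(100000, ["0000.JPG"])
    print(smallest, len(smallest))
    print(realistic, len(realistic))
    for per_entry in (len(smallest), len(realistic)):
        print(per_entry, "bytes/entry ->",
              round(estimate_mib(560_000, per_entry), 1), "MiB")
    exact = files_list_size(560_000)
    print("unique six-digit names:", exact, "bytes =",
          round(exact / 2**20, 1), "MiB")
```
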
  17. Re:Dueling compression algorithms by syukton · · Score: 4, Interesting

    Those multiple .RAR files most likely originated on Usenet, where corruption-resistance is very important (indeed, the .RAR files are often accompanied by .PAR parity files as well).

    The .torrent was probably just created from a usenet download, omitting the .PAR files (which are unnecessary when using Bittorrent).

    --
    Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
  18. Submitter should RTFA, bug was known for months by infestedsenses · · Score: 4, Informative
    From the summary:

    We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast.

    No it didn't. MySpace let this thing go on for months. From TFA:

    The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.

    The irony (and scandal) is that they not only failed to uphold their privacy policy despite being in the public spotlight over the last 2 years precisely for privacy issues, but that they didn't bother to acknowledge or fix this bug until a high traffic site reported on it.