Feeds

Teen data on Myspace compromised

Hack allows 'private' entries to be made public

The Power of One eBook: Top reasons to choose HP BladeSystem

A security hole in the popular MySpace social networking site allowed users to view entries marked "private", a crucial protection for users aged under 16, according to weekend reports.

Though the site is said to have fixed the problem, it was said by news reports to have been active for months. Nobody at MySpace was immediately available for comment.

The explosion of social networking sites has caused significant worry for parents and politicians over how to protect children from sexual advances over websites. The amount of information that young people reveal about themselves coupled with the opportunities for deception by sexual predators has led to concerns that the sites can be dangerous.

Leading social networking site MySpace introduced private profiles as a security measure. Earlier this summer, MySpace owner News Corporation introduced new rules to protect teenagers.

The profile of anyone under 16 was changed so that it was automatically set to "private", a status that users could previously choose, but which was not compulsory. Users over 18 attempting to contact users under 16 now have to type in the child's actual first and last name or email address in order to initiate contact, a move designed to protect children from unsolicited advances.

A piece of code has now been revealed which users claim can allow access to private profiles. Information about the hack became widely publicised through news site Digg.com last weekend, and reports this week claim that the problem has been fixed.

There are much earlier reports of the existence of the hack, though, which suggest that profiles have been being hacked for months. A post by a user called AtariBoy on the site Geeklimit.com in April detailed a hack which claimed to access users' private profile details.

"Many myspacers use CSS [cascading style sheets] to hide their comments, friends list and blog links," wrote AtariBoy. "These elements are not deleted tho [sic] and are still available publicly to anyone. You can view them by one of two methods below."

The site was said this week to have fixed the problem, though some users of the hack reported subsequently that it still worked and private profiles were still accessible.

"In the UK, the vulnerabilities alleged could amount to a breach of the Data Protection Act," said Struan Robertson, editor of OUT-LAW.COM and a technology lawyer with Pinsent Masons.

The Data Protection Act says "appropriate technical and organisational measures" must be taken to prevent unauthorised access to personal data held by organisations.

"For any site, the technical measures that are appropriate will vary depending on the type of data held and the harm that might result from a security breach," Robertson said. "There is best practice guidance in the UK for sites used by children and, if the allegations are true, it may be that MySpace fell short of the standard expected."

The Home Office taskforce's "Good practice guidance for the moderation of interactive services for children" refers to the Data Protection Act provisions and notes: "If data systems are vulnerable to hacking, or operated by people outside the control of the service operator, there is the potential that the security of users' personal data could be at risk."

If the Act's security principle were found to have been breached, a person who suffered as a result could be entitled to sue in the UK for compensation for distress.

See: guidelines from The Home Office taskforce on child protection on the internet (35 page/191KB PDF)

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Top three mobile application threats

More from The Register

next story
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.