
MySpace Private Pictures Leak

Posted by ScuttleMonkey
from the if-you-don't-want-it-shared-don't-put-it-out-there dept.
Martin writes "We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast. Unfortunately though (for MySpace) someone did use an automated script to run over 44,000 profiles that downloaded all private pictures which resulted in a 17 Gigabyte zip file with more than 560,000 pictures. The zip file is now showing up on popular torrent sites across the net."
  • by grub (11606) <slashdot@grub.net> on Friday January 25, 2008 @04:05PM (#22185904) Homepage Journal

    fetch! [thepiratebay.org]
    • Trap! (Score:5, Insightful)

      by fictionpuss (1136565) on Friday January 25, 2008 @04:15PM (#22186044)
      No way would I touch that torrent.. all it takes is one underage myspace kid to have posted one nipple.. cue child pornography charges/public outcry/p2p filtering mandated/end game. It's the wet-dream of the **AA crowd.
      • Re:Trap! (Score:5, Insightful)

        by L4m3rthanyou (1015323) on Friday January 25, 2008 @04:42PM (#22186452)
        Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

        Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.
        • Re:Trap! (Score:5, Insightful)

          by orclevegam (940336) on Friday January 25, 2008 @05:03PM (#22186778) Journal

          Actually, I think this is more of a threat to myspace itself. After all, they were hosting all of these pictures... when people discover how much kidporn is stored on myspace (I'm sure there's a significant amount of it), THEN there will be a public outcry, and no one is going to care about the people who downloaded the leaked photos. The backlash will be against myspace itself, by the "think of the children!" nutjobs.

          Figures... and they just put further measures in place to attempt to "protect" children from themselves. Oh well, I have a hard time feeling sorry for myspace since (a) it's myspace and (b) it's owned by News Corp.
          This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures. Obviously the nutjobs are going to go after whatever company is doing the hosting, but unless I'm missing something, if they're not aware of the content then all they have to do is make a good faith effort to delete anything they find, much like the case with copyright violations. Any legal experts on the laws concerned here know for sure what sort of issues this brings up?
          • Re:Trap! (Score:5, Insightful)

            by meringuoid (568297) on Friday January 25, 2008 @05:11PM (#22186918)
            This does bring up the interesting question though, of how one deals with kidporn that's being posted by the kids in the pictures.

            You charge the perpetrator with child abuse and with making and distributing indecent images of a minor. And you try them as an adult just for the glorious irony.

      • Re: (Score:3, Interesting)

        by Firehed (942385)
        I know the legal answer is yes, but should it really count if they take and post the pics themselves?
      • Re: (Score:3, Interesting)

        by aminorex (141494)
        Do you mean that Rupert Murdoch is distributing c.p.?
    • Re: (Score:3, Insightful)

      by wiggles (30088)
      And risk getting busted for KP? How many idiot high school kids post naughty pics of themselves on there?
    • by carpe_noctem (457178) on Friday January 25, 2008 @04:19PM (#22186116) Homepage Journal
      My dog only plays fetch when I throw her sticks... this would be like throwing a sequoia log!
      • Re: (Score:3, Informative)

        by ArsenneLupin (766289)
        Unusually intelligent dog.

        Most other dogs attempt to fetch no matter what you throw: sticks that are obviously too heavy to fetch, snowballs, small objects which you only pretend to throw but actually hide inside your sleeve...

        Lotsa phun...

    • by xmuskrat (613243) on Friday January 25, 2008 @04:26PM (#22186202) Homepage
      Somebody is going to write it.
    • Re: (Score:2, Funny)

      by Big Nothing (229456)
      Watch out, though, my goatse-pix is in there somewhere.

    • Gee Thanks (Score:4, Insightful)

      by TI-8477 (1105165) on Friday January 25, 2008 @04:35PM (#22186340)
      By covering this story, Slashdot has exponentially accelerated the spread of these images, and the number of seeders.
  • It's a diversion.. (Score:5, Insightful)

    by GreggBz (777373) on Friday January 25, 2008 @04:08PM (#22185944) Homepage
    It's p2p diversion... It was the RIAA. Brittney Spears or Brittney next door? Curiosity and perversion are certainly more powerful than greed.
  • Solution: (Score:5, Insightful)

    by Normal Dan (1053064) on Friday January 25, 2008 @04:08PM (#22185948)
    Ask 'Who cares?'
    Then ask 'why?'
    Then ask 'so?'
    Then keep asking 'so?' until you realize it's not that big of a deal.
    Problem solved.
    • Re:Solution: (Score:5, Insightful)

      by CaptainPatent (1087643) on Friday January 25, 2008 @04:15PM (#22186046) Journal

      Ask 'Who cares?'
      Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

      Then ask 'why?'
      Because this has huge implications for online security.

      Then ask 'so?'
      So, something like this that is potentially damaging should have had much better security measures against it.

      Then keep asking 'so?' until you realize it's not that big of a deal.
      I'm asking... it's still a big deal

      Problem solved.
      I think not.
      • by Mikya (901578) <mikyathemad@CHICAGOgmail.com minus city> on Friday January 25, 2008 @04:21PM (#22186140)
        So?
      • Re:Solution: (Score:5, Insightful)

        by Bob9113 (14996) on Friday January 25, 2008 @04:24PM (#22186180) Homepage
        something like this that is potentially damaging should have had much better security measures against it.

        Ummm, if you store potentially damaging photos on a third-party web site that is not intended to be a secure repository, why would you expect high security?

        Because this has huge implications for online security.

        Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.
        • Re: (Score:3, Insightful)

          by Anonymous Coward
          The site is also directed to teens and pre-teens.
          Do you really think they have the common sense to know that?
          • Re: (Score:3, Insightful)

            by Aphex Junkie (633436)
            They should, assuming that all the "Internet Safety" classes those hysterical moms created are actually doing their job. I often hear: "Do not give out personal information online.". How much more personal can you get than a photo (a nude photo especially)?
        • Re: (Score:3, Interesting)

          by mstahl (701501)

          Really? I think it just shows that MySpace is not (nor is it intended to be) a high security repository.

          With underage kids able to post whatever photos they want without moderation, it needs to be, though. If myspace can't hold their shit together with this then they're going to either have to start moderating photos somehow, start verifying ages somehow, or not allow youngin's to join at all. I doubt any of those is particularly palatable with them, but really this is just a consequence of appealing to the super-young crowd anyway. It's become a haven for all manner of shadiness.

          • Re:Solution: (Score:4, Insightful)

            by Bob9113 (14996) on Friday January 25, 2008 @05:29PM (#22187152) Homepage
            With underage kids able to post whatever photos they want without moderation, it needs to be [high security], though.

            No, it does not. It is the job of the parents to provide moderation. It is not my job, my company's job (though I don't work for MySpace), nor my government's job to parent someone else's children. If we can have cars traveling down streets at high speed without child restraint systems to keep children from walking into traffic, we can damned well expect parents to keep their kids safe online.
            • Re: (Score:3, Insightful)

              by mstahl (701501)

              That's not really what I'm saying. You're already given the fact that kids are posting god knows what online, whether parents moderate it or not (and I agree with you: they should). Given that, whatever it is they've got up there be it really sleazy or not needs to be kept away from pedophiles and other shady characters anyway. The point I was making is that there are far too many users, far too many photos, for all of them to be looked over before they're made public. There's a reason profiles of children

              • Re:Solution: (Score:5, Insightful)

                by bcguitar33 (1001772) on Friday January 25, 2008 @06:04PM (#22187578)
                We need to take this further. What about children talking on the telephone? They could be talking to pedophiles, potentially making plans to meet up. The government has got to monitor all telephone calls made by people under 18. Then again, these children could be out in public meeting pedophiles, or worse, being abused. It's the government's responsibility to monitor these minors at all times, to make sure they're not being abused. It would certainly take a lot of man-power to know where all these children are at all times. We'd have to resort to some sort of model of distributed responsibility. How about, we have 1-2 adults focusing on every child, and become responsible for what the kid is up to? For the sake of convenience we could just have the people who birthed each child be the ones responsible for them, and if they're not available, we could assign other ones. Any takers? This could solve all our problems!
              • Re:Solution: (Score:4, Insightful)

                by torkus (1133985) on Friday January 25, 2008 @07:27PM (#22188452)
                "The government's job is to protect the common good, which includes keeping children safe from predators"

                Who defines common good? Who defines what level of 'protection' is appropriate or necessary? Sorry, but I disagree with you. It is the job of the *PARENTS* to keep children safe. No one else unless they agree to take the responsibility. i.e. you hire a babysitter, school, or other activities intended specifically for children. Even then, the ultimate responsibility still falls back on the parents. Check out the daycare. Babysitter isn't a pothead?

                It's not myspace's fault if their site is mis-used by children. They make a reasonable effort to protect children on their site. There is NO guarantee of ANYTHING (read the 20 page TOS/disclaimer). Just like gun makers aren't responsible for gang shootings, myspace isn't responsible if someone uploads KP.
      • by Animaether (411575) on Friday January 25, 2008 @04:31PM (#22186302) Journal
        "Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see."

        I thought one of the first rules on the internet was that anything you put out there can fall into the wrong hands / become public?

        I certainly wouldn't trust MySpace with personal affairs - if not because of technical glitches / hackers, then because of a disgruntled employee who decides offering the entire database up is so much more rewarding than going postal.

        Though the whole idea of using MySpace - a site where everybody openly shares information about themselves.. that's the whole point, after all - for *anything* private at all sounds ridiculous to me in its very premise.

        Just my 2cts.. I do feel sorry for those who are/will be affected, especially in the days to come as the juicier bits are filtered out and plastered all over the web and into youtube videos for truly everybody to see, as even though my opinion is that there's no reasonable expectation for true privacy on those sites, that doesn't mean they asked for some stupid hacker and a scriptkiddie to go running amok with it.
      • Re:Solution: (Score:4, Insightful)

        by sm62704 (957197) on Friday January 25, 2008 @04:40PM (#22186436) Journal
        Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

        Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it on the internet! There is no such thing as "posted privately on the internet". If it's REALLY something you don't want seen don't even put it in a computer CONNECTED to the internet. In fact, don't even take the damned pictures!!!

        Gees, if brains were dynamite some people wouldn't have enough to blow their noses. I wonder how many pics in that 17 gig file are goatse?
        • Re:Solution: (Score:5, Insightful)

          by Pendersempai (625351) on Friday January 25, 2008 @05:27PM (#22187120)

          Rule #1 of the internet: If you don't want anyone to see something, don't fucking put it on the internet!

          Really.

          So you don't have an online interface for your credit card? You don't do online banking? You don't manage your IRA or 401K online? You don't write any emails that you wouldn't want published? You don't use SSH to access sensitive information? You don't send any instant messages that you wouldn't want published? You don't visit any websites that you wouldn't want the world to know about?

          Oh, but that stuff's all different, you say. Sure, the information is all on a server, but the server will only send it to people who have the right password! Except, the MySpace photos weren't leaked by a mole; they were leaked because the server mistakenly sent it to anyone who asked for it.

          This is a big deal, and your snide reply (essentially "don't use the internet") doesn't come close to offering a workable solution.

      • by cuantar (897695) on Friday January 25, 2008 @05:13PM (#22186940) Homepage
        Um, Anybody concerned with internet privacy along with everybody who had a myspace account with pictures posted privately they did not intend the public to see.

        The intersection of these two sets is empty.
  • by Anonymous Coward on Friday January 25, 2008 @04:09PM (#22185958)
    Oh lord...there are gonna be some angsty teenagers with real reasons to cry soon...
  • by Derek Loev (1050412) on Friday January 25, 2008 @04:13PM (#22186002)
    I personally have better things to do than waste 17gb of space -- and a large amount of time -- looking through other people's pictures.
  • by webword (82711) on Friday January 25, 2008 @04:13PM (#22186008) Homepage
    Title says it all...
  • Private? (Score:5, Insightful)

    by Eberlin (570874) on Friday January 25, 2008 @04:16PM (#22186056) Homepage
    I understand the general idea of privacy...but to expect any sort of privacy by putting your pictures online onto a server out of your control isn't exactly the smartest thing to do. I say if you've voluntarily uploaded it on one of the social networks, it can't be THAT private.

    I know, I know, the myspace demographic doesn't know any better.
    • by Basehart (633304)
      "I know, I know, the myspace demographic doesn't know any better."

      They've got more important things to do, like buy $150 HD-DVD players from Wal-Mart.
  • Is there anything especially interesting in the batch?
  • Misplaced Trust (Score:3, Insightful)

    by Dragonshed (206590) on Friday January 25, 2008 @04:20PM (#22186122)
    Although I do think people should have a reasonable expectation of privacy when marking/tagging pictures as private through services like MySpace, I think it's a risk anytime you upload a picture or document or anything else to any computer that isn't physically your own property.

    If anyone was actually exposed by this, it's their own fault.
    • Re: (Score:3, Insightful)

      by LWATCDR (28044)
      Imagine that. You upload pictures to someone's server and have little to no control who downloads them.
      Top it off with the fact that MySpace really seems to be pretty poorly written to start with and it is no big shock.
      What I don't get is how they didn't notice this one IP address sucking down this much data.
      I guess they don't look at logs.
      • Re: (Score:3, Funny)

        by caluml (551744)

        I guess they don't look at logs.
        I would imagine that tail -f /var/log/apache/access_log scrolls past pretty quickly... :)
      • Re: (Score:3, Insightful)

        by griffjon (14945)
        And from TFA: "...an automated script to run nearly 44,000 MySpace user profiles through one of the ad-supported sites, MySpacePrivateProfile.com -- a process he says took about 94 hours"

        uh... seriously? Did no one notice a huge spike of requests for only images from one IP, over the course of almost four days?

        Though I guess this seems to be just the most egregious violation of this hole (any double entendre based on the potential content of said pictures is unintentional); as "The MySpace hole surfaced la
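Added example, not part of the thread and not MySpace's tooling: the pattern these comments describe (one client pulling only images, at volume, for hours) can be flagged from an Apache-style access log with a short script. The log lines, IP addresses, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def summarize(lines):
    """Aggregate successful image downloads per client IP."""
    stats = defaultdict(lambda: {"images": 0, "bytes": 0, "hours": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXT):
            continue  # only image fetches count toward the signal
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ip"]]
        s["images"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        s["hours"].add(ts.strftime("%Y-%m-%d %H"))  # distinct active hours
    return stats


def flag_bulk_clients(lines, min_images=100, min_hours=3):
    """Return {ip: (images, bytes, active_hours)} for sustained bulk pulls.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["images"] >= min_images and len(s["hours"]) >= min_hours:
            flagged[ip] = (s["images"], s["bytes"], len(s["hours"]))
    return flagged


def constructed_sample():
    """Constructed log lines using documentation-range IPs, not real data."""
    lines = []
    for hour in range(4):          # one client, 50 images an hour for 4 hours
        for i in range(50):
            lines.append(
                f'203.0.113.7 - - [25/Jan/2008:{hour:02d}:{i:02d}:00 +0000] '
                f'"GET /images/{hour}_{i}.jpg HTTP/1.1" 200 30000'
            )
    for i in range(5):             # ordinary visitors, one image each
        lines.append(
            f'198.51.100.{i + 1} - - [25/Jan/2008:01:{i:02d}:00 +0000] '
            f'"GET /images/p{i}.jpg HTTP/1.1" 200 30000'
        )
    lines.append('198.51.100.9 - - [25/Jan/2008:01:30:00 +0000] '
                 '"GET /index.html HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ip, (n, size, hours) in flag_bulk_clients(constructed_sample()).items():
        print(f"{ip}: {n} images, {size} bytes, active in {hours} hours")
```

Counting distinct active hours as well as volume is what separates a sustained crawl from a short burst by a busy visitor.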
    • Re: (Score:3, Insightful)

      by Belial6 (794905)
      I know you are not the only one saying this, but really... At some point you are trusting third parties with your data. Just because you physically own the computer doesn't mean that your data is even close to being secure. We are specifically talking about pictures here. Even if you trust Microsoft, who has shown that they believe copyright is only to be used to their benefit, you also have to trust the phone manufacturers, as well as trust the employees of every driver producer you install drivers from
  • the power of bored horny teenaged males
  • by Anonymous Coward on Friday January 25, 2008 @04:22PM (#22186154)
    Porn-Detection Software [yangsky.com]

    Looking through all the junk is going to take too long.

  • by snarfies (115214)
    If you want to keep something "private," DO NOT PUT IT ON THE INTERNET.
  • huh (Score:3, Funny)

    by mooreti1 (1123363) on Friday January 25, 2008 @04:38PM (#22186412)
    Wow, 17 gbs of pubescent girls doing the "Blue Steel" face. What a mind-numbing waste of bandwidth and time.
    • Re: (Score:3, Funny)

      by Chrutil (732561)
      >>Wow, 17 gbs of pubescent girls doing the "Blue Steel" face.

      Well, some of them totally nailed the "Magnum".
  • by jridley (9305) on Friday January 25, 2008 @05:28PM (#22187132)
    I downloaded the first zip, which is the first GB of images. I unzipped it, and I looked at the first 4500 images before falling asleep. 999 out of 1000 are crappy cellphone pics of ugly people drinking a beer and flipping off the camera, or vacation pics, or pics of someone's crappy car, or just simply snapshots of people (the vast majority).
    So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.
    • I found exactly zero images that I think anyone would give a crap about.
      One could say the same thing about the photos taken by Google's street view. But some people somewhere found time to find that one picture of the girl with the thong getting into her car.

      Just watch. Cue the countdown.

    • by inviolet (797804) <slashdot@ideasma ... g minus caffeine> on Friday January 25, 2008 @07:44PM (#22188632) Journal

      So far out of 4500 images, I found exactly zero images that I think anyone would give a crap about. I'm not even sure why the vast majority of them are even bothered marking private; nobody would care about them at all.

      It is done for the same reason women, including me, enjoy fretting about rape: they're flattering themselves.

      One thing the internet's sheer size teaches you: you are just another nobody, who'd have to dig deep to find some trait that is simultaneously unique and valuable. On the one hand this is a Good Thing, because it blasts from Earth forever the notion that one might be a freak in some way. On the other hand, now we have to struggle to differentiate ourselves, even in our own minds.

  • by TheNinjaroach (878876) on Friday January 25, 2008 @05:30PM (#22187166)
    Myspace appears to use a static content server that does no validation of who you are before returning JPGs.

    When not working or browsing Slashdot, a friend and I will exchange URLs to profile pics of "interesting" looking women. If the profile is private, the URL to the private JPG is not protected and we would exchange those instead. I haven't spent any time trying to find a pattern in the seemingly-random JPG names, so it appears difficult to pull the private images of any one person, but in general everyone's pics are available if you know the URL.
    • Re: (Score:3, Interesting)

      by Bri3D (584578)
      Yes. This is how MySpace, Facebook, Photobucket, etc. are designed. It'd be very database-intensive and difficult to handle sessions/permissions every single time someone requested a static image.
      It's not a big deal in the case of MySpace and Facebook; the images are randomly-enough named that I don't think anyone's figured out the scheme (if there is one). Basically all it does is let you and your friend trade images of people one of you already knows, which isn't too bad considering that anyone who posts
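Added example, not part of the thread and not any site's actual design: a static image server can enforce access without a per-request session or database lookup if the application server, after its own privacy check, hands out links carrying an expiry and an HMAC that the image server recomputes. The key, paths and parameter names (`exp`, `sig`) are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret shared by the app server and the image server.
SECRET = b"constructed-demo-key"


def _mac(path, expires):
    """HMAC-SHA256 over the exact path and expiry the link is valid for."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, ttl=300, now=None):
    """App server side: call only after the viewer passed the privacy check."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{path}?{urlencode({'exp': expires, 'sig': _mac(path, expires)})}"


def verify_url(url, now=None):
    """Image server side: pure computation, no session or database access."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # bare or malformed URL: knowing the file name is not enough
    if (now if now is not None else time.time()) > expires:
        return False  # a traded or leaked link stops working after the TTL
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(sig.encode(), _mac(parts.path, expires).encode())


if __name__ == "__main__":
    link = sign_url("/img/abc123.jpg", ttl=300, now=1000)   # constructed path
    print(link)
    print(verify_url(link, now=1100))                        # within TTL
    print(verify_url(link, now=1301))                        # expired
    print(verify_url("/img/abc123.jpg", now=1100))           # unsigned
    print(verify_url(link.replace("abc123", "zzz999"), now=1100))  # other file
```

A signed link still works for anyone who holds it until it expires, so the TTL bounds the exposure from passing URLs around rather than removing it.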
  • by infestedsenses (699259) on Friday January 25, 2008 @06:19PM (#22187706) Homepage
    From the summary:

    We all heard about the MySpace vulnerability that allowed everyone to access pictures that have been set to private at MySpace. That vulnerability got closed down pretty fast.

    No it didn't. MySpace let this thing go on for months. From TFA:

    The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.

    The irony (and scandal) is that they not only failed to uphold their privacy policy despite being in the public spotlight over the last 2 years precisely for privacy issues, but that they didn't bother to acknowledge or fix this bug until a high traffic site reported on it.
