As you might have read on my blog, I recently reported a security issue to MySpace. Instead of getting a "thank you for informing us of this problem" (which was all I wanted... I was aiming for MySpace to make their site safer, not for any publicity or anything :P), they deleted my account. The security hole I reported was patched though, so I guess that's good. I'm still annoyed at the deletion though. All my test accounts got deleted, but suprisingly my music account wasn't.

Anyways, I've found another security hole today. Not another XSS hole, this is a different security hole with some privacy implications. So, the way that I see it, I have a few options regarding what I can do at this point:

  1. Do "the right thing" and report it to them again. Probably getting my remaining accounts deleted in the process (I have a new personal profile, and my music profile that wasn't deleted).
  2. Tell someone else and get them to report it on my behalf.
  3. Ignore it and hope they fix it themselves.
  4. Post it to a security/"hackers" website.

Obviously, the last one is not something I'd usually do, I'm just not that type of person. However, if someone were to do something like that, assuming it's posted anonymously, nothing bad would happen. So, the thing that's the most "correct" (reporting it to them) would get punished (as my previous reported security hole showed), whereas the thing that's "wrong" (posting it to a security site) wouldn't. Isn't it obvious what most people would do? How funny.

— Daniel

Short URL for sharing: https://d.sb/B1q. This entry was posted on 8th February 2009 and is filed under MySpace. You can leave a comment if you'd like to, or subscribe to the RSS feed to keep up-to-date with all my latest blog posts!

Comments

  1. Avatar for stubbers stubbers said:

    Paybacks a bitch, submit it directly to security vuln websites!!

  2. Avatar for wasiflaeeq wasiflaeeq said:

    Give it to me :) just kidding :D

    1. Avatar for Daniel15 Daniel15 said:

      Haha, they fixed the security hole :P

  3. Avatar for John Doe John Doe said:

    Hey, do you think you could possibly give me the email you were provided? I wish to report a vulnerability to them as well and I neither own a myspace account nor do I want to wait for a blog post to be noticed.

    1. Avatar for Daniel15 Daniel15 said:

      Try security.enforcement@myspace.com, it's what they gave me back in 2009. Note that it might have changed since then.