As you might have read on my blog, I recently reported a security issue to MySpace. Instead of getting a "thank you for informing us of this problem" (which was all I wanted... I was aiming for MySpace to make their site safer, not for any publicity or anything :P), they deleted my account. The security hole I reported was patched though, so I guess that's good. I'm still annoyed at the deletion though. All my test accounts got deleted, but surprisingly my music account wasn't.
Anyways, I've found another security hole today. Not another XSS hole, this is a different security hole with some privacy implications. So, the way that I see it, I have a few options regarding what I can do at this point:
Do "the right thing" and report it to them again. Probably getting my remaining accounts deleted in the process (I have a new personal profile, and my music profile that wasn't deleted).
Tell someone else and get them to report it on my behalf.
Ignore it and hope they fix it themselves.
Post it to a security/"hackers" website.
Obviously, the last one is not something I'd usually do, I'm just not that type of person. However, if someone were to do something like that, assuming it's posted anonymously, nothing bad would happen. So, the thing that's the most "correct" (reporting it to them) would get punished (as my previous reported security hole showed), whereas the thing that's "wrong" (posting it to a security site) wouldn't. Isn't it obvious what most people would do? How funny.
A while back, I reported a security problem to MySpace. Being a nice person, I thought I'd email them and wait for a reply before telling anyone else (I thought I was the only one to find this problem, but it appears a few others knew of it too. I didn't know this until later). I have reported a few problems to MySpace in the past, and they usually took around two weeks or so to reply. Sure, their reply was something generic, but it was a reply at least. Anyways, back to this story. So, after writing to them, I waited two weeks. Didn't hear anything back from them. A month, still didn't hear anything. So I thought that as a month had passed, I may as well report the security hole to a security site. I wrote to xssed.com, and after a small wait they published an article on it.
Today, I tried to log in to my account, and it didn't work. Interesting, I was sure I was typing the correct password. I went to use the "Forgot your password?", and it said my email is invalid. So that's it, they've deleted my account. For me, MySpace was a way to keep in touch with old friends I otherwise wouldn't be able to talk to. And now they've deleted my account. So, they deleted my account for reporting a security issue and showing them a harmless example, yet people that actively try to attack MySpace accounts still have active accounts? This makes no sense; if anything they should be thanking me for finding the bug on their site, and being nice enough not to do anything evil with it. It's totally unfair. Just before deleting the account, I had 467 friends, 1991 comments, 2300 messages, and just over 19000 profile views. I have no clue what's going to happen to my Windows Live Messenger MySpace app, an application that now has around 51,000 users. Whatever, I'm done with MySpace now. I made a new account but don't really care about it any more. Add me on Facebook.
Oh, and http://www.myspace.com/daniel_1515 was my old account. In case anyone searches for it in Google.
Update 2010-03-28: MySpaceTools.ws is no longer available, due to MySpace blocking my server from accessing it.
Edit: This has been moved to MySpaceTools.ws. Please email errors [-at-] myspacetools.ws for support, do not comment here.
Based on a blog entry I read about backing up your profile, I decided to try and write a script that would grab your entire friend list so you can have a local copy of it. It was kinda hard to do, but I've managed to write a relatively simple script that will grab your entire friends list, and display it on the one page. It does so by grabbing each page in the "View All Friends" section, and essentially merges them all together. What you end up with is one page that contains your entire friends list.
Take a look at [broken link removed] for the script so far. Note that it will currently not work on private profiles (although I'm working on a fix for that). For now, if you have a private profile, you must temporarily set your profile to public in order to export the friends list.
You can easily save the page it generates (via File → Save As...) and keep it as a local copy of your friends list. Yes, I know how it displays its output is kinda ugly at the moment, but I'm a coder, not a designer :P
Hope it's useful for someone. :)
I originally posted this to the MySpace Forums, but thought I should also post it here.