June 4, 2008 4:54 PM PDT

MySpace, Yahoo blame bad APIs for celebrity photos breach

by Elinor Mills

Paris Hilton and Lindsay Lohan's private MySpace photos are all over the Internet now, thanks to a glitch that MySpace and Yahoo blame on bad APIs.

While the not-so-publicity-shy stars probably won't mind, and none of the photos are all that racy (except for the one of a fully dressed, provocatively posed Hilton in a tanning booth), there's a lesson for us all in this social network privacy flap du jour.

"Anything you upload to a public Web site is not private; it's public. Even if you think it is password protected," says Jeremiah Grossman, chief technology officer at White Hat Security, a Web application security company. "That's the bottom line."

The photos began making the rounds on Tuesday after computer technician Byron Ng released them publicly and gave Valleywag detailed instructions for his hack. Valleywag has also posted the photos.

The problem has been fixed so don't bother trying to replicate it. But the breach resurrects the debate over whether the notion of privacy is outdated in a world where you party too much at an event and the next morning an embarrassing photo is up on your friend's Facebook page.

Valleywag blamed data portability, the concept underlying the sharing of data between social networks and other sites.

However, according to MySpace, it had nothing to do with data portability and everything to do with "deprecated APIs."

Grossman attributed it to "insufficient authorization," a flaw he said is common on all types of Web sites, not just social-networking sites.

"MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible. Recently, MySpace and Yahoo were alerted to a vulnerability within the MySpace widget on the Yahoo mobile platform," MySpace and Yahoo said in a statement. "The functionality of the widget has currently been disabled as we work to roll out an immediate fix."

The man behind the exposé is none other than Byron Ng, a Vancouver-based computer technician who found a hole in Facebook and got to photos on founder Mark Zuckerberg's private page in March.

Ng also is credited with uncovering a digital version of most of the unreleased Harry Potter book last summer.

Ng, if you're out there, I'd love to talk to you.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
11 Comments
by Dead Soulman June 4, 2008 5:56 PM PDT
If you're stupid enough to post stuff on the internet you don't want the world to see, then you deserve all the ridicule that may come your way. Just because a company says that the content will remain private, doesn't mean that it's guaranteed. But, considering that Lohan and Hilton are two exhibitionists and media-hungry clowns, well, they got what they wanted. Attention. People forget to realize that when it comes to the internet, there's no such thing as privacy. Sooner or later that content will become public.
by Geeeeez June 5, 2008 3:27 AM PDT
You'd, "love" to talk to a guy who has never discovered anything except OLD information, OTHER PEOPLE have publicly posted... mindboggling.

"who found a hole in Facebook and got to photos on founder Mark Zuckerberg's private page in March."

I don't think so Elinor.

http://www.maximumpc.com/article/how_you_used_to_view_private_photos_on_facebook
by Lerianis June 5, 2008 9:30 AM PDT
For goodness sakes..... frankly, why are these people upset that these pictures are getting on the internet? Frankly, my cousin was pleased as punch recently when a picture she uploaded onto her webpage was used by someone else in a photo collage of the 'most beautiful girls in America'.
It seems that there is a HUGE problem here with the stupidity of people who don't want other people to see them nude, yet upload these pictures WITHOUT PASSWORDS onto sites that sometimes, don't offer password protection of albums.
by Mergatroid Mania June 5, 2008 5:40 PM PDT
Considering the inaccurate information in the article, shouldn't it be completely pulled? At least edit the damn thing to reflect the truth of the origin of the exploit, and what a poor excuse for security they have at MySpace.

This is one reason why bloggers shouldn't be considered journalists.
by highlander2000 June 6, 2008 12:15 PM PDT
You don't mess with the Lohan
by thedudis June 6, 2008 3:47 PM PDT
Lindsay and Paris are two of the biggest wastes of space on planet Earth.
by treet007 June 6, 2008 5:51 PM PDT
Ng just needs to be placed in solitary confinement without any computers or Internet. That should drive him insane... He is no different than the stinkin paparazzi who exploits for profit and eventually kills someone in the process.
by MyopicVision June 7, 2008 6:57 AM PDT
You know I can understand wanting to be known through the online media and perhaps score a high paying job based on the infamy but to do it based on old information is pathetic.
I don't know who Brian Ng is but I agree ...he is a total tool. This code was out for MONTHS and no one was any wiser to it. Myspace have a problem on their hands especially as they changed the membership agreement AND have started using applications that handle real money.
These were all minor url exploits.
Not real hacks.
A hack is illegal.
URL exploits are just that. Exploits.
Hell I've found URL exploits myself for social networking sites and when I emailed the site to tell them..they didn't really care...so as far as I'm concerned,...these sites get what they deserve with the embarrassment.
The fact is NOTHING is private on the internet. Once people realize that..they will be better off.
by mentalburner June 8, 2008 7:49 PM PDT
Celebrities and politicians don't realize that one of the reasons they have so much money and fame is because they don't have any privacy. It is one of the sacrifices of the occupation. Doctors work a lot of hours and are exposed to diseases as an example. It's a part of the job. Tell them to lump it or leave it.
by private-internet July 18, 2008 10:21 AM PDT
There is a trade-off between convenience and security - a proper design system should let you keep your data to yourself and does not let your data be controlled by a third party. Current web services are geared towards public service not private service.
by benjaminstraight July 28, 2008 3:48 AM PDT
The blame game starts.