Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace photos




By Dancho Danchev
Zero Day
June 4th, 2008

The recently introduced data availability initiative at MySpace, which lets 
everyone share their profile data with other community and social networking 
sites across the Web, has just suffered its first major privacy flaw, 
exposing the private photos of Paris Hilton and Lindsay Lohan and prompting 
Yahoo and MySpace to disable data availability between the two services 
until they fix the flaw:

     Pictures of Paris Hilton and Lindsay Lohan from private MySpace 
     profiles can be seen by anyone on the Internet, thanks to a flaw in 
     a system that helps the social-networking site share information 
     with other Web sites. The incident underscores a new challenge for 
     businesses: Security becomes a multi-front challenge once you start 
     sharing information outside your walls.

     Byron Ng - a computer technician who earlier this year found a way 
     to access Paris Hilton's Facebook page - walked the tech-gossip 
     blog Valleywag through a 15-step process that allows people to see 
     supposedly-private pictures and other information by first logging 
     into Yahoo, which is one of the sites that shares information with 

With Paris Hilton's T-Mobile Sidekick account hacked two years ago 
(Hilton's mailbox; Hilton's contact list; Hilton's photos), followed by 
her private Facebook photos exposed last month, it's becoming a rather 
common event to demonstrate a major privacy leak or security flaw by 
testing it on celebrities, with the aim of attracting as much attention 
as possible. None of these hacks would be possible if the celebrities' 
supposedly private profiles, protected only by obscurity, weren't an open 
secret. For instance, Paris Hilton's private profile and Lindsay Lohan's 
profile have already been tracked down by fans, which puts them at the 
top of the target list for testing of 

From another perspective, celebrity hacking is a win-win-win situation: 
the celebrities enjoy some publicity, the vulnerable services get a fix 
pushed live for millions of their users, and the celebrity hacker gets to 
be, well, the celebrity hacker. It's also a great way to demonstrate how 
one service can undermine the privacy preferences already set on another, 
as in this case, where an integration flaw at Yahoo undermines the privacy 
preferences set on a MySpace profile.
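The integration flaw the post describes, as an added example that is not code from the original post and not MySpace's or Yahoo's own implementation: a small Python model of a profile store with a "data availability" export in two forms. The flawed export hands a partner site the whole profile plus a privacy flag and trusts the partner's viewer to honour it; the fixed export applies the owner's settings at the source for each requesting identity, on the partner-sync path exactly as on its own pages. Every name here (PROFILES, export_profile_flawed, export_profile_fixed, partner_view_flawed, partner_view_fixed) and the sample accounts are assumptions for illustration.

```python
"""Model of a profile-sharing ('data availability') API, added as an
illustration; not MySpace's or Yahoo's code. All names and sample data
below are assumed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Photo:
    photo_id: str
    visibility: str  # "public" or "friends"


@dataclass
class Profile:
    user_id: str
    private: bool  # whole profile set to private by its owner
    friends: Set[str] = field(default_factory=set)
    photos: List[Photo] = field(default_factory=list)


# Constructed sample accounts (not real profiles).
PROFILES: Dict[str, Profile] = {
    "celeb": Profile("celeb", private=True, friends={"pal"},
                     photos=[Photo("c1", "public"), Photo("c2", "friends")]),
    "openuser": Profile("openuser", private=False, friends={"pal"},
                        photos=[Photo("o1", "public"), Photo("o2", "friends")]),
    "pal": Profile("pal", private=False),
    "stranger": Profile("stranger", private=False),
}


def export_profile_flawed(owner_id: str) -> dict:
    """Vulnerable pattern: the source ships the whole profile, privacy flag
    included, and relies on the partner's viewer to enforce that flag.
    Any partner page that skips the check leaks everything."""
    owner = PROFILES[owner_id]
    return {"user": owner_id, "private": owner.private,
            "photos": [p.photo_id for p in owner.photos]}


def partner_view_flawed(export: dict, partner_user: str) -> List[str]:
    """The partner's viewer: renders what it was given to any logged-in
    partner user without consulting 'private' (the integration flaw)."""
    return list(export["photos"])


def export_profile_fixed(owner_id: str, viewer_id: Optional[str]) -> dict:
    """Hardened pattern: the owning service evaluates the owner's settings
    for the specific viewer. viewer_id is the source-side identity the
    partner has linked for its user, or None for anonymous/unlinked."""
    owner = PROFILES[owner_id]
    is_owner = viewer_id == owner_id
    is_friend = viewer_id in owner.friends
    # A private profile shows nothing to non-friends, whatever the photos say.
    if owner.private and not (is_owner or is_friend):
        return {"user": owner_id, "photos": []}
    allowed = [p.photo_id for p in owner.photos
               if is_owner or p.visibility == "public"
               or (p.visibility == "friends" and is_friend)]
    return {"user": owner_id, "photos": allowed}


def partner_view_fixed(owner_id: str, linked_viewer: Optional[str]) -> List[str]:
    """The partner requests a per-viewer export; it can't mishandle private
    data it never receives."""
    return export_profile_fixed(owner_id, linked_viewer)["photos"]


if __name__ == "__main__":
    leaked = partner_view_flawed(export_profile_flawed("celeb"), "stranger")
    safe = partner_view_fixed("celeb", None)
    print("flawed partner view for a stranger:", leaked)  # ['c1', 'c2']
    print("fixed partner view for a stranger:", safe)     # []
```

The point the model makes is that a privacy setting is only as strong as the weakest path that can read the data: once profile data is syndicated, the owning service has to enforce the setting on the sync path for each requesting identity, rather than ship the raw data together with a flag and hope every partner page checks it.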


Dancho Danchev is an independent security consultant and cyber threats 
analyst, with extensive experience in open source intelligence 
gathering, malware and e-crime incident response. Dancho is also 
involved in business development, marketing research and competitive 
intelligence as an independent contractor. He has been an active security 
blogger since 2007, and maintains a popular security blog sharing 
real-time threat intelligence data with the rest of the community on a 
daily basis.


