I have never been a fan of MySpace, but it just disappoints me when I see such a popular site suck so bad at security. There have been lots of security problems with MySpace in the past, and I commend the developers for quickly resolving them. But something just irritates me.
I visit a lot of sites that require encryption, just like you probably do. Just about every one of these sites uses some type of encryption to protect your login information. And I don't just mean sites like banks and Amazon. Google Mail and Yahoo Mail, for example, make you sign in using SSL by redirecting you to a secure HTTPS page. This practice makes it very difficult, if not impossible, for the casual hacker to get your info. Facebook even encrypts your password by somehow using AJAX and SSL in the login box, even though the rest of their sign-on page does not use SSL. Again, Facebook is putting forth at least a little bit of effort to protect your login info by encrypting it.
MySpace, on the other hand, does the opposite. By opposite I mean they do nothing!! Their entire site is plain text, and so is their login! They make zero effort to protect your login with encryption or SSL or anything like that. I know this because I was able to grab my own MySpace username and password using some simple network sniffing tools. These tools are free and very easy to use. Someone asked me, "Are you sure they just didn't have a sign-on box that uses SSL?" I told him, "My sniffer does not lie!"
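The two patterns described above (a login form that posts in plain text, and a plain-text page whose login form at least posts to an HTTPS address) can be checked without any sniffer at all by looking at the login page's HTML. The following is an added example, not code from the original post; the page URL and the two sample pages are constructed placeholders, not captures of any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormAuditor(HTMLParser):
    """Record every <form> on a page and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": absolute URL, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            # An empty or missing action means the form posts back to the page itself.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return (action_url, verdict) for every form that carries a password field.

    'PLAINTEXT' means the password would leave the browser unencrypted, which is
    exactly what a passive sniffer on a shared network would pick up.  An 'ok'
    verdict on a page that was itself served over http is still weaker than a
    fully HTTPS page, since the form itself could be altered in transit.
    """
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    results = []
    for form in parser.forms:
        if form["has_password"]:
            scheme = urlparse(form["action"]).scheme.lower()
            results.append((form["action"], "ok" if scheme == "https" else "PLAINTEXT"))
    return results


# Constructed sample pages (placeholders, not real sites).
PAGE_URL = "http://www.example.test/index.cfm"
PLAIN_PAGE = """<html><body><form method="post" action="/login.cfm">
<input type="text" name="email"><input type="password" name="password"></form></body></html>"""
MIXED_PAGE = """<html><body><form method="post" action="https://login.example.test/auth">
<input type="text" name="email"><input type="password" name="pass"></form>
<form method="get" action="/search"><input type="text" name="q"></form></body></html>"""
```

Feeding a saved copy of a login page to `audit_login_forms` shows at a glance which forms would hand a password to anyone listening on the same wireless network.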
Now this isn't that big of a deal, really. Or is it? This complete disregard for basic security isn't going to give all my friends free poker chips, or invite a bunch of random people to be my friend and see my hot pics. It just wouldn't really be that big of a deal if that happened. I am of course referring to those pesky "MySpace viruses" that many people seem to get. The only real issue is that if you use MySpace in a public place you could get your password jacked. By public place I mean a coffee shop, hotel, airport, college campus, or anywhere that has wireless internet access. All that it takes is some newb like me to open up one of my many wireless sniffing tools, save the packet capture in pcap format, and open it with Cain. I now have every password, including MySpace passwords, that has been entered since I started my capture. Well, not every password, just the plain-text ones such as MySpace.
Ok, so you are saying to yourself something like, "Whoop-de-doo, someone could get my MySpace password and rearrange my favorite friends and post comments as me. Who cares?" Unfortunately the problem is much larger than that for many people. Think about how many sites you personally go to. Now ask yourself if you have a different username and password for EACH site?? I didn't think so. So now is your not-so-precious MySpace password also the same password for your Facebook, email, bank account, work email, online shopping sites, TurboTax, what else? Scary, isn't it?? Read my tips below, especially number 3!!
I got criticized by a security "expert" once for exposing something and not providing a solution. So here is my attempt at a solution:
- MySpace: Fix your shizzle! I think the quickest way for a security vulnerability to be fixed is by making it public. If Facebook can do it, why can't MySpace? Is it a money issue? Laziness? Stupidity?
- People: Be careful what sites you visit in public places. For example, I NEVER, I mean NEVER, log in to ANYTHING when I am at a hotel, wireless or not. Wireless is worse because everyone can see what you are doing. But what if it's wired? Well, do you trust the people at the hotel? Who's to say that the hotel clerk, making pennies an hour, isn't studying to be some kind of IT guy? He/she might know a thing or two about computers. If he/she had the right tools, your stuff could get jacked.
- Don't use the same password for each site. I know it's hard, but try to mix it up as much as you can. I will tell you a story that might scare you into better password security. I once operated a website which required people to log in to do anything useful. Once a visitor created an account, their password was stored in a database in plain text. I decided to take a looksie one day and try one of the accounts on a few other sites. The sad thing is that many of the credentials from my site worked on various other sites. Just think to yourself about that forum, user group, poker club, or whatever other site you go to that isn't run by a corporation or might be shady. Who is their IT guy? Who designed the site? I'm not saying that anyone is doing anything malicious, but the site could be run by someone who gets bored like I did one day.