Pillaged MySpace Photos in Massive BitTorrent File
Origin: http://www.wired.com/politics/security/news/2008/01/myspace_torrent
A 17-gigabyte file purporting to contain more than half a million images lifted from private MySpace profiles has shown up on BitTorrent, potentially making it the biggest privacy breach yet on the top social networking site.
The creator of the file says he compiled the photos earlier this month using the MySpace security hole that Wired News reported on last week. That hole, still unacknowledged by the News Corporation-owned site, allowed voyeurs to peek inside the photo galleries of some MySpace users who had set their profiles to "private," despite MySpace's assurances that such images could only be seen by people on a user's friends' list.
"I think the greatest motivator was simply to prove that it could be done," file creator "DMaul" says in an e-mail interview. "I made it public that I was saving these images. However, I am certain there are mischievous individuals using these hacks for nefarious purposes."
The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.
By then, DMaul, a denizen of the online forum TribalWar.com who declined to reveal his name, used an automated script to run nearly 44,000 MySpace user profiles through one of the ad-supported sites, MySpacePrivateProfile.com -- a process he says took about 94 hours. He rolled those images into a single file and seeded it to The Pirate Bay, a popular BitTorrent tracking site, on Sunday, advertising it as "pictures taken exclusively from private profiles."
Despite the language, the script DMaul posted to TribalWar does not appear to discriminate between public and private profiles, making it likely that many of the photos were intended to be public. The script cycled through MySpace users sequentially by MySpace Friend ID number, and did not target users of a particular age group.
Even with some public photos in the mix, the haul represents a significant breach that affects users under 16 -- whose profiles are automatically set to private -- more than older users who must opt in to the privacy option.
As of Wednesday morning, The Pirate Bay showed two users seeding the file, and another 40 downloading it. One commenter complained that the download could take "weeks or months" to complete, prompting another to predict that, "By the end of the week it should be well distributed."
DMaul made two smaller files available as direct downloads. One of them examined by Wired News contains more than 32,000 images ranging from the mundane to the intimate: vacation photos, infants in bathtubs, teenagers mugging for the camera.
Child-safety advocate Parry Aftab, executive director at WiredSafety.org (not affiliated with Wired News) said last week that MySpace and other social networking sites should have teams that do nothing but test for bugs and monitor web forums for discussions about privacy glitches.
Last week, MySpace chief security officer Hemanshu Nigam touted a deal with the attorneys general of 49 states in which MySpace agreed to a laundry list of safety improvements on the site. However, the settlement does not require MySpace to detect or promptly close its recurring security holes.
MySpace hasn't returned phone calls on the issue. A spokeswoman for Connecticut Attorney General Richard Blumenthal, co-chairman of the task force that forged the pact with MySpace, declined to comment on the bug this week. Noelle Talley, a spokeswoman for North Carolina Attorney General Roy Cooper, the other co-chair, noted MySpace's quick response in closing the bug after Wired News reported on it.
"We raised this particular issue with MySpace and they told us that the problem was fixed by the next day," Talley wrote in an e-mail. "We'll follow up with them on this issue."
"The process set up by our agreement gives us ready access to bring problems to the attention of MySpace," Talley added. "We believe this collaborative effort will move us more quickly toward safer social networking sites, but attorneys general won't hesitate to take further action if necessary."
MySpace plugged a similar security hole in August 2006 when it made the front page of Digg, four months after it surfaced.
User Comments
(These do not necessarily reflect the beliefs of this site)

Twarrior
Date: January 26, 2008 @ 6:43 AM
Yeah, I submitted this article -- but I'm still bookmarking it for prosperity. lol
Myspace lovers have totally blown the whole Facebook incident out of proportion as the minor oversight doesn't even affect 98% of the people on Facebook.
So you've got more gossip than fact with "oh Facebook is insecure blah blah blah" when Facebook is one of the most secure social networking sites I've ever seen. It's not a perfect site but what site can be perfect when we live in a universe that allows for flaws, mistakes and oversights?
I think anyone on this Earth that expects perfection of people and / or things is one clueless ignoramus.
Myspace has been an unstable POS for years now. Sadly, the main reason lots of people like Myspace and hate Facebook is because Facebook has prioritized on function whereas Myspace has prioritized on eye candy.
You can not as of yet change the color scheme of a Facebook profile and Myspace has been able to allow this for years. Perhaps the average Myspace lover tricks themselves into thinking that Myspace is secure and Facebook is not because they just love their eye candy too much to do otherwise.
-Dave

Twarrior
Date: January 26, 2008 @ 6:49 AM
"The creator of the file says he compiled the photos earlier this month using the MySpace security hole that Wired News reported on last week. That hole, still unacknowledged by the News Corporation-owned site, allowed voyeurs to peek inside the photo galleries of some MySpace users who had set their profiles to "private," despite MySpace's assurances that such images could only be seen by people on a user's friends' list."
Before I knew about Facebook I knew about this exploit. I have a Myspace account only for those instances where someone wants to show me something and it requires authentication.
I also used to have a few pictures up there. Well, whether it was to show non-myspace users those pictures (or) I was unable to login to my own myspace profile and someone else wanted to show me some pics -- I would use this exploit to show the pics and / or allow others to show me pics.
Now -- though I never thought someone would become bored enough to go on a photo raping and pillaging mission -- I still think it's pretty amusing. lol
-Dave

Twarrior
Date: January 26, 2008 @ 6:56 AM
Another side note -- as far as public versus private -- please, it's the Internet. If you upload content to a server that you do not own and have no direct control of -- you've just released it to the public regardless of privacy settings. Just as private email isn't really private because it passes through various third parties.
It's amazing how grown adults still seem to touch fire and then act shocked when they get burned. lol
Sorry, I'm in a bit of a ranting mood. lol ... oh and by the way -- before I forget to mention it -- this article was forwarded to me via AIM by my friend Stacy Reed who works at Tucows. I just wanted to make sure she was properly credited. She's also a Deviant Artist ( http://sya.deviantart.com/art/Slave-to-the-RIAA-2069813 ) and a BRIAA supporter for years now.
-Dave

independentm...
Date: January 26, 2008 @ 11:38 PM
Say hi to Stacy for us!

independentm...
Date: January 27, 2008 @ 1:24 AM
I personally like Facebook a hell of a lot better than MySpace too, (although I do foresee it eventually becoming cluttered by all the "widgets")
======
Tom Hodgkinson, writing at the Guardian, however, sees Facebook as utterly evil.
It's an entertaining read, and he's probably right about much of what he says, however, DO realize the guy is wearing a bigger tin-foil hat than even the one I own. lol