12:11 PM

MySpace Sharing User Info With Advertisers

Days after Facebook disclosure, the second largest social media site is found committing the same privacy breach.

Days after its younger, larger competitor Facebook came under attack for sharing unwitting users' data with ad agencies and Internet tracking companies, it has been discovered that MySpace also has been disclosing similar information with third parties.

The information was usually sent by MySpace when users clicked on advertisements, according to the Wall Street Journal, which first discovered the ad tracking. Like the Facebook disclosures, advertisers potentially can tap the user IDs to find public information such as full names, locations, ages, and phone numbers. MySpace advertisers -- such as Google, Quantcast, and Rubicon Project -- reportedly said they did not use the information they received.

"Knowledge of a public user ID does not give anyone access to private user data. We share non-personally identifiable information with advertising companies as part of our ad serving process," a MySpace spokesman told CNN. "It has recently come to our attention that several third-party app developers may have violated these terms and we are taking appropriate action against those developers."

Unlike Facebook, which under its terms and conditions can close accounts found to use fake names, MySpace users can create accounts under pseudonyms, and can include false information without penalty. Since a MySpace user's profile name appears in the URL of the page the person is viewing, whenever the accountholder clicks on an ad, app, or game, an advertiser easily can see which page -- account and user ID -- the individual came from.

Some MySpace apps transmitted user IDs. For example, BitRhymes' TagMe, with 8.3 million users; WonderHill's 1.8 million-user GreenSpot; and RockYou's RockYou Pets with 6.1 million users, transmitted IDs, according to the Journal. News Corp. owns MySpace and the Journal.

"[BitRhymes] has a strict policy of not passing personally identifiable information to any third parties. When we were informed of the issue, any suspect relationship was immediately dissolved," the company said in a published statement.

A company that works with RockYou was transmitting user information to a third company without RockYou's knowledge, a company spokeswoman said in a published report. "We have taken immediate action to indefinitely suspend their services in connection with RockYou and we are reviewing all third-party providers to ensure compliance with our platform partners' terms of service," she told the Journal.

Facebook had 148 million visitors in September, according to ComScore, compared with the 58 million who visited MySpace.

Facebook had blocked one game developer -- Lolapps -- but then restored access later that weekend. Two congressmen have urged Facebook to explain how apps could share Facebook members' user ID numbers, and how the company planned to prevent this from reoccurring in the future.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.