Yahoo Widget Unlocks Private Paris Hilton, Lindsay Lohan MySpace Photos

The photos surfaced after a security researcher discovered that a MySpace widget in Yahoo's Widget Galley could be used to bypass MySpace privacy controls.

Thomas Claburn, Editor at Large, Enterprise Mobility

June 4, 2008

2 Min Read

Silicon Valley gossip site Valleywag has published private photos belonging to Paris Hilton and Lindsay Lohan to illustrate the privacy risks posed by data sharing among social Web sites.

Valleywag obtained the photos from Hilton's and Lohan's private MySpace profiles with the help of Canadian security researcher Byron Ng, who found that a MySpace widget in Yahoo's Widget Galley could be used to bypass MySpace privacy controls.

Valleywag managing editor Owen Thomas sees the security flaw as a sign that data portability -- the fashionable movement to make social data available across Web site boundaries -- is fundamentally flawed.

"Data portability was borne out of a wrongheaded assumption: That data needs to be shared," Thomas wrote.

Thomas' observation that data sharing reduces security to the standards of the weakest partner in the network chain is correct. But it's undermined by Valleywag's eagerness to share pictures of Hilton and Lohan. Data, it seems, does need to be shared, whether chumming the Internet for page views or trying to build an Internet business outside of publishing. Rather than swearing off data sharing, perhaps it's time to look at why there are so few consequences for poor security.

MySpace and Yahoo issued a joint statement that sounds like just about every other security-related statement the companies have released individually in the past.

"MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible," a MySpace spokesperson said in an e-mail. "Recently, MySpace and Yahoo were alerted to a vulnerability with the MySpace widget on the Yahoo mobile platform. The functionality of the widget has currently been disabled as we work to roll out an immediate fix."

To borrow and bend a slogan from Pixar's Monsters, Inc., "We repair because we care."

The trouble is that while security holes may be repaired, privacy, once lost, can't be recovered.

Update: According to MySpace, the security problem was the result of Yahoo's use of a "deprecated mobile API" (being phased out) and does not have anything to do with MySpace's data portability initiative.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights