
Yahoo Widget Unlocks Private Paris Hilton, Lindsay Lohan MySpace Photos

The photos surfaced after a security researcher discovered that a MySpace widget in Yahoo's Widget Gallery could be used to bypass MySpace privacy controls.
Silicon Valley gossip site Valleywag has published private photos belonging to Paris Hilton and Lindsay Lohan to illustrate the privacy risks posed by data sharing among social Web sites.

Valleywag obtained the photos from Hilton's and Lohan's private MySpace profiles with the help of Canadian security researcher Byron Ng, who found that a MySpace widget in Yahoo's Widget Gallery could be used to bypass MySpace privacy controls.

Valleywag managing editor Owen Thomas sees the security flaw as a sign that data portability -- the fashionable movement to make social data available across Web site boundaries -- is fundamentally flawed.

"Data portability was born out of a wrongheaded assumption: That data needs to be shared," Thomas wrote.

Thomas' observation that data sharing reduces security to the standards of the weakest partner in the network chain is correct. But it's undermined by Valleywag's eagerness to share pictures of Hilton and Lohan. Data, it seems, does need to be shared, whether chumming the Internet for page views or trying to build an Internet business outside of publishing. Rather than swearing off data sharing, perhaps it's time to look at why there are so few consequences for poor security.

MySpace and Yahoo issued a joint statement that sounds like just about every other security-related statement the companies have released individually in the past.

"MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible," a MySpace spokesperson said in an e-mail. "Recently, MySpace and Yahoo were alerted to a vulnerability with the MySpace widget on the Yahoo mobile platform. The functionality of the widget has currently been disabled as we work to roll out an immediate fix."

To borrow and bend a slogan from Pixar's Monsters, Inc., "We repair because we care."

The trouble is that while security holes may be repaired, privacy, once lost, can't be recovered.

Update: According to MySpace, the security problem was the result of Yahoo's use of a "deprecated mobile API" (being phased out) and does not have anything to do with MySpace's data portability initiative.
