Heavy-Handed Approach by MySpace
Last week saw a particularly heavy-handed approach to dealing with the disclosure of over 56,000 MySpace user account details.
The story starts around the 15th of January, when various posts were made to the security mailing list Full Disclosure about a list of usernames and passwords for MySpace users being visible on a website used as part of a MySpace phishing scam. The original posts contained links to the phishing site and to a text file holding the stolen password information.
Someone then posted the text file itself to the list, at which point it was picked up by the various sites that mirror the Full Disclosure list, ourselves included here at Virus.Org. Luckily some of the mirrors (including the Virus.Org mirror) hide the email addresses within the posts they archive, which renders the compromised information useless.
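Masking the addresses is the part of the mirrors' behaviour worth copying, so here is an added example (not code from Virus.Org, seclists.org or any of the mirrors mentioned) of how an archive can scrub a post before publishing it: it strips the password from any line of the form address:password and masks every email address down to its first character and domain. The sample post and every address and password in it are constructed for the example.

```python
import re

# Constructed sample of a list post as it might appear in an archive.
# The addresses and passwords here are invented for this example.
SAMPLE_POST = """\
From: reporter@example.net
Subject: credentials harvested by the phishing page

Here is what the page was storing:

alice.smith@example.com:hunter2
bob@example.org:letmein99

Regards,
reporter@example.net
"""

# A permissive e-mail pattern: good enough for mailing-list text, not RFC 5322.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")

# A line consisting solely of <address>:<secret> is treated as a credential pair.
CRED_LINE_RE = re.compile(
    r"^(?P<addr>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}):(?P<secret>\S+)$"
)


def mask_email(match):
    """Keep the first character of the local part and the domain, hide the rest."""
    local, domain = match.group(1), match.group(2)
    return f"{local[0]}***@{domain}"


def redact_post(text: str) -> str:
    """Strip passwords from credential lines, then mask every e-mail address."""
    out_lines = []
    for line in text.splitlines():
        m = CRED_LINE_RE.match(line)
        if m:
            # Drop the secret entirely; only the (soon masked) address remains.
            line = m.group("addr") + ":[password removed]"
        out_lines.append(EMAIL_RE.sub(mask_email, line))
    return "\n".join(out_lines)


def count_credential_lines(text: str) -> int:
    """How many address:password lines a post contains; useful for an audit log."""
    return sum(1 for line in text.splitlines() if CRED_LINE_RE.match(line))


if __name__ == "__main__":
    print(f"credential lines removed: {count_credential_lines(SAMPLE_POST)}")
    print(redact_post(SAMPLE_POST))
```

The credential-line pass runs before the general address masking so that the secret is removed outright rather than merely obscured; a mirror that only masked addresses would still be publishing working passwords next to partially hidden usernames.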
Skip forward a few days: MySpace found one of these mirrors, probably via a Google search, and decided to take action. No, they didn't do the sensible thing and inform the users whose details had been compromised; they decided to try to take down the information. Their target was security researcher Fyodor, author and maintainer of nmap. Fyodor operates the mailing list archive at seclists.org, and his archive had faithfully saved the MySpace user details, which were then indexed by Google. This made him a target.
What did MySpace do? Well, it seems that instead of contacting Fyodor directly they went straight to GoDaddy, the company that provided the domain registration for seclists.org. GoDaddy in turn suspended the registration for the seclists.org domain and pointed its DNS at GoDaddy's suspended-account DNS servers.
The reason given by GoDaddy was that Fyodor had violated GoDaddy's abuse policy. GoDaddy does not appear to have investigated, nor to have allowed Fyodor to contest or even remove the content, before altering the DNS to take the seclists.org site offline. In response to the backlash caused by taking seclists.org offline, GoDaddy claimed they had given Fyodor one hour to respond; however, in a response posted by Fyodor this claim appears to be false, as the timeline reconstructed from the voicemail and emails sent by GoDaddy indicates it was closer to a minute.
What should MySpace have done? Firstly, they should have contacted the maintainer of the site hosting the content they wanted removed. In this case that is Fyodor, a well-known and respected security researcher; it is not as if you cannot contact him. They should have contacted GoDaddy only as a last resort, if they had been unable to reach Fyodor.
They should then have rendered the compromised information useless. It would be simple enough: grab the leaked list, go through the affected MySpace user accounts and lock every compromised account. Once each account is locked, inform the user that their login information has been compromised, that their account has been locked, and that they should contact MySpace to have it unlocked.
Given the tendency for people to reuse passwords across multiple systems, informing users would also alert them that any other accounts sharing the same login details may well have been compromised too.
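As an added example, and not anything MySpace actually ran, the lockout-and-notify procedure above can be scripted against an account store. The account records, the PBKDF2 password hashing and the leaked file are all constructed stand-ins for this example: the script parses the username:password list, locks each account whose leaked password still verifies, queues a notification carrying the password-reuse warning, and reports stale or unknown entries for follow-up rather than locking on them blindly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    """Minimal stand-in for a user record; the real store is assumed, not known."""
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    lock_reason: str = ""


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked plaintext can be checked without storing it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, salt, hash_password(password, salt))


def build_accounts() -> dict:
    """Constructed account store: bob has changed his password since the leak."""
    users = [
        make_account("alice", "alice@example.com", "Sunshine1"),
        make_account("bob", "bob@example.com", "newpassword"),
        make_account("carol", "carol@example.com", "qwerty"),
        make_account("dave", "dave@example.com", "unrelated"),
    ]
    return {a.username: a for a in users}


# Constructed sample of a leaked username:password file (invented values).
LEAKED_DUMP = """\
# harvested by the phishing page
alice:Sunshine1
bob:oldpassword
carol:qwerty
mallory:whatever
alice:Sunshine1
"""


def parse_dump(text: str) -> list:
    """Return unique (username, password) pairs, ignoring blanks and comments."""
    seen, pairs = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, password = line.partition(":")
        pair = (user.strip().lower(), password)
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs


def notification(acct: Account) -> str:
    """Message sent to the account holder once the account is locked."""
    return (
        f"To: {acct.email}\n"
        f"Your login details for '{acct.username}' appeared in a leaked "
        "credential list. The account has been locked; contact support to "
        "unlock it. If you used the same password anywhere else, change it "
        "there as well."
    )


def process_leak(dump_text: str, accounts: dict) -> dict:
    """Lock every account whose leaked password still verifies; report the rest."""
    report = {"locked": [], "already_locked": [], "unknown_user": [],
              "password_mismatch": [], "notifications": []}
    for user, password in parse_dump(dump_text):
        acct = accounts.get(user)
        if acct is None:
            report["unknown_user"].append(user)
        elif acct.locked:
            report["already_locked"].append(user)
        elif hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.locked = True
            acct.lock_reason = "credential leak"
            report["locked"].append(user)
            report["notifications"].append(notification(acct))
        else:
            # Username is in the dump but the password no longer matches:
            # flag for follow-up rather than locking on a stale credential.
            report["password_mismatch"].append(user)
    return report


if __name__ == "__main__":
    store = build_accounts()
    result = process_leak(LEAKED_DUMP, store)
    for key in ("locked", "already_locked", "unknown_user", "password_mismatch"):
        print(f"{key}: {result[key]}")
    for msg in result["notifications"]:
        print(msg)
```

Running the same dump twice is safe: accounts locked on the first pass are reported as already locked on the second instead of generating a second notification, and the mismatch list gives the support team the users whose old password leaked but who have since changed it, which is still worth a quiet heads-up about reuse elsewhere.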
This, however, is not the first time MySpace user accounts have been compromised in this way, and it will not be the last. One previous instance resulted in over 34,000 user accounts being compromised; at that time Bruce Schneier published some analysis of the compromised account information. The nature of the MySpace environment makes it a prime target for attack, and its ongoing security problems are well documented: not only are MySpace users subjected to phishing attacks, but there are almost constant problems with Cross-Site Scripting attacks and even the odd MySpace-aware worm.
