MySpace
Thursday 1st November, 2007 09:42 Comments: 0
The McAfee Avert Labs Blog mentioned MySpace yesterday, and provided a decent overview of why SSL is a good thing if you'd like any sort of privacy or protection. According to MySpace:

MySpace.com member accounts are secured by member-created passwords. MySpace.com takes precautions to insure that member account information is kept private. We use reasonable measures to protect member information that is stored within our database, and we restrict access to member information to those employees who need access to perform their job functions, such as our customer service personnel and technical staff. Please note that we cannot guarantee the security of member account information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of member information at any time.

Is it reasonable that usernames and passwords (data that's stored in their database) are sent over an unencrypted connection?
> nmap -P0 -p 80,443 www.myspace.com

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2007-11-01 09:32 GMT Standard Time
Warning: Hostname www.myspace.com resolves to 6 IPs. Using 216.178.38.129.
Interesting ports on 216.178.38.129:
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
It's not even a case of hunting for a link to log in and browse the site over SSL: port 443 isn't open, so everything has to be sent over an unencrypted connection because there's no other option. That doesn't sound very reasonable to me!
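To make the check above repeatable, here is an added example (my own illustration, not part of the original post and not MySpace's or nmap's code) that parses nmap's port table in the format shown and inspects a login page for password forms that would submit over plain http. The nmap text, hostnames and HTML are constructed placeholders, not real scan results.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed nmap output in the same table format the post shows (not a real scan).
NMAP_OUTPUT = """PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
"""

# Constructed login page: the password form posts to a plain-http URL.
LOGIN_HTML = """<html><body>
<form method="post" action="http://login.example.invalid/auth">
  <input name="email" type="text">
  <input name="password" type="password">
</form>
<form method="get" action="/search"><input name="q" type="text"></form>
</body></html>"""

def port_states(nmap_text):
    """Map 'port/proto' -> STATE column from nmap's normal output table."""
    states = {}
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+/(?:tcp|udp))\s+(\S+)\s+\S+", line)
        if m:
            states[m.group(1)] = m.group(2)
    return states

class _FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() == "password":
            self._cur["has_password"] = True

def insecure_login_forms(html, page_url):
    """Return resolved actions of password forms that would submit over plain http."""
    p = _FormFinder()
    p.feed(html)
    bad = []
    for f in p.forms:
        target = urljoin(page_url, f["action"])  # relative actions inherit the page scheme
        if f["has_password"] and urlsplit(target).scheme != "https":
            bad.append(target)
    return bad

def audit(nmap_text, html, page_url):
    """Combine both checks: is 443 open, and do any login forms post credentials in clear?"""
    states = port_states(nmap_text)
    return {"https_port_open": states.get("443/tcp") == "open",
            "cleartext_login_actions": insecure_login_forms(html, page_url)}
```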

The scary thing is a lot of users will be using the same usernames and passwords on other sites that do use SSL. As mentioned on McAfee's blog:

Don't get me wrong, a malicious user doesn't care about your myspace.com page. I'm sure it "teh sucks" and your profile is "teh fail" (to quote a buddy at Foundstone, Brad Antoniewicz). They're after your credentials & betting big on password reuse. Stop for a moment and think about your own work, Ebay, email, bank, etc accounts. Are you reusing your credentials anywhere?
© Robert Nicholls 2002-2024