MySpace password recovery form allows you to steal someone else's account

18 July 2017, 21:53 | Technologies

Security researcher Leigh-Anne Galloway has discovered an easy way to gain access to any MySpace account. As it turned out, to hijack someone else's account it is enough to know only the name under which it is registered, the username and the account holder's date of birth. The researcher notified MySpace about the problem in April of this year. As the administration of the social network did not respond to the message, Galloway decided to make the vulnerability public.

The problem is that the MySpace password recovery form requires too little data to verify the identity of the account holder. To change the password, you only need to specify the first and last name of the account holder, the username and the date of birth.

The first two items are already visible to everyone, so the attacker only has to find out the victim's date of birth. The other fields in the form are recommended, but in practice the accuracy of the information entered in them is not checked.

On Monday, July 17, the MySpace administration redirected the password recovery URL, and it no longer leads to the vulnerable form. The decision of the social network's administration to close access to the vulnerable form indicates that it knows about the problem.
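The weakness described above, next to one common hardening (a one-time token sent to the address already on file), as an added example that is not MySpace's code or part of the original article. The account record, the function names and the 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; every value here is made up for illustration.
ACCOUNTS = {
    "jdoe": {"full_name": "Jane Doe", "dob": "1990-01-01",
             "email": "jane@example.test"},
}
TOKEN_TTL = 900  # seconds a reset token stays valid (assumed policy)
_pending = {}    # username -> (sha256 of token, expiry timestamp)


def weak_verify(username, full_name, dob, email=None):
    """Pattern described in the article: only public or guessable
    attributes are compared, and the optional field is never checked."""
    acct = ACCOUNTS.get(username)
    return bool(acct) and acct["full_name"] == full_name and acct["dob"] == dob


def start_reset(username, send_mail):
    """Hardened flow: nothing typed into the form authorizes a reset.
    A one-time token goes to the address already on file."""
    acct = ACCOUNTS.get(username)
    if acct:
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not leak usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[username] = (digest, time.time() + TOKEN_TTL)
        send_mail(acct["email"], token)
    # Same reply whether or not the account exists (no enumeration).
    return "If the account exists, a reset link has been sent."


def finish_reset(username, token, now=None):
    """Accept the token once, before expiry, using a constant-time compare.
    pop() consumes the pending token even when the attempt fails."""
    digest, expiry = _pending.pop(username, ("", 0.0))
    now = time.time() if now is None else now
    supplied = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, supplied) and now < expiry
```

`send_mail` is a caller-supplied callback, so the flow can be exercised without a mail server.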



