CNET también está disponible en español.

Ir a español

Don't show this again


MySpace, Yahoo blame bad APIs for celebrity photos breach

Private photos of Paris Hilton and Lindsay Lohan found through bad APIs, rekindling debate on whether there is such a thing as privacy on social networks.

Paris Hilton and Lindsay Lohan's private MySpace photos are all over the Internet now, thanks to a glitch in the bad APIs.

While the not-so-publicity-shy stars probably won't mind, and none of the photos are all that racy (except for the one of a fully dressed, provocatively posed Hilton in a tanning booth), there's a lesson for us all in this social network privacy flap du jour.

"Anything you upload to a public Web site is not private; it's public. Even if you think it is password protected," says Jeremiah Grossman, chief technology officer at White Hat Security, a Web application security company. "That's the bottom line."

The photos began making the rounds on Tuesday after computer technician Byron Ngo released them publicly, and gave Valleywag detailed instructions for his hack. Valleywag also has the photos here.

The problem has been fixed so don't bother trying to replicate it. But the breach resurrects the debate over whether the notion of privacy is outdated in a world where you party too much at an event and the next morning an embarrassing photo is up on your friend's Facebook page.

Valleywag blamed data portability, the concept underlying the sharing of data between social networks and other sites.

However, according to MySpace, it had nothing to do with data portability and everything to do with "deprecated APIs."

Grossman attributed it to "insufficient authorization," which he said are common on all types of Web sites, not just social-networking sites.

"MySpace and Yahoo are firmly committed to keeping all users as safe and secure as possible. Recently, MySpace and Yahoo were alerted to a vulnerability within the MySpace widget on the Yahoo mobile platform," MySpace and Yahoo said in a statement. "The functionality of the widget has currently been disabled as we work to roll out an immediate fix."

The man behind the expose' is none other than Byron Ng, a Vancouver-based computer technician who found a hole in Facebook and got to photos on founder Mark Zuckerberg's private page in March.

Ng also is credited with uncovering a digital version of most of the unreleased Harry Potter book last summer.

Ng, if you're out there, I'd love to talk to you.