- Jan. 23rd, 2008
The average IQ of the internet pedophile is apparently much higher than the aggregate of IQs at MySpace.
I was blissfully unaware of this until now (not being a pedophile and all…), but I could always tell that MySpace was a poorly conceived application. The idea was good, but that is where it ended.
The problem is that MySpace was started (and hence programmed) by a team that never knew how big it would become — and quite possibly in over its head. And of course every programmer or IT manager knows that it's orders of magnitude harder to fix applications while they're being used. Often, it must be refactored and/or rewritten. That's even worse.
That said, it should have been done. There is enough money flowing into the enterprise that some of it should be devoted to fixing all obvious flaws, especially where it pertains to child exploitation.
The frightening part of the most recent bug is that, assuming I understand it, it was trivial to fix. Criticisms about the inanity of letting users have full control over content (and hence allowing for creative XSS attacks and phishing) aside, this wasn't anything complex. Let me explain:
Typically a web site displaying anything — whether it be products, files, or, in this case, provocative photos of 14 year olds — has two levels of navigation.
1. List multiple items in a catalog.
2. View a particular item.
A simplified request to a web server for level "1." looks like this:
http://www.socialsite.com/album/?user=bob (view all photos in album for "bob").
And for 2:
http://www.pictures.com/album/?picture_number=12345 (view photo 12345).
When MySpace decided to protect your 14 year old daughter from the "Army of Pedophiles," they initially only prevented level "1." from being viewed. So if a user contrived a method to guess or derive the latter type of URL, nothing stopped that from occurring. And that's just what this "army" figured out how to do.
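As an added illustration (not code from the original post, and not MySpace's code), here is the two-level model in Python over a constructed data set: the listing-level check on its own, beside the per-item check that closes the gap. All names, ids and the friend list are made up for the example.

```python
# Constructed sample data: album owners, which albums are restricted,
# which album each picture belongs to, and who may see a restricted album.
ALBUM_OWNER = {"bob_album": "bob", "alice_album": "alice"}
PRIVATE_ALBUMS = {"bob_album"}          # bob's album is restricted
PICTURES = {12345: "bob_album", 67890: "alice_album"}
FRIENDS = {"bob": {"carol"}, "alice": set()}


def may_view_album(requester, album):
    """One authorization rule: owner and friends see a private album,
    anyone sees a public one. Both levels must call this."""
    if album not in PRIVATE_ALBUMS:
        return True
    owner = ALBUM_OWNER[album]
    return requester == owner or requester in FRIENDS.get(owner, set())


# Level 1: /album/?user=bob -- the check was applied here.
def list_album(requester, album):
    if not may_view_album(requester, album):
        return None                      # deny (403)
    return [pid for pid, a in PICTURES.items() if a == album]


# Level 2 as the post describes the original behaviour: the picture id is
# resolved directly and no ownership check is made, so a guessed id leaks.
def view_picture_unchecked(requester, picture_id):
    album = PICTURES.get(picture_id)
    return None if album is None else {"id": picture_id, "album": album}


# Level 2 fixed: map the picture back to its album and re-apply the same
# rule. Unknown and forbidden ids get the same answer so existence is not
# revealed by the difference.
def view_picture_checked(requester, picture_id):
    album = PICTURES.get(picture_id)
    if album is None or not may_view_album(requester, album):
        return None
    return {"id": picture_id, "album": album}
```

The point of `view_picture_checked` is that the per-item endpoint derives the owning album server-side and decides from that, rather than trusting that the caller reached the id through the protected listing.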
This incensed me — not because I've ever been this sloppy in implementing an application, but because MySpace was under scrutiny, was aware that they have facilitated pedophilia in the past, and didn't audit their application to verify that this sort of obvious sloppy security hole didn't exist until it was obviously exploited.
I would assert that the fix for this security hole was no more than 2 lines of program code and would take about 1 week to exhaustively test and deploy.
Meanwhile the self-proclaimed "pedo-army" figured it out, masturbated to pictures of your daughter, and will probably continue to see more of her when the pedophiles outfox MySpace again …