Thursday, December 14, 2006

MySpace Security Flaw

Hello all,

A few months ago, I was logging into my MySpace account. I typed in my username and password and clicked 'Login' when I realized I had typed in the wrong password. Yet to my surprise, I was in my account. Maybe I hadn't typed in the wrong password. I just figured that since I use a similar combination for a couple of my accounts elsewhere, I was just confused and didn't think anything of it.

This kept happening over the next few weeks until I finally decided to try to figure out what was going on. To make a long story short, I've come to the conclusion that if your password ends in a number, it is possible to still log in with the incorrect password.

For example:
  • If your password is "jimmyjohnson" you can only log in with that password.
  • If your password is "jimmyjohnson123" it is possible to log in with anything after "jimmyjohnson123", such as "jimmyjohnson123asdjfasldkfj".
I had someone one night try this whose original password did not end in a number. It did not work. Then I had them change their password to something that did end in a number; it worked like a charm.

The weird thing is that it does not work for everyone; however, I have had other people try it and they have succeeded at logging in with an incorrect password. I don't know why it works for some and not for others; the only thing I know is that it is possible.

Try it for yourself and find out. If your password does not end in a number, change it to something that does and try it out. Make sure you change your password back to something original. Please post your comments and let me know how many of you this works for. But please, be smart about it and don't post your login credentials on here or anywhere else.

As a side note, to those of you unfamiliar with password strength: the more characters you use, and the wider the variety of characters you use, the harder it is for someone to guess your password.
  • Examples
    • Weak passwords: johnson, apple, password, crack, rainbow, flower
    • Medium passwords: johnSon45, na5scar5, jack45daniels
    • Strong passwords: 45BiTeM!e, Six16teen!!, Welcome!
Here is a link to a password checker, http://www.microsoft.com/athome/security/privacy/password_checker.mspx. I know it's from Microsoft, so don't bash me. But it will let you know how secure your password really is.

If it works for you, I would recommend changing your password to something that does not end in a number, as I have had no success logging in with an incorrect password when the original password does not end in a number.

Disclaimer: I am by no means a security expert, nor am I claiming to be. Yet I do believe that this should be made known, because to me, and I am sure to many others, something like this should not happen.

1 comment:

kuza55 said...

I had a look and I think you missed the mark on this one.

From what I can tell, any password which has 10 characters in it can have characters appended to it. So 123testing can also be typed as 123testingtesting and be considered correct.

So while it's definitely an oddity that needs to be fixed, as far as I can tell there's no real way to exploit this, because all passwords must be 10 characters or less, and so trying longer passwords is pointless.

All it tells us is that MySpace doesn't store hashes, but we already knew this from the forgot password link.
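The behaviour described in the post and in kuza55's comment is consistent with a login check that only looks at the first 10 characters of the submitted password. The following added example (not code from MySpace or from either author) emulates that defect next to a check that hashes the full password with a salt and compares digests in constant time; the 10-character cut-off is an assumption taken from the comment, and the concrete passwords are the ones quoted above.

```python
import hashlib
import hmac
import os

# Assumed truncation length, taken from kuza55's observation that any
# 10-character password accepts trailing junk. The real implementation
# behind MySpace's login is unknown; this only reproduces the symptom.
MAX_LEN = 10


def truncating_check(stored: str, attempt: str) -> bool:
    """Emulates the reported defect: a plaintext comparison that discards
    everything after MAX_LEN characters. A stored 10-character password
    therefore matches any attempt that starts with those 10 characters."""
    return stored[:MAX_LEN] == attempt[:MAX_LEN]


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the entire password. Nothing is cut
    off, so appended characters change the digest. Returns (salt, digest)."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(salt: bytes, digest: bytes, attempt: str) -> bool:
    """Recompute the digest for the full attempt and compare in constant
    time, so the comparison leaks neither length nor prefix information."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed inputs: the 10-character example from the comment, plus a
    # shorter password to show the symptom only appears at the cut-off.
    print(truncating_check("123testing", "123testingtesting"))  # True: defect
    print(truncating_check("apple", "applepie"))                # False
    salt, digest = hash_password("123testing")
    print(verify_password(salt, digest, "123testing"))          # True
    print(verify_password(salt, digest, "123testingtesting"))   # False: fixed
```

Whether a site truncates at login, or silently truncated at password-set time, the observable symptom and the defensive fix are the same: hash the full input and never compare prefixes.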