Though the site is said to have fixed the problem it was said by
news reports to have been active for months. Nobody at MySpace was
immediately available for comment.
The explosion of social networking sites has caused significant
worry for parents and politicians over how to protect children from
sexual advances over the websites. The amount of information that
young people reveal about themselves coupled with the opportunities
for deception by sexual predators has led to concerns that the
sites can be dangerous.
The leading social networking site, MySpace, introduced private
profiles as a security measure. Earlier this summer, MySpace owner
News Corporation introduced new rules to protect teenagers.
The profile of anyone under 16 was changed so that it was
automatically set to 'private', a status that users could
previously choose but which was not compulsory. Users over 18
attempting to contact users under 16 now have to type in the
child's actual first and last name or email address in order to
initiate contact, a move designed to protect children from
unsolicited advances.
A piece of code has now been revealed which users claim can
allow access to private profiles. Information about the hack became
widely publicised through news site Digg.com last weekend, and
reports this week claim that the problem has been fixed.
There are much earlier reports of the existence of the hack,
though, which suggest that profiles have been being hacked for
months. A post by a user called AtariBoy on the site Geeklimit.com
in April detailed a hack which claimed to access users' private
profile details.
"Many myspacers use CSS [cascading style sheets] to hide their
comments, friends list and blog links," wrote AtariBoy. "These
elements are not deleted tho [sic] and are still available publicly
to anyone. You can view them by one of two methods below."
The site was said this week to have fixed the problem, though
some users of the hack reported subsequently that it still worked
and private profiles were still accessible.
"In the UK, the vulnerabilities alleged could amount to a breach
of the Data Protection Act," said Struan Robertson, editor of
OUT-LAW.COM and a technology lawyer with Pinsent Masons.
The Data Protection Act says that 'appropriate technical and
organisational measures' must be taken to prevent unauthorised
access to personal data held by organisations.
"For any site, the technical measures that are appropriate will
vary depending on the type of data held and the harm that might
result from a security breach," said Robertson. "There is best
practice guidance in the UK for sites used by children and, if the
allegations are true, it may be that MySpace fell short of the
standard expected."
The Home Office taskforce's 'Good practice guidance for the
moderation of interactive services for children' refers to the Data
Protection Act provisions and notes: "If data systems are
vulnerable to hacking, or operated by people outside the control of
the service operator, there is the potential that the security of
users' personal data could be at risk."
If the Act's security principle were found to have been
breached, a person who suffered as a result could be entitled to
sue in the UK for compensation for distress.
