Paris Hilton, Lindsay Lohan private pics exposed by Yahoo hack
Want to see Paris Hilton's MySpace profile? How about Lindsay Lohan's? Don't worry about those pesky privacy settings. Thanks to "data portability," a faddish technology movement that the Valley has been buzzing about for months, you can see any profile you want on MySpace. Byron Ng, a Canadian computer technician with a knack for finding Web security holes, has discovered that Yahoo's integration with MySpace makes it easy to view photos for any profile. These images, which Ng obtained from Hilton's and Lohan's profiles, speak to the danger Yahoo and MySpace's lax data-sharing habits pose:
How did Ng get them? Here are his instructions, which involve no real hacking or unauthorized access — just typing in Web addresses. They work because Yahoo allows its users to add their MySpace profiles to their cell phones without checking their credentials; it requires a login, but accepts any login, not the specific user's login.
This points to a flaw in the notion of data portability, a movement which seeks to have personal information shared between social networks and other websites. Data portability was born out of a wrongheaded assumption: that data needs to be shared. Most consumers, I believe, aren't particularly interested in the concept; they belong to a few social networks at most, and don't find managing their online personas to be a particular challenge. The technophiles of Silicon Valley, however, join every network they hear about, and find retyping their personal information and manually adding friends maddeningly inefficient.
It's all well and good to speed things up, but how far, how fast? The example discovered by Ng just demonstrates the tendency of Web companies to take shortcuts with security. With data portability, we won't just have to worry about how well a particular social network guards our personal data; we'll now have to worry about every partner website it connects with.
Technical experts — every engineer in the Valley considers himself one — will no doubt weigh in with elaborate approaches to assuring security. I'm skeptical that any of them will work. It's a combinatorial problem; not only will the protocols have to be designed to be airtight, but we'll have to trust that each website implements them flawlessly. It only takes one weak link to break the chain. Already, Facebook has cut off Google's connectivity to its profiles in a dispute over whether Google's software is secure enough. Even the fame-seeking likes of Paris Hilton and Lindsay Lohan deserve better.
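The flaw described above (a login is required, but any login is accepted) is an authentication check standing in for an authorization check. The sketch below is an added example, not Yahoo's or MySpace's code: the profile store, session tokens and function names are hypothetical and the sample data is constructed. It shows the weak handler beside one that applies the profile's own privacy setting to the logged-in viewer.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    owner: str
    private: bool
    photos: list
    friends: set = field(default_factory=set)

# Constructed sample data (hypothetical users, not real accounts).
PROFILES = {
    "celebrity": Profile("celebrity", True, ["private1.jpg"], {"close_friend"}),
    "open_user": Profile("open_user", False, ["public1.jpg"]),
}
SESSIONS = {"tok-stranger": "stranger", "tok-friend": "close_friend",
            "tok-owner": "celebrity"}

class Forbidden(Exception):
    """Raised when a request is unauthenticated or not permitted."""

def authenticate(token):
    """Map a session token to a user name; proves identity, nothing more."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("login required")
    return user

def photos_weak(token, profile_id):
    """Flawed partner handler: any valid login unlocks any profile."""
    authenticate(token)  # identity is checked, then never used
    return PROFILES[profile_id].photos

def can_view(viewer, profile):
    """The source network's privacy rule, enforced on every partner request."""
    return (not profile.private) or viewer == profile.owner \
        or viewer in profile.friends

def photos_hardened(token, profile_id):
    """Same handler, but the decision depends on who is asking."""
    viewer = authenticate(token)
    profile = PROFILES.get(profile_id)
    # Identical error for "missing" and "private" so existence is not leaked.
    if profile is None or not can_view(viewer, profile):
        raise Forbidden("not permitted")
    return profile.photos
```

The check belongs on the side that owns the data, so that a partner integration cannot bypass it by omitting it.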