Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace photos

Summary: The recently introduced data availability initiative at MySpace allowing everyone to share their profile data with other community and social...


The recently introduced data availability initiative at MySpace, allowing everyone to share their profile data with other community and social networking sites across the Web, has just suffered its first major privacy flaw, exposing the private photos of Paris Hilton and Lindsay Lohan and prompting Yahoo and MySpace to disable the data availability between the services until they fix the flaw:

Pictures of Paris Hilton and Lindsay Lohan from private MySpace profiles can be seen by anyone on the Internet, thanks to a flaw in a system that helps the social-networking site share information with other Web sites. The incident underscores a new challenge for businesses: Security becomes a multi-front challenge once you start sharing information outside your walls.

Byron Ng — a computer technician who earlier this year found a way to access Paris Hilton’s Facebook page — walked the tech-gossip blog Valleywag through a 15-step process that allows people to see supposedly-private pictures and other information by first logging into Yahoo, which is one of the sites that shares information with MySpace.

With Paris Hilton's T-Mobile Sidekick account hacked two years ago (Hilton's mailbox; Hilton's contact list; Hilton's photos), followed by her private Facebook photos being exposed last month, it's becoming a rather common event to demonstrate a major privacy-exposing leak or a security flaw by testing it on celebrities, with the idea of attracting as much attention as possible. None of these hacks would be possible if their "privacy through obscurity" MySpace profiles weren't a public secret. For instance, Paris Hilton's private profile and Lindsay Lohan's profile have already been tracked down by fans, which positions them at the top of the target list for testing of flaws.

From another perspective, celebrity hacking is a win-win-win situation for all three parties: the celebrities enjoying some publicity, the vulnerable services that get a live fix for millions of their users, and the celebrity hacker for, well, being the celebrity hacker. It's also a great way to demonstrate how one service can undermine the privacy preferences already set at another service; in this case an integration flaw at Yahoo undermines the privacy preferences set on a MySpace profile.
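The article does not describe the mechanics of the Yahoo/MySpace flaw beyond the fact that a partner integration served content the origin site had marked private. The following is an added illustration, not code from the article or from either company, of that class of bug: a partner-side "data availability" gateway that trusts the partner session and hands back whatever the sync returned, next to one that re-evaluates the origin's own privacy policy for the actual viewer on every request. Profile names, photo ids, the visibility levels and the `PartnerSession` shape are all constructed for the example.

```python
"""Added example: enforcing origin-site privacy settings at a partner gateway.

The weak version returns every photo the sync API delivered, so the
origin's privacy preferences are silently dropped once data crosses
the integration boundary. The hardened version maps the partner
session back to an origin identity (or to "anonymous") and applies
the origin's policy per photo. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Photo:
    photo_id: str
    visibility: str  # "public", "friends", or "private" (owner only)


@dataclass
class Profile:
    owner: str
    is_private: bool  # a private profile shows nothing to non-friends
    friends: Set[str] = field(default_factory=set)
    photos: List[Photo] = field(default_factory=list)


@dataclass
class PartnerSession:
    """A user logged in at the partner site (constructed model)."""
    partner_user: str
    # Origin-site account this partner user has linked, if any.
    linked_origin_user: Optional[str] = None


# Constructed sample data standing in for the origin site's profile store.
PROFILES = {
    "celeb": Profile(
        owner="celeb", is_private=True, friends={"fan"},
        photos=[Photo("p1", "friends"), Photo("p2", "public"), Photo("p3", "private")],
    ),
    "openuser": Profile(
        owner="openuser", is_private=False,
        photos=[Photo("q1", "public"), Photo("q2", "friends")],
    ),
}


def serve_photos_vulnerable(profile_id: str, session: PartnerSession) -> List[str]:
    """Weak gateway: any partner session sees everything the sync returned."""
    profile = PROFILES[profile_id]
    return [p.photo_id for p in profile.photos]


def can_view(profile: Profile, photo: Photo, viewer: Optional[str]) -> bool:
    """Origin-site policy, re-applied to the viewer the partner resolved."""
    if viewer == profile.owner:
        return True
    if photo.visibility == "private":
        return False
    is_friend = viewer is not None and viewer in profile.friends
    if profile.is_private and not is_friend:
        return False
    if photo.visibility == "friends":
        return is_friend
    return True  # public photo on a profile the viewer is allowed to see


def serve_photos_hardened(profile_id: str, session: PartnerSession) -> List[str]:
    """Hardened gateway: an unlinked partner session is anonymous at the origin."""
    profile = PROFILES[profile_id]
    viewer = session.linked_origin_user  # None means anonymous w.r.t. the origin
    return [p.photo_id for p in profile.photos if can_view(profile, p, viewer)]


if __name__ == "__main__":
    anon = PartnerSession("partner_visitor")
    print("vulnerable, anonymous:", serve_photos_vulnerable("celeb", anon))
    print("hardened, anonymous:  ", serve_photos_hardened("celeb", anon))
    print("hardened, friend:     ", serve_photos_hardened("celeb", PartnerSession("x", "fan")))
```

The point of the split is that the partner never owns the policy: a session at the partner site only becomes a viewer at the origin once it has been mapped to an origin identity, and an unmapped session gets exactly what an anonymous visitor to the origin would get.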

Topics: Social Enterprise, Legal

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Who cares?

    A lot of people obviously. The question is why?
    • Because People are Sheep

      And ZDnet has become a tech site that simply bases articles off of hit counts.
      • yes

        yea people are sheep and most people who love Paris should see this video
  • I think ZDnet is paying too much attention to Celebs.

    Personally I could care less about the latest celebrity who has their personal information hacked. That only draws attention to the person and forces the individual to lock down their account information quicker. Then they have to deal with the additional harassment until all of their personal information is changed to prevent further exploit.

    I honestly question whether this is a Tech News site or if this is the gossip column on TMZ.

    Thanks for bringing us this crap Dancho
    • Probably

      But there are times when celebrity stories help to illustrate a tech problem. What happened to the two women in question could have happened to just about anyone.
      John L. Ries
    • Just remember...

      CBS bought these guys out...
      • RE: Just remember

        No doubt some media w h o r e in management wanted to "sex" up the site.
    • It's great to report it if it can help fixing it for everyone

      It's great to report it if it can help fixing it for everyone.
      Too many companies do almost nothing to protect users' privacy, or when an incident is detected or reported, they hide the fact and don't take the necessary measures to limit its impact.
      If celebs can share their private data on the web with their own friends or family, they need at least the same level of trust in the service as what we, the billions of unknowns, need too.
      If celebs are abused on these networks, we are also affected, but there will be almost nobody who cares about it.

      At least this reveals that everyone needs privacy, and organizations that make mutual agreements to exchange their data without clearly notifying their users of this, or even allowing them to control this dissemination, are effectively taking too much risk with our private data, even if they adopted some technical protocol to allow this. Those technical protocols are flawed, and we all know what this means when we can see that any email created somewhere in the world becomes the target of thousands of spam messages and other security attacks from around the world in a matter of a few weeks (and then this becomes unstoppable).
      Companies sharing data about their users should be forbidden to do that in a way that is not manageable by users from the single source of personal data injection.
      In fact there should exist NO sharing of data with third parties at all, and even if this is granted, such a grant should never be transitive (i.e. not re-transferable, and manageable from the initial service directly).

      Almost all databases with user data in the world are simply illegal in their existence and should be deleted if they have integrated data coming from other sources than the users themselves and directly.

      Personal data should be kept by online services just as if they were medical personnel: the secret should remain absolute, not personally identifiable at all. Personal data should also be protected with at least the same level as copyright under WIPO rules: users are giving only a strictly personal and non-transferable licence to the service on which they give their details, only for the purpose of interacting with the service itself; too much data is collected that is absolutely not needed for the effective execution of the service.

      When will laws forbid all resales of databases with personal data, and criminalize those doing it, or set huge fines for organizations to pay to each abused person? This would really force organizations to take extreme security measures, and stop counting on their own technical resources: this data collection MUST be tested by certified security agencies, possibly official ones.

      Without such certification (which needs to be reviewed regularly and each time the control of an organization passes to another one, so that its extension effects will be strictly limited to cover only the equivalent initial service, and nothing more), such databases should really be illegal and promptly deleted permanently (or transferred to an official escrow with better protection, just to make sure that it will not forbid the continuation of the service for those that have a legitimate right to interact with it).
  • Those usernames...

    Are you seriously saying that Lindsay Lohan's MySpace username is privacycunt? Seems a little inappropriate for her...
    • RE: Those usernames...

      You will get no argument here.

      What I do find strange is that your post with the "c" word was NOT censored, but in a post above, where I referred to a "media w----", it was initially censored. Editing the post to insert a space between each letter overcame that obstacle.
  • The moral of the story is...

    ...anything sitting on a publicly accessible website isn't really private. Private photos are best kept on your own equipment.
    John L. Ries
  • That's soooo nawt hawt!

    Unfortunately, one of the many pitfalls of collaboration is lapsed security.

    If you imagine four opposing axes that are related to software security: Security vs. Features vs. Convenience vs. Time.
    You can't have more than one without taking away from the others. In this case, MySpace added Features+Convenience in favor of Security+Time.
  • RE: Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace photos

    If you do not want to share anything on the internet, don't put it there. We all know of hackers and all. Living in cyberspace and using its free services has its drawbacks. Or 'withdrawBucks' may I say!

  • Haven't we seen enough...

    ...of these two losers?
    • re: Haven't we seen enough...

      [i]...of these two losers? [/i]

      I'd only heard of one of them before this, so I'd say no. But the one I'd heard of, Paris Hilton, I've only seen gossip stories about her. I've seen lots of gossip stories about, say, Madonna or Michael Jackson, but at least I know how they got to be celebrities. Hard work. Paris Hilton - I have no idea. Maybe I'm getting old.
    • RE: Haven't we seen enough...

      You will get no argument from me!!!

      In fact, we can add Britney Spears to this list!
  • RE: Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace photos

    I think we need to focus on what is important right now in the world, like world hunger and the war... who really cares about stupid pictures of two girls that are at clubs and stuff, but I guess this is what people like, which is really sad.
    Peace and love people!
  • RE: Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace p

    So why didn't you attach some of the better photos?
    OK. So I am shallow. I liked the video of Paris. It was low quality porn but I liked the idea of it. This is an artifact of our culture. Maybe they leaked the photos as a publicity stunt and called it a privacy flaw. Who cares is right. Lets see the photos.
  • RE: Privacy flaw exposes Paris Hilton and Lindsay Lohan's private MySpace p

    Paris has more than just privacy flaws to deal with. Take a look at her in this screen test provided by