67 comments

[ 8.0 ms ] story [ 33.8 ms ] thread
Does MySpace still exists?
Don't expect there to be anything there from back when you actually used it. They deleted all of your wall and private messages years ago.
Why would they do that? To alienate the few people who are still using the website for some reason?
I have mine in a zip file somewhere... They had an option to download it for a while.
Yea I think I have mine somewhere as well. I really hate they removed all that historical data though. They could have probably banked on a trickle of logins simply from people looking for the nostalgia.
I actually recently requested and received and export of my blog posts. So there is that at least...
The default friend account and one of the founders (Tom) is on Instagram these days travelling the world and sharing info on taking photos. Seems like a really friendly and genuine guy, and his travels and photos are very good:

https://www.instagram.com/myspacetom/

Why isn’t he on MySpace?
Because he cashed out and it's now more or less dead. Maybe he changed as a person, and customising the look of his social profile matters less to him at this age than the content that he posts?
I remember a time where you could embed js and css in the forums. I never want farther than seeing if I could steal my own login cookie (being new to js I was sure I just had to have overlooked something) and change posts of a user without that user seeing that change haha (test user also being myself, in some god forsaken part of the forum nobody used), then backed off that stuff for fear of being banned and made little "utilities" like expanding text boxes, and pretty stylesheets of course. There was just nooooobody paying attention, I can absolutely vouch for that.
I found a bug like that in Yahoo Personals back in the day. Used it to impress a girl by making extra stuff pop up in her timeline or whatever. Nowadays it would be worth a fat bounty though.
I remember being able to get higher rates as a web developer/designer in high school by being able to make special myspace pages that covered up the UI for businesses.
Some of my first gigs/job were setting up new myspace layouts for indie bands. Company I worked for had a custom player built and everything. I remember finding some awesome hacks to make stuff work when myspace rolled out their own player and tried to force it on everyone.
It took me just few minutes to get started as a paid member on this site [Check Details Here⇒>https://is.gd/qKRnJt ] and I work few hours a week but make enough money to last me for a whole month. Talk about less effort and more profit. Paid surveys at home is the best site to join for online surveys. What a great site!
wow. I haven't gone to it yet - what could it be? what would be the most interesting thing it could have turned into? a cryptocurrency? a UK political party? e-cards? An asteroid mineral rights ponzi scheme? wow.
Myspace was an XSS playground. You could embed javascript into anyone's profile, by leaving a flash applet (or for that matter a java applet) in a comment, and having it do an openurl to a javascript: url, which would execute in the context of the user viewing it.

I had fun replacing people's profile pictures after the page loaded, or stopping all of that annoying background music.

It was also possible to capture someone's document.cookie, as late as 2008.

Good times...

A Norwegian social site back in the days called Nettby ("net-city") also allowed some html, but did it by just removing unallowed tags. I realised I could write <scr<script>ipt>, and after it did the removal of the first script tag I still had one.

This trick still works on surprisingly many sites. Allowing custom html is hard, so think long before rolling your own.

a good content security policy goes a very long way towards allowing workable custom html
Honestly if it's comments, just use Markdown or something. No reason for your users to have access to HTML.
You might not realise it, but the average markdown spec allows embedding html as well.
When you find a site that does this, throw up their login box and the user is looking at a seemingly legit login box genuine hosted by the target site, security certificate and all!
And if you are going to roll your own, whitelist, don't blacklist. And not just tags, but attributes, CSS rules etc., as well as text content (including escaping)

Of course, doing that will quickly tell you why you'd probably want to not roll your own...

I have rolled my own, twice, back in the day (once for the webmail service Nameplanet which started life in Oslo), and it was an ongoing pain of having to argue with people over why X or Y was filtered out because they didn't realise how it could be abused.

I really don't want to ever do that again.

Once in 2008-2009 I accidentally found CSRF on vkontakte.ru (now vk.com, now it's very popular social network). I created post on Livejournal with image that loaded from my server, responding with redirect to CSRF URL that posted random phrase from logged in user to single discussion thread. It looked like hundreds of people doing dadaist discussion.
Myspace was a malware playground. Stuff like Apple QuickTime didn't have a decent updater back then, so it was script-kiddy galore. End of the line for the anything-goes web.
there was a fairly popular service called spyspace that let myspace users track their visitors using similar methods.
As I remember, it was being exploited for styling pages. When I registered there, I wondered how everyone change backgrounds and fonts on their pages (usually with quite insane look), and then found a post how to do it: add <style> tag to one of profile fields.
No less secure than most people's bank accounts.
Who owns MySpace now and why does the author's screenshots have varying typos? The "email found" prompt changes from "...Please remeber [sic] update your email address after you log in" to "Please remember to update your email address after you log in."

Also, the real MySpace.com's account recovery for "I don't have access to my email" is now taking you to a myspace.desk.com ticketing frontend and a screen that looks nothing like the author's post.

Suspicious.

The variations on the screen shots might have been the author using debugging tools to change some info so not as to use or compromise a real account. I have done that myself for some tutorials and posts.

The post was made today, but maybe it got big enough MySpace immediately change it? ¯\_(ツ)_/¯

It’s another Murdoch ‘asset’ I believe.
Rupert Murdoch bought it for $580 million in 2005 and then sold it to Justin Timberlake and Specific Media Group a few years later for $35 million. According to their Wikipedia page Timberlake & Co sold it in 2016 to Time Inc.

http://variety.com/2016/digital/news/time-inc-myspace-viant-...

And it was an assets sale to Time which resulted in all common stock holders (aka employees) getting wiped out. Good times.
The last trade is a shame. I saw the demo of MySpace around 2014 and found it almost exciting. It was at the time when they were trying to make it all about media consumption with transparent handover between devices and TVs / computers. The tech looked quite fun. Looks like they couldn't get enough interest to pull it off :-(

For some reason they were trying to get geeks at local meetups excited about it. I got a can of MySpace-branded energy drink which was one of the weirdest gifts...

(comment deleted)
That's brilliant. :)

Apologies if snarky, but perhaps $15 on this would be well advised: (Humble Bundle deal also on FP today) https://news.ycombinator.com/item?id=14791255

Just bought the bundle; looking forward to learning more about security myself. I would like to think I know the obvious things, but will probably find big gaps if I get through all of it..

I took the habit of feeding fake random information to all websites asking too noisey questions and keeping track of them in case I need them for recovery. A website doesn't need my exact date of birth, at most it may need my approximate age. It doesn't need my real name either, even if it wants to deliver something to me, the address should be all it takes. It doesn't need my real email address, all it needs is some email alias that I can delete. Good practice for privacy, spam management and security since it is harder to guess this information and to reuse it when leaked.
So much this. I've never saw the need to do give information out like that. As far as every website is concerned my DOB is 01/01/1990.
Thanks for the information :)
I always use 1/1/1911 to shave off a few more of those precious microseconds
If so, did you then just compromise yourself?
(comment deleted)
01/23/45, down side is I am getting targeted for a lot of end of life planning ads as of recently! (through snail mail of course)
Careful with mailing physical things via the USPS to different names at your address. You might run afoul of mail fraud laws.
You could use always use plausible nicknames. Humans will tolerate them, but exact-matching computer systems won’t. For example, if you were Nathaniel William such-and-such, you’d have a large supply: Nat, Nath, Natty, Nathan, Niel, Neil, Thaniel, N. W., William, Will, Willy, Bill, Billy, Liam…
I've had a few recent discussions with various people at post-offices, here in Finland.

The counter staff repeatedly complain that parcels are addressed to "Steve" not "Steven" (which is the name on my official ID.)

It's a very weird situation to be in, as somebody from the UK where such things just don't matter.

I don't see how it would even matter. What if you host a friend for a few weeks at your place. Isn't that friend allowed to receive mail?
In many countries there are super-serious laws about mail being delivered to the addressed recipient and not opened or interfered with by anyone else, from the days when it was the only form of official communication and used for matters of life and death.
It's not about matching the address to the legal resident, but matching the recipient name to the name in your official ID when you go to a post office to pick up a parcel. That is, authentication. Letters and small enough parcels are delivered directly to your address; with those the recipient name doesn't really matter except for possibly disambiguating an incomplete/incorrect address at the mail sorting center.
My usps postman won't deliver mail if the name on the letter doesn't match the names on the mail slot.
Have things shipped to "current resident"
(comment deleted)
Are birthdays part of the 360 million user account breach?
I attempted recovering my ancient Myspace account just now claiming I'd lost the email. I was directed to a Zendesk form that looked different from the one shown in the screenshots. So looks like they might have changed the process now?
Myspace still exists?
Also the amount of poor/broken English on that form and the dialogs makes me suspect outsourcing.
Oh no, I hope my Digg and Hotmail accounts are still safe.