MySpace was working to fix a security hole on Monday that allows people to see private comments friends have written on members' pages.
"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an email.
With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private comments, said Canadian computer technician Byron Ng, who alerted ZDNet.co.uk's sister site, CNET News.com, to the issue, and said he had previously contacted MySpace as well.
Getting someone's user ID is easy: just hover over the name and the user ID is the first group of numbers buried in the coding at the bottom of the page.
In addition, security vulnerabilities publicised by Ng in June, that allow MySpace users to delete bulletins from groups they don't control; to pin and unpin topics in groups they aren't members of; and to post messages to a group they are banned from, remained unfixed. Those issues are expected to be fixed within the week, MySpace said.
Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments written on member pages, even if they aren't their 'friends'.
"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in an email. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen... Private gifts are not shown on this page."
Beyond these security issues, people can use a method called 'social engineering' to get access to a stranger's profile by being accepted as a friend in their network, Ng said.
Read this
Q&A: Facebook and the price of user privacy
Aaron Greenspan warns that Facebook is sacrificing user privacy on the altar of hyper growth
For instance, someone could create a profile that looks like a party promoter whom members will befriend to hear about events. Or someone could create a profile with the same name as someone who is already in a target's friend list with the hopes that the target will be confused and accept the imposter, Ng said.
"If the average citizen is worried about people spying, never add anyone, even a 'friend', without telephone or email confirmation that it is legitimate," Ng writes in an email.
For people who want to keep an eye on who is viewing their MySpace pages, there are two sites that offer tracking services: ProfileSnitch.com and WhoVisited.com.
Those sites allow MySpace members to embed HTML code in their profile pages that reports back to the tracking sites so members can see who was viewing their pages. This only works with MySpace and not Facebook, however, because MySpace allows members to use HTML in their profiles and Facebook does not, Ng said.
