Press Embargo until April 17, 2007
Rankings: Noobs: ***** LOLs: ** 0wnz: ** 1/2
In MOMBY-111 we discussed the cleartext authentication via the web interface. So, perhaps it's unsurprising to find cleartext passwords being revealed in the e-mail generated when clicking the "Forgot your password?" link on http://www.myspace.com.
Due to this implementation bug, parties in a position to intercept e-mail are also in a position to recover Myspace passwords.
One may argue that people who operate e-mail in a cleartext manner have more to worry about. But recall that anyone may trigger this cleartext password reveal; thus, an attacker who can watch cleartext e-mail exchanges (again, most commonly an eavesdropper who is listening on a public wireless segment) may induce a password revelation at will. He need not wait for his victim to log in to Myspace, but may instead wait for the victim to download e-mail over a cleartext channel (such as Yahoo! webmail), which, in this setting, may happen considerably more often.
Also note that Fox Interactive does not inform Myspace users when their passwords have been revealed in this way. Thus, an attacker who has complete control over a mail account (such as an untrustworthy mail administrator or a government investigator) may induce the password reveal, intercept the message, then delete the message, without the victim's knowledge.
Credit: Dammit, now you know my awesum password!!!
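For contrast with the behaviour described above, here is a reset flow that never mails the password. It is an added example, not code from Myspace or from the original advisory. The `ResetService` class, the `example.invalid` addresses and URL, and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60  # seconds; constructed value for this example

class ResetService:
    """Hypothetical account store: keeps a salted hash, so no password can be mailed."""
    def __init__(self):
        self.users = {}    # email -> (salt, password hash)
        self.tokens = {}   # sha256(token) -> (email, expiry time)
        self.outbox = []   # (recipient, body) pairs standing in for sent mail

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._hash(password, salt))

    def check_password(self, email, password):
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def forgot_password(self, email, now=None):
        now = time.time() if now is None else now
        if email not in self.users:
            return  # unknown address: nothing is sent, caller sees no difference
        token = secrets.token_urlsafe(32)
        # Only the digest is stored, so a leaked token table cannot be replayed.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        self.outbox.append((email, f"Reset link: https://example.invalid/reset?t={token}"))

    def redeem(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        email = entry[0]
        self.register(email, new_password)  # the old password stops working
        self.outbox.append((email, "Your password was changed."))
        return True
```

A party who intercepts this message obtains a short-lived, single-use token rather than the password itself, and redeeming it changes the password, which the account owner notices at the next login.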