10/17/06 — Chapin Information Services (CIS)
has again identified a music website with unresolved security problems.
MySpace now joins ClearChannel and Yahoo
on a growing list of companies that operate vulnerable Internet servers.
All three of these services host music files that can be downloaded anonymously on the public Internet.
Yahoo Music, with a problem spotted 16 months ago, has an extensive archive of
128 kbps Windows Media files online. ClearChannelMusic was more recently identified
as making available new and unreleased albums in 160 kbps MP3 files.
MySpace is a unique service because it allows users to upload their own music files. The servers have only 96 kbps MP3s,
but are more likely to include unsigned bands and obscure selections.
MySpace does not charge a subscription fee for uploading or downloading music files.
About six weeks ago, a Wisconsin resident named Andrew Heinlein wanted to save an MP3 from the MySpace website. It was easy
to do at the time, and he wrote a program called
MySpace MP3 Gopher
to demonstrate how it was done.
Since then, MySpace has been upgrading its music website about once each week in an effort to neutralize
Andrew's program. Alas, they haven't done anything that would materially prevent a user from saving the MP3 data
transmitted by their website. Andrew has ably released a new program each time MySpace changed their website.
His latest revision, v3.0.1, involves the Real Time Messaging Protocol (RTMP). MySpace Music now uses RTMP to deliver
raw MP3 data. CIS has confirmed the program does not use passwords, encryption, or Digital Rights Management (DRM).
About his motivation, Andrew says, "I really have no use for the program at all. I still buy CDs from the artists
I love, just as I did before there was an Internet, as should anyone if they really support the artist."
"It's about … the MySpace people. Years ago I got an account. They totally killed my login after the last
release. I never walk away from anyone who cancels my account with no warning. Now it's a game."
It is a game on public servers, though, where music and blogs hang in the balance.
We asked, what does he get out of it? "I haven't received a cent. Reverse engineering has always been a love of mine. Most of the
important work deals with HTTP security. I find little web exploits all the time, just browsing around."
Surely he has some interest in the new Aerosmith album, freely available from ClearChannel? On that, Andrew is,
"Not a huge Aerosmith fan."
Andrew doesn't survive on the love of reverse engineering, of course. He received several employment offers
relating to the MP3 Gopher release, and is pursuing those opportunities now.
On MySpace, Andrew is trying to rebuild.
MySpace has responded by deleting Andrew's new blog and profile pages when he tried to recreate them.
There has been no other official response from MySpace, ClearChannel, or Yahoo.