News

Actually, Crime Does Pay

How to find fame and fortune by hacking into MySpace.

By Rebecca Meiser 

Seven years ago, Rick Deacon was an apathetic Elyria Catholic freshman with nothing to do. Classes were a bore, and those school-spirit types made him want to hurl. So Deacon, a budding computer geek with enough teenage angst to fill three Bright Eyes albums, found a more entertaining way to occupy his time: hacking into AOL accounts.

Using a fake name, Deacon would sign into chat rooms, then randomly send instant messages to members. "Want to chat?" he'd ask, offering up a fake photo of himself. Pity the person who innocently clicked.

The photo contained a Trojan virus. Once clicked, it wormed its way into recipients' computers, embedding the equivalent of a wiretap in their hard drives. Unsuspecting users were totally exposed.

Deacon could view every site the victims visited, every word they typed, every mouse click. He was like a ghost standing over them, and they had no idea he was watching.

But the 14-year-old soon discovered that voyeurism isn't as interesting as advertised. Tours of other people's favorite sites isn't exactly titillating. "Lots of porn," he says. Then there were the people who performed for their webcams. "Seeing naked people of the same gender . . . I'm not down with that so much."

Besides, as any good burglar knows, breaking in is usually more exciting than the score itself. He was left with the meager thrill of bragging to friends that "I just hacked 150 people last night,'" he says.

So Deacon looked for more challenging pursuits. In 2004, MySpace was just taking off. He soon realized it was "probably hackable."

The site relies on hundreds of web applications, used by members to get backgrounds and slide shows onto their pages. Deacon knew MySpace administrators couldn't vet each application for vulnerabilities. Within four hours, he'd come up with a hack that was thematically similar to the one he'd used on AOL.

Using a fake MySpace profile, he'd send a friendly message to other users, something like "Hey! Look at this!" or "You've really got to see this site!" The links were decoys. Once they clicked, users were redirected to Deacon's server, which would then steal their log-in information. That allowed Deacon to hijack users' accounts, where he could send e-mail, read private messages, even change pictures.

Unfortunately, Deacon was developing a conscience. The fun wasn't in stealing information, but in figuring out the mechanics of a system, dismantling it, and finding its weaknesses. So Deacon wrote an anonymous e-mail to MySpace explaining the site's vulnerabilities.

Three years later, Deacon was a 21-year-old computer-science student at the University of Akron. MySpace, in turn, had landed among the most popular sites on the web. But it still hadn't fixed one glaring problem — the one Deacon had warned it of three years before.

So in January, he wrote to the organizers of Def Con, the nation's largest hacker convention, asking to give a presentation about his MySpace finds.

By August, Deacon was walking into a massive conference room at the Riviera Hotel in Las Vegas, expecting to see 200 people, 300 tops. Instead, about 2,500 pairs of eyes peered up at him. Standing onstage, with his gelled stegosaurus hair, rimless glasses, and outdated laptop, he felt like a second-grader on the first day of school.

But he pulled himself together and delivered an hour-long presentation. The reaction was immediate.

He received a string of text messages from friends asking, "Dude, where's your MySpace page?"

Apparently administrators attending the conference weren't as impressed by Deacon's revelations as the reporters who swarmed him. Five minutes after his presentation, MySpace deleted his account. Administrators curtly informed him that he'd "violated their terms of service."

Yet MySpace was three years late. He quickly became the star of Def Con. Strangers called to buy his hacking secrets. Security firms harassed him for business cards. All over the country, amateur hackers were talking about Deacon's find.

"At age 21, being able to find a way into one of the most popular social networks is a pretty great achievement," explains Ryan Singel, a writer for Wired magazine. "Any 21-year-old hacker would love to have that on their résumé."

Unexpectedly, Deacon found himself at the forefront of internet-security research. With financial sites bulking up their safeguards, sites like MySpace and Facebook have become preferred targets. Profiles contain a repository of personal information for identity theft. Hackers can use hijacked MySpace pages to send pounds of spam. They can also create viruses that plumb for personal information stored on hard drives, like credit-card numbers and passwords.

"Cyber crime has shifted," says Thomas Claburn, an editor at InformationWeek. "All of the major security firms have noticed that the trend has been toward lower-profile attacks — specifically social-networking sites."

After Def Con, MySpace finally fixed the flaw, assuring members that they "have the most responsive, solely dedicated 24/7 safety and security team" available.

Deacon, meanwhile, received a job offer from a big-name security firm in California, testing the vulnerabilities of corporate websites. But he turned it down in order to finish school. "It would suck to be in California and suddenly lose my job, with no degree to fall back on," he explains.

In the last few months, he's hacked into other sites — including tix.com, an online ticket-ordering service. But this time he got a different response. When he informed administrators of the breach, they fixed it.

He's now self-published a book: How I Hacked MySpace: A Guide to Owning MySpace, which sells for $9 on eBay. Yet he still has a bone to pick with the company that made him famous.

Though he's since put up a new profile, it's not as good as his old one. "I don't see why they had to delete it," he whines. "There's still old friends from high school I haven't been able to find since."