Privacy of MP3 fans at risk

Online song swapping now holds a security threat

A new security hole has been discovered in one of the world's most popular file-swapping programs which could allow anyone to gain private information about its millions of users.

Security experts have found a way to gain access to the computer hard drives of users of Morpheus, which has taken over from Napster as the leading internet song-swapping service.

It means that the personal details of up to two million people could be exposed to prying eyes.

"Anytime a weakness like this one shows up in a peer-to-peer client, it can damage the credibility of the entire system," said Jack Spratts, a leading file-sharing expert.

"Damage can range from insignificant for those whose PCs contain little in the way of personal information all the way up to severe.

"It all depends on the contents of the affected users' machine and how much of it they've allowed shared, inadvertently or otherwise," he told BBC News Online.

Using the Morpheus file-sharing program, people can swap music, videos or movies with other users of the software.

Users 'vulnerable'

Member of the security group 2600 said they have been investigating this problem since coming across it on Friday.

They found a different hole to one reported several months ago involving a specific computer port.

Using the Morpheus program, they found a way of getting a random list of people using the service.

They could then obtain details of the files on a user's hard drive and make copies of any file. This includes software installed on a computer or a list of websites that person visited.

"We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

"Potentially this could make every user's computer available to anyone who wants to have a look at it.

"All we know is that there's a major gap that's allowing certain users to become vulnerable."

The group contacted BBC News Online out of concern about the privacy implications of the security hole.

"It's definitely an accident from Morpheus' side. This is very dangerous," said the group.

BBC News Online tried to contact Morpheus but no one was available for comment.

New methods of file-sharing

Napster was shut down by an American court last July for breaching music copyright.

The legal status of Morpheus is in dispute.

Last week, a Dutch court found that a similar file-sharing service, Kazaa, provided software that encouraged copyright infringement.

It ordered Kazaa to stop the worldwide distribution of its popular software.

The Recording Industry Association of America, which spearheaded the fight against Napster, is reportedly looking at ways it can tackle these new methods of file-sharing.