I was curious what it would take to make a MySpace profile importer today.  So I did some HTTP spelunking, and found a bizarre mix of cookies, headers, redirects, and dynamic javascript protecting the family jewels.  In order to programmatically log into my MySpace account, I have to get the page, add some cookies, submit my username and password to another page via a POST and a unique session ID that's apparently assigned on each visit to the login screen.  The javascript that's loaded writes out a dynamic script tag, which writes out yet another dynamic script tag which a javascript file located at some domain called ads.revsci.net.  That file sends back a bunch of cookies, which are then submitted to the login page, apparently all to verify that you're using a browser that can execute Javascript.  I could easily crack it given a day or two, but right now it's more trouble than it's worth and I don't know if they change it up regularly to avoid information farming.  But I thought it was funny that they jumped thru all of those hoops and send their user's passwords in plain text when they could have easily just used digest authentication.  Apparently they're going to all kinds of lengths to hold their user's data hostage and ensure that they remain a data silo forever.

There were a few people who came up with a script (libmyspace) to extract information from MySpace accounts a while back, but it looks like MySpace has locked it down as a result.  But if anyone's wondering--yes, MySpace doesn't have a clue about proper security practices or encryption, and yes it looks like the data can be extracted, it's just a tedious process to figure out the correct sequence of events.