Slashdot Log In
UK Mobile Operator O2 Leaks MMS Photos
Posted by
Soulskill
on Sat Jul 19, 2008 02:05 AM
from the like-a-sieve dept.
from the like-a-sieve dept.
Anonymous Hero writes "UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface. The URLs published by the MMS-to-email application are not authenticated, so a simple Google search reveals hundreds, if not thousands of private photos."
Reader ttul points out similar coverage of this issue at InformationWeek.
Related Stories
Firehose:UK Mobile Operator O2 Leaks MMS Photos by Anonymous Coward
[+]
Mobile: It's Not Just O2 Leaking MMS Messages 105 comments
wiedzmin writes "A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However a quick internet search shows that other mobile server providers, including those located in US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Tomorrow's news (Score:5, Funny)
Under pressure from the NY attorney general, major telecoms have agreed to permanently stop offering MMS service.
Re:Tomorrow's news (Score:4, Informative)
I tried to post this on
It appears that although Contract customers on the mobile network are fully able to access email and SSH via their mobile phone, yet customers subscribed through 'Pay as you Go' (PAYG; a non-subscription service, paid up in front as credit), are only given WAP access, which only provides very basic HTTP access.
Essentially this means that anyone with a pay-in-front service agreement won't be able to access their email or use anything apart from basic HTTP, even though O2 are now selling and advertising the new Apple iPhone on PAYG and stating it will support "all the same features as contract customers".
It's been reported that on contacting O2, they state its a technical problem and one that can't be resolved, yet it's also been mentioned that their own O2 POP3 mail service does work, but access to any other service doesn't.
Are O2 right to restrict access for customers not on a fixed contract? Does your mobile phone company do the same thing? And are O2 advertising unfairly?"
More information here [xcns.co.uk].
Parent
Re:Tomorrow's news (Score:5, Funny)
Reminds me of a joke:
A small town prosecuting attorney called his first witness to the stand in a trial -- a grandmotherly, elderly woman. He approached her and asked, "Mrs. Jones, do you know me?"
She responded, "Why, yes, I do know you Mr. Williams. I've known you since you were a young boy. And frankly, you've been a big disappointment to me. You lie, you cheat on your wife, you manipulate people and talk about them behind their backs. You think you're a rising big shot when you haven't the brains to realize you never will amount to anything more than a two-bit paper pusher. Yes, I know you."
The lawyer was stunned. Not knowing what else to do he pointed across the room and asked, "Mrs. Williams, do you know the defense attorney?"
She again replied, "Why, yes I do. I've known Mr. Bradley since he was a youngster, too. I used to baby-sit him for his parents. And he, too, has been a real disappointment to me. He's lazy, bigoted, he has a drinking problem. The man can't build a normal relationship with anyone and his law practice is one of the shoddiest in the entire state. Yes, I know him."
At this point, the judge rapped the courtroom to silence and called both counselors to the bench. In a very quiet voice, he said with menace, "If either of you asks her if she knows me, you'll be in jail for contempt of court!"
Parent
All your creativity are belong to google.com (Score:5, Insightful)
Back in the good old days you would have used safe ftp.
ftp never hurt anyone.
I do harbour dreams of being a Tor node operator.
Re: (Score:3, Informative)
Even so, eMail doesn't work on Pay as you Go on O2. [xcns.co.uk]
So yeah, it does affect customers. Anyone who sends an MMS to a non-MMS capable phone (presumably if the phone can't do MMS, it probably can't do eMail either), the MMS is posted to O2's website, and that's where the problem starts.
Did you bother to read the article? [xcns.co.uk]
eh? (Score:4, Funny)
hundreds or thousands..... or maybe 40? someone can't count very high before jumping to 1000!
Re:eh? (Score:5, Informative)
I posted the comment in the O2 Forums, and they not only deleted my comments, they disabled my account too! I'm glad people are finally beginning to realise this is a problem and can't just be hidden up.
For my next trick, I'd like everyone to also know that EMAIL DOES NOT WORK ON PAY AS YOU GO on O2! They've blocked port access.
Thanks!
Parent
Re: (Score:3, Informative)
Re: (Score:3, Informative)
I still get 40 results. And google isn't real time, if the pictures were taken down from the servers that wouldn't change the search results right away.
Disappointing (Score:5, Funny)
Arr, not a looker in the bunch!
Re:Disappointing (Score:5, Insightful)
Presents an interesting new way for us Slashdotters to meet girls...
Parent
no problem (Score:3, Funny)
Right now the web is being slashdotted, your pictures will be safe
I hear a thundering herd of feet.... (Score:3, Insightful)
3.....
2.....
1.....
Ohhhh, settled out of court and everyone gets 1000 free picture and MMS messaging while we fix our system.
(Im calling 3 weeks to the system being fixed)
Of course that is not all. (Score:5, Informative)
Google can dig up all kinds of wonderful information [ihackstuff.com].
Problem solved! (Score:5, Funny)
Heartfelt thanks to all the people of slashdot for mounting a DDOS attack on our servers.
The O2 team.
Re:Problem solved! (Score:4, Insightful)
Are you really from the O2 Team? If so, I've got a few words for you...
Parent
Not as bad as it sounds (Score:5, Insightful)
Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.
And It would be quite easy to write a script to try various combinations of 16 hex digits to try and randomly view a photo but depending on how many photos are being hosted the hit rate could be quite low.? Yeah, seeing as there are about 10^19 combinations, the hit rate would be fairly low. Did the author seriously consider this to be flaw?
Re:Not as bad as it sounds (Score:4, Insightful)
Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.
Their site is not suitabled secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.
From TFA, apparently these are also being picked up by Google's Toolbar.
Surely if you'd MMS'd a friend a picture message, and they'd changed to a phone without MMS without you knowing - your picture will most likely be available on O2's website. Is this right? Should it be more secured? Or don't you care about who see's your 'private' conversations?
Parent
Re: (Score:3, Interesting)
what is wrong with you people? (Score:5, Insightful)
Worse still, the majority of the images taken on cameras turns out to be children. Ironically, O2 has a website dedicated to "Protect Our Children", well a good first step would be to avoid leaking customer photos.
What bullshit idea is it that pictures of children need to be removed from the world? If you look at the history of photography, pictures of children have always been an important part of street photography, portraits, and artistic photography. In the US and many other places, it's legal to take pictures of children, even without permission of their parents. There are many pictures of children on Flickr and elsewhere.
There is no evidence that pictures of children place them at risk. Can we please stop and reverse this meme that there is anything wrong with taking pictures of children?
I don't really give a damn about pictures of children per se, but demonizing legitimate and legal content is a serious threat to free speech and democracy.
Its not O2, its Google (Score:4, Interesting)
Ridiculous summary that does not seem to be based on the actual article. This sounds like an issue with Google, not with O2.
It seems that O2 posts the images with a pretty well randomized URL (16 hex digits is not too bad in most people's books). And the URLs are not linked to any publicly crawlable page on O2's web site. So how does Google reach them?
The reason (if anyone cares to FTA) that they can be googled is that according to "Ken Simpson, CEO of anti-spam company MailChannels, is that one's Google Toolbar may be configured to pass URLs that one visits to Google for indexing. "If you run Google Toolbar, it knows pages you visit," he said."
So if the article is correct, Google in its wisdom has decided to treat a URL sent to someone with the Google toolbar in a private email as a publicly reachable URL.
I find this whole story pretty non-sensicle though - presumable Google would not make "click here to reset your password" links publicly reachable?
If the article is correct then I'd be stripping off the Google toolbar as quick as I could.
Re:Its not O2, its Google (Score:4, Informative)
No robots.txt
http://mediamessaging.o2.co.uk/robots.txt [o2.co.uk]
Nothing is telling Google (or Yahoo, or ...) not to index a page somebody linked to on some other page.
Parent
Look out, it's a trap! (Score:4, Funny)
2. Watch people as they go through the photos
3. Arrest anyone who stumbles upon an underage photo (Someone please think of the children!)
4. ???
5. Profit! (Or at the very least, create a big carnival sideshow about capturing hordes of perverts in the act in order to distract attention from the massive privacy breach.)
Unfortunately no nude pics (Score:5, Funny)
I think O2 should have the decency to warn people about this but they haven't and I know that because I'm an O2 customer. Thankfully I only use my phone for calls so this doesn't affect me.
Re: (Score:3, Insightful)
This is a SERIOUS breach of privacy. This will hit mainstream media. The fact that I can hit a google link and listen to people voice attachments, look at their photos - that's too public of a mistake. I look forward to watching this unfold.
Umm... yesterday it hit the TV news that in the last 4 years the MoD has lost ~650 laptops - many containing classified information. It made the mainstream news, I'm sure people are moaning, and there'll probably be an "enquiry" which will take a few months and cost a few million eventually leading to nothing and, as always, nothing will change.
By comparison a few photos and sound-bites is nothing. This will probably be a 1/8th page article on page 32 and that'll be the end of that.
In the UK the prevalence