UK Mobile Operator O2 Leaks MMS Photos 154
Anonymous Hero writes "UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface. The URLs published by the MMS-to-email application are not authenticated, so a simple Google search reveals hundreds, if not thousands of private photos."
Reader ttul points out similar coverage of this issue at InformationWeek.
All your creativity are belong to google.com (Score:5, Insightful)
Back in the good old days you would have used safe ftp.
ftp never hurt anyone.
I do harbour dreams of being a Tor node operator.
I hear a thundering herd of feet.... (Score:3, Insightful)
3.....
2.....
1.....
Ohhhh, settled out of court and everyone gets 1000 free picture and MMS messaging while we fix our system.
(Im calling 3 weeks to the system being fixed)
Comment removed (Score:5, Insightful)
Re:Problem solved! (Score:4, Insightful)
Are you really from the O2 Team? If so, I've got a few words for you...
Not as bad as it sounds (Score:5, Insightful)
Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.
And It would be quite easy to write a script to try various combinations of 16 hex digits to try and randomly view a photo but depending on how many photos are being hosted the hit rate could be quite low.? Yeah, seeing as there are about 10^19 combinations, the hit rate would be fairly low. Did the author seriously consider this to be flaw?
what is wrong with you people? (Score:5, Insightful)
Worse still, the majority of the images taken on cameras turns out to be children. Ironically, O2 has a website dedicated to "Protect Our Children", well a good first step would be to avoid leaking customer photos.
What bullshit idea is it that pictures of children need to be removed from the world? If you look at the history of photography, pictures of children have always been an important part of street photography, portraits, and artistic photography. In the US and many other places, it's legal to take pictures of children, even without permission of their parents. There are many pictures of children on Flickr and elsewhere.
There is no evidence that pictures of children place them at risk. Can we please stop and reverse this meme that there is anything wrong with taking pictures of children?
I don't really give a damn about pictures of children per se, but demonizing legitimate and legal content is a serious threat to free speech and democracy.
Re:All your creativity are belong to google.com (Score:1, Insightful)
Since MMS can be sent to email directly from most handsets, does this actually affect anyone?
Re:Not as bad as it sounds (Score:4, Insightful)
Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.
Their site is not suitabled secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.
From TFA, apparently these are also being picked up by Google's Toolbar.
Surely if you'd MMS'd a friend a picture message, and they'd changed to a phone without MMS without you knowing - your picture will most likely be available on O2's website. Is this right? Should it be more secured? Or don't you care about who see's your 'private' conversations?
Re:Watch for the fallout (Score:3, Insightful)
This is a SERIOUS breach of privacy. This will hit mainstream media. The fact that I can hit a google link and listen to people voice attachments, look at their photos - that's too public of a mistake. I look forward to watching this unfold.
Umm... yesterday it hit the TV news that in the last 4 years the MoD has lost ~650 laptops - many containing classified information. It made the mainstream news, I'm sure people are moaning, and there'll probably be an "enquiry" which will take a few months and cost a few million eventually leading to nothing and, as always, nothing will change.
By comparison a few photos and sound-bites is nothing. This will probably be a 1/8th page article on page 32 and that'll be the end of that.
In the UK the prevalence of data collection is so great and the ineptitude of governments and companies is so absolute that this stuff is just commonplace now. Even if this story gets picked up anywhere it'll be overshadowed within days by a bigger data breach fuck-up somewhere else.
Re:All your creativity are belong to google.com (Score:2, Insightful)
Aw, you gotta be kidding! You are not a sys admin, I suppose? ftp is a fucked up protocol (passive ftp? active ftp? gimme a break) that was a nightmare to manage, specially if you had firewalls.
Re:Its not O2, its Google (Score:3, Insightful)
You missed a key point in the TFA:
I looked at the URL in the e-mail and found the only requirement was a 16 digit hex number. [Update: A few readers pointed out that a 64-bit key results in a HUGE number of possibilities to guess 10^19. However, as I can obtain the keys via another security hole no guessing is required - I'm not going to release that information yet as I'd like O2 to fix this]. As these web pages were wide open to the internet, not requiring any authentication a very small handful were indexed by Google. I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:
In other words, the stuff that's on google is merely the tip of the iceberg. He can start randomly plucking valid hex codes out of thin air and start viewing random people's random MMS's. The google search is just a "proof of concept" if you will, of the larger flaw.
This could be, of course, untrue -- as we really only have his word to take for it that there is some "pattern" in picking valid hex codes.
Re:All your creativity are belong to google.com (Score:1, Insightful)
Except for the extremely insecure daemon software that has allowed thousands, if not many more, servers to be rooted. And then there are the completely insane default security settings of many FTP servers (IIS anyone?) of yore.
Also, FTP is difficult to firewall properly.
There have even been exploitable bugs in Linux FTP conntrack module.
Please, never ever associate FTP with good security. Use SFTP or HTTPS.
Re:Not as bad as it sounds (Score:2, Insightful)
Their site is not suitabled secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.
I'd like to clarify this a bit to avoid that people think of the 16-digit code itself as insecure.
Any site built with performance in mind has a similar setup: you authenticate yourself through the main site, but the content is on a delivery network. This network serves static files and by design doesn't handle the dynamics of authentication (cookies, HTTP auth).
The idea is that using hard-to-guess ID tokens gives enough privacy: even if you were to guess or systematically scan them, you would get random content at best - you wouldn't have any information about the uploader or the context.
Users with access to the content can of course republish it in ways that bypass the authentication, but that's true for all on-line content: once access has been granted to an authenticatied and authorised user, security becomes a matter of trust.
The use of such IDs is not 100% secure but it's a good trade-off because ordinarily you have to be authenticated before you learn a specific ID.
The real problem with the O2 site is the lack of authentication on the pages referencing the hard-to-guess IDs, not the use of IDs themselves.
(The robots.txt omission isn't the real problem either, of course.)