UK Mobile Operator O2 Leaks MMS Photos

Anonymous Hero writes "UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface. The URLs published by the MMS-to-email application are not authenticated, so a simple Google search reveals hundreds, if not thousands of private photos." Reader ttul points out similar coverage of this issue at InformationWeek.

Re:Not as bad as it sounds

[daviddcawley]

I'm the author of the post. It's true that there are 10^19 combinations if the 64-bit "keys" are secure and generated with a good PRNG. As I'm able to access the "keys" (without using any type of web based search) directly from O2 due to a security hole, it entirely circumvents the URL based authentication. I don't even need to guess any keys! I will update the blog next week with details of the full attack but I'd like to give O2 some time to fix this.

Its not O2, its Google

[plierhead]

Ridiculous summary that does not seem to be based on the actual article. This sounds like an issue with Google, not with O2.

It seems that O2 posts the images with a pretty well randomized URL (16 hex digits is not too bad in most people's books). And the URLs are not linked to any publicly crawlable page on O2's web site. So how does Google reach them?

The reason (if anyone cares to FTA) that they can be googled is that according to "Ken Simpson, CEO of anti-spam company MailChannels, is that one's Google Toolbar may be configured to pass URLs that one visits to Google for indexing. "If you run Google Toolbar, it knows pages you visit," he said."

So if the article is correct, Google in its wisdom has decided to treat a URL sent to someone with the Google toolbar in a private email as a publicly reachable URL.

I find this whole story pretty non-sensicle though - presumable Google would not make "click here to reset your password" links publicly reachable?

If the article is correct then I'd be stripping off the Google toolbar as quick as I could.

Re:Not as bad as it sounds

[srjh]

Surely if you'd MMS'd a friend a picture message, and they'd changed to a phone without MMS without you knowing - your picture will most likely be available on O2's website. Is this right? Should it be more secured? Or don't you care about who see's your 'private' conversations?

Yes, it probably should be more secure. Not allowing the pages to be indexed by Google would be a good start. But as it stands, unless there are further flaws I'm not aware of, you still need the 64 bit key to intercept the message. Unless the person I've sent a private message to makes that key public, the message should remain private.

On the other hand, I'm not under any delusions that privacy exists for SMS/MMS messages here in Australia, so I wouldn't send sensitive information through SMS/MMS in the first place. Not that it excuses any mistakes, I just have low expectations to begin with.