Comments
Re: drashek

Why the **** do you keep posting his drivel?

SM writes: Because he makes us laugh, and he doesn't swear.

posted by: TD, 21 July 2008
How did I think of this, and a company the size of O2 did not?

As the author of the "o2mms" web application, which acted as a proxy to the official O2 mms2legacy platform to present the messages in a more iPhone-friendly format, I'm somewhat shocked they hadn't implemented authentication on these pages.

My application did not rely on this vulnerability (it passed the authentication data along even though, clearly, it wasn't needed!) and, ironically, although O2 users' images were also stored temporarily on my own servers, accessing them required authentication and these images could only be viewed by the intended recipient.

If I considered the potential risk in an application I built in a couple of days... how did a company the size of O2 not notice this!?!?

posted by: Ross McKillop, 20 July 2008
Is the data protection law being broken here?

Revealing to all a customer's photos and their mobile phone number, surely that's breaking a data protection law?

Are any of the data laws designed to protect customers, or are they only to protect the music business?

posted by: interested_party, 20 July 2008
theINQ RULES.

Remember Linux code to Ban: Drashek? Here problem seems too ?many viewers, yet who really cares about people from other side of somewhere, they're lucky.... people won't restrict their photos. Here's inquirer policy on submissions:

we aim to present our readers with information that may well be years in advance, with no compromise reporting, to publish editorial other sites just won't get, and with no holds barred.
Our readers are

Last word cut off is Nuts, of course. Yet these past three days show effect of Timely Editor, Michael Vaughn Magee, predictions, again, coming to fruition. Multi Core, MultiCore O/s & implied Rapid Transition from XP, cpgpu & gpcpu, jump to massive core.
One Problem, Where's Mike Magee? theINQ Made Mistake when let that Wizard go.

Only reason I ask is: How can I predict future without Karnack telling US Truth in Advance?

Well hope sarah gets over Non Privacy issue, everything done on computing machine is viewed for content & its possible monetary ramifications for isp, so it's assumable nothing is private, just scheme to make specific names w/ passwords culpable.
drashek half Dakotian Prophet.

posted by: Mike, 20 July 2008
Didn't Take Long

The URLs all 404 now. It's almost a shame.

posted by: McInterwibbler, 19 July 2008
Not really...

There are only 40 MMSs on Google... all of those links have been posted on publicly accessible web sites, which is why Google got a hold of them.

Each MMS linked uses a 64-bit randomly generated key... now I don't know how many MMSs they keep at any one time, but I really doubt it is more than 1 million... so that makes the chance of 'guessing' an MMS key about 0.000000000005%... and considering how (relatively) slow web requests (even when using multiple simultaneous requests) are... can you tell me how long it takes to guess 3 'right' keys?

Well... even without doing the math... it's a very VERY long time... consider that the slowest brute-force attack against a 64-bit key is at least 1000x faster... it doesn't look good.

Now, I am not saying that leaving all MMSs unprotected is a good thing... but I think people should be given the option and choose for themselves... either log in every time (and remember yet another user/pass) or just accept the 1 in 18,446,744,073,709,551,616 chance someone will guess YOUR latest MMS key :)

posted by: Raven737, 19 July 2008
Emotional Appeal to Fear

Won't somebody please think about the children?

posted by: Frank, 19 July 2008
Link to the original article

Hi, this is the original story. This was discovered by Ken Simpson at MailChannels in Vancouver, BC.
http://blog.mailchannels.com/2008/07/o2-leaking-customer-photos.html

This should have been included in this article.

posted by: Phil Whelan, 19 July 2008
oops...

Seems a bit daft, fair enough people are peeved about the pics being shown without permission. But it is only a matter of time until 419ers or similar harvest the phone numbers shown and contact them with upgrade scams or similar. Plus with the fact it's all in the Google cache too, for once I'm glad I'm a Vodafone customer.

posted by: Mike, 19 July 2008
Reality check.

HAHAHA, Brits are 'shocked' someone can see their 128 pixel pictures of their baby smiling in the camera, but they are fine with zoom cameras on every corner and in every nook and cranny, and with the government storing the kid's DNA, and with them logging every site you visit and everyone you e-mail, and with putting people in jail for 6 weeks without trial because you can't find anything to stick to them no matter how deep you dig, but MMS pictures in the open... now that's shocking... Oh LORDY is that shocking.

posted by: W.-, 19 July 2008
ooops

tort lawyers anyone?...

posted by: jimmyd, 19 July 2008
To brute force a string

of 16 random alphanumeric characters of a web application will take much more than a lifetime to crack.

posted by: Jacob, 19 July 2008
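Raven737 and Jacob both argue, without carrying the arithmetic through, that a long random key in the URL makes guessing a live MMS impractical. The following is an added worked example, not code from the article or from O2: it computes the per-guess hit probability exactly from the figures in the thread (a 2^64 key space, about 1,000,000 live messages, 3 successful guesses), converts that into expected wall-clock time at a constructed request rate of 1000 requests per second (an assumption, not a figure from the page), contrasts it with a shorter 32-bit key so the effect of key length is visible, and measures the 16-character alphanumeric string Jacob mentions in bits.

```python
"""Added example: what a random URL key buys when it is the only protection.

The request rate, the 32-bit contrast case and the Julian-year constant are
constructed for illustration; the 2**64 space, the ~1,000,000 live messages
and the 3 hits come from the comment thread above.
"""
from fractions import Fraction
import math

SECONDS_PER_YEAR = 31_557_600  # Julian year; only used for the time estimate


def hit_probability(live_keys: int, key_bits: int = 64) -> Fraction:
    """Exact probability that one uniformly random guess matches a live key.

    Each live message occupies one point of a 2**key_bits space, so a single
    guess succeeds with probability live_keys / 2**key_bits.
    """
    if live_keys < 0 or live_keys > 2 ** key_bits:
        raise ValueError("live_keys must lie in [0, 2**key_bits]")
    return Fraction(live_keys, 2 ** key_bits)


def expected_guesses(live_keys: int, hits: int, key_bits: int = 64) -> Fraction:
    """Expected number of guesses needed to collect `hits` successes.

    Every guess is a Bernoulli trial with success probability p, so one
    success costs 1/p guesses on average and `hits` successes cost hits/p.
    Keys already found are not removed from the pool; that simplification
    is negligible while hits is tiny compared with live_keys.
    """
    p = hit_probability(live_keys, key_bits)
    if p == 0:
        raise ValueError("no live keys: a hit is impossible")
    return hits / p


def expected_years(live_keys: int, hits: int, requests_per_second: int,
                   key_bits: int = 64) -> float:
    """Expected wall-clock years to reach `hits` at a sustained request rate."""
    guesses = expected_guesses(live_keys, hits, key_bits)
    return float(guesses / requests_per_second) / SECONDS_PER_YEAR


def alphanumeric_key_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy, in bits, of a uniformly random string over an alphabet of the
    given size (62 = a-z, A-Z, 0-9). Lets Jacob's 16-character string be
    compared directly with Raven737's 64-bit key."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    p = hit_probability(10**6)
    print(f"per-guess hit chance with 1,000,000 live 64-bit keys: {float(p):.3e} "
          f"({float(p) * 100:.1e}%)")
    print(f"3 hits at 1000 req/s: about {expected_years(10**6, 3, 1000):,.0f} years")
    seconds_32 = expected_years(10**6, 3, 1000, key_bits=32) * SECONDS_PER_YEAR
    print(f"same attack against 32-bit keys: about {seconds_32:.0f} seconds")
    print(f"16 random alphanumeric characters: {alphanumeric_key_bits(16):.1f} bits")
```

Under these assumptions three hits against 64-bit keys take on the order of 1,700 years, while the same effort against 32-bit keys takes seconds, which is the whole of the key-length argument. The calculation also shows what it does not cover: the 40 links Raven737 counts on Google were not guessed, they were published, so an unguessable key only protects a URL for as long as nobody shares, logs or indexes it.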

O2 allows MMS pictures to be seen by all
