
MMS leak gets worse for O2

Schoolboy errors
Tuesday, 22 July 2008, 08:05

NOT CONTENT with uncovering the original Google index of O2 customer MMS messages, Mailchannels has now released further information that was withheld in the site's previous article.

If you missed the start of the story, you can read it here.

Apparently, not only had URLs to MMS messages bolted to the Google index, but O2 developers had also left the barn door wide open.

The legacy MMS service consisted of an Apache/Tomcat/JBoss installation using the mod_jk connector. In this setup the connector lets the Apache web server pass requests through to Tomcat (a Servlet/JSP container), which is coupled with a JBoss deployment.

Using the default, minimal-security installation allows the Tomcat/JBoss status pages to display a range of system information, the requests currently running on the connector, and much more.

Unfortunately for O2, the administrators of the application had left these pages unsecured, and allowed anyone to view the currently running HTTP requests.
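The article does not say how the O2 pages were configured; as an added illustration (not O2's configuration, and not taken from Mailchannels' write-up), the fragment below shows the kind of Apache 2.2-era mod_jk setup it describes, with the status worker exposed to the world beside the same worker restricted to the local machine. The file paths, the worker names (`ajp13`, `jkstatus`), the `/jkstatus` mount point and the Tomcat `RemoteAddrValve` snippet are all assumptions about a typical deployment, not details from the page.

```apache
# --- conf/workers.properties (assumed layout) ---
# The normal AJP worker that carries application traffic to Tomcat/JBoss.
worker.list=ajp13,jkstatus
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009

# The status worker: its page lists every worker, the active connections
# and the requests in flight. Useful to an administrator, dangerous to
# anyone else. read_only stops the page from accepting changes even if
# someone does reach it.
worker.jkstatus.type=status
worker.jkstatus.read_only=true

# --- conf/httpd.conf, weak version (what "left unsecured" looks like) ---
# Mounting the status worker with no access control means any client that
# can reach the web server can read the live request list.
JkWorkersFile conf/workers.properties
JkMount /app/* ajp13
JkMount /jkstatus jkstatus

# --- conf/httpd.conf, corrected version ---
# Same mounts, but the status path is only reachable from the host itself
# (or an admin network you name explicitly). Apache 2.2 Order/Deny/Allow
# syntax; on 2.4 the equivalent is "Require ip 127.0.0.1".
JkWorkersFile conf/workers.properties
JkMount /app/* ajp13
JkMount /jkstatus jkstatus
<Location /jkstatus>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# --- Tomcat side, context.xml of the manager/status application (assumed) ---
# Defence in depth: even if the connector mapping is wrong, Tomcat itself
# refuses status/manager requests that do not originate locally.
# <Context>
#   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
#          allow="127\.0\.0\.1" />
# </Context>
```

The point of keeping both versions side by side is that the difference is a handful of lines: the status worker is a legitimate operational tool, and the failure the article describes is not enabling it but exposing it without any address or authentication restriction. After applying the restriction, confirm it from an external address and expect a 403, and make the same check for any manager or console paths the container ships with.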

This gave viewers full details of currently active URLs - links that could be used to see O2 customer MMS, which included pictures, phone numbers and even videos.

Even the IP address of the client was viewable - which was probably the least of their worries.

It's thought that once O2 learnt of this additional information from Mailchannels, the servers were turned off, something the INQ didn't miss.

Once again, this hack, who has spent many years in the enterprise Java development industry using exactly this setup, offers his services to O2.

An attempt at security by obscurity is almost forgivable, but leaving your application containers wide open certainly isn't. µ
