THOUGHT YOUR MMS pictures to your loved ones were safe? Think again.
O2's web application that allows you to view MMS messages on the Internet instead of on your non-MMS-capable or non-MMS-enabled phone (like the iPhone) requires no authentication to view them.
Whilst it's difficult for a simple user to guess the URL parameters needed, Google has no such difficulty scanning the site and indexing customers' MMS messages.
Security through obscurity is almost as insecure as no security at all.
You can view the search results here.
Informationweek first reported the story and has spoken to a security specialist who believes the URL information was possibly picked up by users running the Google toolbar.
The toolbar will store URLs that users visit and add them to the search engine's index.
However, INQ hack Tony Dennis has contacted some of the affected punters and has uncovered some alarming information.
One victim of the O2 security leak is a young mother called Sarah who lives with her family in Leicester.
The hacked MMS message contained a picture of her young daughter when she was two years old (she is now four). Sarah told the INQUIRER, "I am completely shocked and confused. I thought messaging was private. I don't think I'll be able to send another picture message again as I don't know where it will end up. I'm absolutely disgusted."
Sarah also revealed that she doesn't even own a PC herself and was terrified at the thought that the picture could end up on Facebook - something we're all fearful of.
The same security analyst has stated that he believes that someone at the company is aware of the problem and has been trying to cover it up - people have been posting information on the problem on the public O2 forums, and these posts have subsequently vanished.
Considering the core methodology behind the 'security' - basically a randomised 16-digit alphanumeric code - we believe it won't take very long until someone devises a method of enabling all stored MMSes to be viewed.
A brute-force attack utilising a random alpha-numeric generator which then confirms the resulting page is viewable (it otherwise errors), would allow an index of pictures to be created. No doubt that a 16-letter combination is a considerable effort, and we suspect O2's MMS servers will shortly go down under the load of enterprising hackers with little regard to efficiency.
We'd advise you start deleting your stored MMS messages now.
We've also noted that O2's web server is utilising Apache Tomcat - a Java Servlet container. Considering the levels of off-the-shelf security available for this application container, we're amazed that the development team has allowed this form of blatant intrusion.
We're also surprised that a robots.txt file hasn't been used to at least attempt a cover-up of the insecure methods put in place (though this may have been bypassed due to the Google toolbar theory).
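An added example, not code from the article or from O2, of what a Tomcat deployment could have put in front of the viewer: a servlet filter that requires a logged-in session, checks that the subscriber is actually a recipient of the requested message, and marks responses non-indexable so that a URL harvested by a toolbar is still not added to a search index. The filter mapping (/mms/*), the session attribute `msisdn`, the context attribute `mmsOwnership` and the request parameter `id` are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards the MMS viewer so the random token in the URL is never enough on its own.
 * Mapped in web.xml to the viewer's path (assumed /mms/*); the session attribute,
 * context attribute and request parameter names below are assumptions too.
 */
public class MmsViewerAuthFilter implements Filter {
    /** Contract the application registers at startup: is this subscriber a recipient of this message? */
    public interface MessageOwnershipCheck {
        boolean isRecipient(String subscriberMsisdn, String messageToken);
    }
    private MessageOwnershipCheck ownership;

    public void init(FilterConfig cfg) throws ServletException {
        ownership = (MessageOwnershipCheck) cfg.getServletContext().getAttribute("mmsOwnership");
        if (ownership == null) {
            throw new ServletException("mmsOwnership not registered; refusing to serve the viewer unguarded");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Even a URL harvested by a browser toolbar must not end up in a search index or a shared cache.
        response.setHeader("X-Robots-Tag", "noindex, nofollow, noarchive");
        response.setHeader("Cache-Control", "no-store, private");

        // 1. Authentication: require a logged-in session; a random token is not a login.
        HttpSession session = request.getSession(false);
        String subscriber = (session == null) ? null : (String) session.getAttribute("msisdn");
        if (subscriber == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // 2. Authorisation: the logged-in subscriber must be a recipient of this very message.
        //    Unknown and foreign tokens get the same 404, so the viewer is not an oracle for valid keys.
        String token = request.getParameter("id");
        if (token == null || !ownership.isRecipient(subscriber, token)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

A robots.txt entry for the viewer path is a cheap extra, but the response header above is what stops a crawler that arrives via a harvested URL without ever reading robots.txt.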
This hack has many years' experience in enterprise Java software development; O2, you're free to contact us if you need advice.
We suspect the phone numbers on view would have received a fair few text messages so far. µ
tort lawyers anyone?...
of 16 random alphanumeric characters of a web application will take much more than a lifetime to crack.
Seems a bit daft, fair enough people are peeved about the pics being shown without permission. But it is only a matter of time until 419ers or similar harvest the phone numbers shown and contact them with upgrade scams or similar. Plus with the fact it's all in the Google cache too, for once I'm glad I'm a Vodafone customer.
HAHAHA, Brits are 'shocked' someone can see their 128 pixel pictures of their baby smiling in the camera, but they are fine with zoom cameras on every corner and in every nook and cranny, and with the government storing the kid's DNA, and with them logging every site you visit and everyone you e-mail, and with putting people in jail for 6 weeks without trial because you can't find anything to stick to them no matter how deep you dig, but MMS pictures in the open.. now that's shocking.. Oh LORDY is that shocking.
Hi, this is the original story. This was discovered by Ken Simpson at MailChannels in Vancouver, BC.
http://blog.mailchannels.com/2008/07/o2-leaking-customer-photos.html

This should have been included in this article.
Won't somebody please think about the children?
There are only 40 MMSes on Google... all of those links have been posted on publicly accessible web sites, which is why Google got a hold of them.

Each MMS linked uses a 64-bit randomly generated key... now I don't know how many MMSes they keep at any one time, but I really doubt it is more than 1 million... so that makes the chance of 'guessing' an MMS key about 0.000000000005%.... and considering how (relatively) slow web requests (even when using multiple simultaneous requests) are... can you tell me how long it takes to guess 3 'right' keys?

Well... even without doing the math.. it's a very VERY long time... consider that the slowest brute force attack against a 64-bit key is at least 1000x faster.. it doesn't look good.

Now, I am not saying that leaving all MMSes unprotected is a good thing... but I think people should be given the option and choose for themselves.. either log in every time (and remember yet another user/pass) or just accept that 1 in 18,446,744,073,709,551,616 chance someone will guess YOUR latest MMS key :)
The URLs all 404 now. It's almost a shame.
Remember Linux code to Ban: Drashek? Here problem seems too ?many viewers, yet who really cares about people from other side of somewhere, they're lucky.... people won't restrict their photos. Here's Inquirer policy on submissions:

we aim to present our readers with information that may well be years in advance, with no compromise reporting, to publish editorial other sites just won't get, and with no holds barred.
Our readers are

Last word cut off is Nuts, of course. Yet these past three days show effect of Timely Editor, Michael Vaughn Magee, predictions, again, coming to fruition. Multi Core, MultiCore O/S & implied Rapid Transition from XP, cpgpu & gpcpu, jump to massive core.
One Problem, Where's Mike Magee? theINQ Made Mistake when let that Wizard go.

Only reason I ask is: How can I predict future without Karnack telling US Truth in Advance?

Well hope Sarah gets over Non Privacy issue, everything done on computing machine is viewed for content & its possible monetary ramifications for ISP, so it's assumable nothing is private, just scheme to make specific names w/ passwords culpable.
drashek half Dakotian Prophet.

Revealing to all a customer's photos and their mobile phone number, surely that's breaking a data protection law?

Are any of the data laws designed to protect customers, or are they only to protect the music business?
As the author of the "o2mms" web application, which acted as a proxy to the official O2 mms2legacy platform to present the messages in a more iPhone-friendly format, I'm somewhat shocked they hadn't implemented authentication on these pages.

My application did not rely on this vulnerability (it passed the authentication data along even though, clearly, it wasn't needed!) and ironically, although O2 users' images were also stored temporarily on my own servers, accessing them required authentication and these images could only be viewed by the intended recipient.

If I considered the potential risk in an application I built in a couple of days... how did a company the size of O2 not notice this!?!?
Why the **** do you keep posting his drivel?

SM writes: Because he makes us laugh, and he doesn't swear.