Security Hole in Morpheus
Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus users' hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..."
Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)
That page doesn't describe the hack -- You can only access files the user has chosen to make available with it.
rOD.
Rod Begbie done this, and he's not
This so-called hole only allows access to the folder of files the Morpheus user specifically designated for sharing.
If they're not sharing their "My Documents" folder, hackers can't download the files contained in that folder.
The same goes for a user's Quake 3 directory, Half-Life folder, SAM database, wifey porno pics, etc. If the folders containing these files are not shared through Morpheus, THIS HACK WILL NOT ALLOW ACCESS TO THESE FILES.
Try it on your own machine and you'll see what I mean.
"I think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index."
They did. It's called Morpheus. But it's not quite as crude.
Heh, this network is pretty open after all, now isn't it? Just connect to someone's address on port 1214 and you get a nice HTML table of all their shared* files. Proceed to download.
* Yes, it's just their SHARED FILES. As about 50,214,678.5 people have already said. All this thing is doing is dumping an index of their SHARED FILES over an HTTP connection on port 1214.
Liberty in your lifetime