Slashdot Mirror


UK Mobile Operator O2 Leaks MMS Photos

Anonymous Hero writes "UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface. The URLs published by the MMS-to-email application are not authenticated, so a simple Google search reveals hundreds, if not thousands of private photos." Reader ttul points out similar coverage of this issue at InformationWeek.

154 comments

  1. Tomorrow's news by Anonymous Coward · · Score: 5, Funny

    Under pressure from the NY attorney general, major telecoms have agreed to permanently stop offering MMS service.

    1. Re:Tomorrow's news by Anonymous Coward · · Score: 0

      Under pressure from the NY attorney general, major telecoms have agreed to permanently stop offering MMS service.

      I never realised the NY Attorney General had such power over British phone operators.

    2. Re:Tomorrow's news by duguk · · Score: 3, Informative

      Probably, O2 have already disabled access to email for non-contract users.

      I tried to post this on /. the other day but it hasn't been accepted; being as anyone on O2 is probably reading this article, I'll post it here. "It's been reported in a number of places that UK Mobile Phone company, O2 are blocking some internet ports for some customers.

      It appears that although Contract customers on the mobile network are fully able to access email and SSH via their mobile phone, customers subscribed through 'Pay as you Go' (PAYG; a non-subscription service, paid up in front as credit), are only given WAP access, which only provides very basic HTTP access.

      Essentially this means that anyone with a pay-in-front service agreement won't be able to access their email or use anything apart from basic HTTP, even though O2 are now selling and advertising the new Apple iPhone on PAYG and stating it will support "all the same features as contract customers".

      It's been reported that on contacting O2, they state it's a technical problem and one that can't be resolved, yet it's also been mentioned that their own O2 POP3 mail service does work, but access to any other service doesn't.

      Are O2 right to restrict access for customers not on a fixed contract? Does your mobile phone company do the same thing? And are O2 advertising unfairly?"


      More information here.

    3. Re:Tomorrow's news by William+Robinson · · Score: 5, Funny

      Imagine a judge being presented with his own private MMS as evidence.

      Reminds me of a joke:

      A small town prosecuting attorney called his first witness to the stand in a trial -- a grandmotherly, elderly woman. He approached her and asked, "Mrs. Jones, do you know me?"

      She responded, "Why, yes, I do know you Mr. Williams. I've known you since you were a young boy. And frankly, you've been a big disappointment to me. You lie, you cheat on your wife, you manipulate people and talk about them behind their backs. You think you're a rising big shot when you haven't the brains to realize you never will amount to anything more than a two-bit paper pusher. Yes, I know you."

      The lawyer was stunned. Not knowing what else to do he pointed across the room and asked, "Mrs. Williams, do you know the defense attorney?"

      She again replied, "Why, yes I do. I've known Mr. Bradley since he was a youngster, too. I used to baby-sit him for his parents. And he, too, has been a real disappointment to me. He's lazy, bigoted, he has a drinking problem. The man can't build a normal relationship with anyone and his law practice is one of the shoddiest in the entire state. Yes, I know him."

      At this point, the judge rapped the courtroom to silence and called both counselors to the bench. In a very quiet voice, he said with menace, "If either of you asks her if she knows me, you'll be in jail for contempt of court!"

    4. Re:Tomorrow's news by dotancohen · · Score: 1

      I never realised the NY Attorney General had such power over British phone operators.

      Only google has:
      http://www.google.com/search?hl=en&q=inurl:mms2legacy&start=20&sa=N&filter=0

      --
      It is dangerous to be right when the government is wrong.
    5. Re:Tomorrow's news by Ilgaz · · Score: 1

      I bet Apple apologisers will party like... "See, how future ready iPhone is?"

    6. Re:Tomorrow's news by RDW · · Score: 1

      'Essentially this means that anyone with a pay-in-front service agreement won't be able to access their email or use anything apart from basic HTTP, even though O2 are now selling and advertising the new Apple iPhone on PAYG and stating it will support "all the same features as contract customers"'

      They aren't selling a PAYG iPhone yet, and are now only saying it will be available 'in time for Christmas':

      http://www.reghardware.co.uk/2008/07/07/cw_payg_iphone_launch

    7. Re:Tomorrow's news by Tony+Hoyle · · Score: 1

      You can stick a PayG SIM in a 2G iPhone and it'll work fine.. it's one of the things O2 recommend you do with your old iPhone when you upgrade to the 3G.

      The story is *total* BS though. Email works just fine on the iPhone over PayG, as does everything else. They even allow you to get unlimited internet and wifi as a package for £10/mo if you want.

    8. Re:Tomorrow's news by MightyYar · · Score: 1

      I'm sorry?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    9. Re:Tomorrow's news by jez9999 · · Score: 1

      customers subscribed through 'Pay as you Go' (PAYG; a non-subscription service, paid up in front as credit), are only given WAP access, which only provides very basic HTTP access.

      WAP isn't HTTP at all, is it?

    10. Re:Tomorrow's news by Atti+K. · · Score: 2, Funny

      Under pressure from the NY attorney general, major telecoms have agreed to permanently stop offering MMS service.

      So what, anybody actually used MMS?

      --
      .sig: No such file or directory
    11. Re:Tomorrow's news by oyningen · · Score: 1

      It lacks such basic functionality as MMS. So this isn't an issue for iPhone users, since they can't send or receive MMS at all. Hence Ilgaz's jest :)

    12. Re:Tomorrow's news by MightyYar · · Score: 1

      My joke wasn't very funny I guess. He said "Apple apologisers" instead of apologists and so I thought I would apologize... :)

      It drives me crazy that I can MMS my mother's iPhone!

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    13. Re:Tomorrow's news by oyningen · · Score: 1

      Aah, English isn't my native language, so I failed to catch the nuances :)

    14. Re:Tomorrow's news by old+and+new+again · · Score: 0

      google search still works and find ugly pictures of dirty babies and stuff, no couples fucking or girl showing off, boring

    15. Re:Tomorrow's news by mini+me · · Score: 1

      Yes, WAP is delivered over HTTP. WAP, however, isn't HTML.

    16. Re:Tomorrow's news by riceboy50 · · Score: 1

      It's not much more handy than emailing photos nowadays with the advent of more email-friendly phones—but a couple years ago sure.

      --
      ~ I am logged on, therefore I am.
    17. Re:Tomorrow's news by duguk · · Score: 1

      How can you tell if it isn't out yet?

      If you read the article, it's not about the iPhone at all - but Pay As You Go customers cannot use eMail on a normal handset. We were told by O2 that the iPhone would have the same problem on PAYG.

      If it works, fine, but why are O2 saying it's a 'technical limitation' that email cannot be used on a Pay-As-You-Go phone, when it can on an iPhone?

      I'd recommend you go and try this with a private mail server and your own phone (non-iPhone), then come back and tell me if the story is BS. If you can get it to work, then I owe you one - if you can't, you're just BSing yourself, sir.

    18. Re:Tomorrow's news by Anonymous Coward · · Score: 0

      Hah, the last page is the cookie, finally there's somebody topless!

    19. Re:Tomorrow's news by caluml · · Score: 1

      -1, Retarded unfunny Luddite.

  2. All your creativity are belong to google.com by AHuxley · · Score: 5, Insightful

    I blame web 2.0 and young people.
    Back in the good old days you would have used safe ftp.
    ftp never hurt anyone.
    I do harbour dreams of being a Tor node operator.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:All your creativity are belong to google.com by Anonymous Coward · · Score: 1, Insightful

      Since MMS can be sent to email directly from most handsets, does this actually affect anyone?

    2. Re:All your creativity are belong to google.com by duguk · · Score: 2, Informative

      MMS can't be sent directly to email on O2, and as far as I know, not at ALL in the UK.

      Even so, eMail doesn't work on Pay as you Go on O2.

      So yeah, it does affect customers. When anyone sends an MMS to a non-MMS-capable phone (presumably if the phone can't do MMS, it probably can't do eMail either), the MMS is posted to O2's website, and that's where the problem starts.

      Did you bother to read the article?

    3. Re:All your creativity are belong to google.com by Anonymous Coward · · Score: 2, Insightful

      Aw, you gotta be kidding! You are not a sys admin, I suppose? ftp is a fucked up protocol (passive ftp? active ftp? gimme a break) that was a nightmare to manage, specially if you had firewalls.

    4. Re:All your creativity are belong to google.com by Anonymous Coward · · Score: 1, Insightful

      Except for the extremely insecure daemon software that has allowed thousands, if not many more, servers to be rooted. And then there are the completely insane default security settings of many FTP servers (IIS anyone?) of yore.

      Also, FTP is difficult to firewall properly.

      There have even been exploitable bugs in Linux FTP conntrack module.

      Please, never ever associate FTP with good security. Use SFTP or HTTPS.

    5. Re:All your creativity are belong to google.com by Tony+Hoyle · · Score: 2, Informative

      Even so, eMail doesn't work on Pay as you Go on O2.

      Total BS. That site is making shit up to get advertising hits. It's not even believable shit this time around, as anyone with an iphone on PayG will tell you.

    6. Re:All your creativity are belong to google.com by Anonymous Coward · · Score: 1, Informative

      UK citizen here. My old Virgin Mobile T610 and my current T-Mobile W810 can both send MMS to an email address. O2 however, as you correctly state, disable this feature on at least some of their handsets.

    7. Re:All your creativity are belong to google.com by techtoad · · Score: 1

      Sorry, sir, you may be right for the iPhone, but have you actually tried this with a supported phone on O2 PAYG? It doesn't work and O2 confirms that it doesn't.

      --
      Kirk Saywell - Techtoad.co.uk
    8. Re:All your creativity are belong to google.com by Tony+Hoyle · · Score: 1

      The article states that it doesn't work for the *iphone* on PayG. O2 have never sold full internet access over PayG for other phones and have never claimed to - only web access.

      This article is totally and utterly false, and is *provably* false simply by registering a PayG SIM in an iPhone.

    9. Re:All your creativity are belong to google.com by vmlemon · · Score: 1

      A few days ago, I managed to send an MMS message to an e-mail address without any issues with Orange's UK prepaid services. Although you can't actually do the reverse (i.e. send an e-mail in reply to the "morphed" MMS message).

    10. Re:All your creativity are belong to google.com by eneville · · Score: 1

      > Aw, you gotta be kidding! You are not a sys admin,
      > I suppose? ftp is a fucked up protocol (passive
      > ftp? active ftp? gimme a break) that was a
      > nightmare to manage, specially if you had
      > firewalls.

      It's only a problem if you don't know how to configure it. Really active FTP was the only problem if you had a NAT network, otherwise there's no problems.

    11. Re:All your creativity are belong to google.com by Hadryon · · Score: 1

      Here's the problem....ANYONE who checks this out will get the same results. You see, Google cached the pages, even after O2 cut the server. As a result, I have a series of phone numbers attached to pictures of various kids, one couple who apparently is biking all the way around Great Britain, and some nice lady who sent someone else a picture of herself. I stopped at that point. Before you call someone a liar, check their evidence.

      --
      "*giggle* Good news... I figured out what the thing you just incinerated did..."
    12. Re:All your creativity are belong to google.com by duguk · · Score: 1

      Once again, the article doesn't mention that we tested with an iPhone, just a Windows Mobile device. We were told by O2 that the iPhone would be exactly the same.

      And yes, they have claimed web and email access for PAYG, non-iPhone users. Read the article.

    13. Re:All your creativity are belong to google.com by XCondE · · Score: 1

      Are you joking?

      FTP is a pain to manage on your firewalls because it uses different ports for control and data packets. It isn't any faster than http or netcat. And it uses plain-text authentication.

      You do mention "safe ftp" and if by that you meant secure-ftp or sftp, then you have a point.

      Even then, if you're only sending content one-way (download only instead of upload), stick to http/https and be done with it. Forget FTP. Really.

  3. eh? by Anonymous Coward · · Score: 4, Funny

    hundreds or thousands..... or maybe 40? someone can't count very high before jumping to 1000!

    1. Re:eh? by dominious · · Score: 1

      I think O2 is now aware of the leakage and are removing the media. I've searched Google 5 minutes ago and got about 40 but now I get only 2 results. Also the server seems to be down.

    2. Re:eh? by dominious · · Score: 1

      they give about a month before the media expires, this is from one of the pictures:

      Date: 19/06/2008 18:53
      Expires: 19/07/2008 18:53

    3. Re:eh? by duguk · · Score: 4, Informative

      I think you'll find that there's still the same number as yesterday - I'm the DugUK as mentioned in the InformationWeek article.

      I posted the comment in the O2 Forums, and they not only deleted my comments, they disabled my account too! I'm glad people are finally beginning to realise this is a problem and can't just be hidden up.

      For my next trick, I'd like everyone to also know that EMAIL DOES NOT WORK ON PAY AS YOU GO on O2! They've blocked port access.

      Thanks!

    4. Re:eh? by Slorv · · Score: 1

      It works fine over here. 47 results. You get images and at least one wav-file.
      I must try sending an image thru my phone service (Telia) to my non-MMS phone and see what those URLs look like.
      Chances are that the MMS downloading service is bought in from some company that has their system set up more or less identically for anyone using it.

      --
      Bikers.....The only people that understand why a dog hangs his head out a car window.
    5. Re:eh? by amRadioHed · · Score: 2, Informative

      I still get 40 results. And google isn't real time, if the pictures were taken down from the servers that wouldn't change the search results right away.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    6. Re:eh? by Tony+Hoyle · · Score: 1

      For my next trick, I'd like everyone to also know that EMAIL DOES NOT WORK ON PAY AS YOU GO on O2! They've blocked port access.

      So it's you making this BS up? You've already been called on it on the O2 forums and it's not surprising they deleted your account.

      Email works *perfectly* on pay as you go. As you damned well know. Troll.

    7. Re:eh? by Goaway · · Score: 1

      Google can't index them if it can't see links to them. So there are probably just the tiny subset of images that ended up linked from publicly-accessible web pages that Google crawled.

      Quite a storm in a teacup.

    8. Re:eh? by Mozk · · Score: 1

      Those are only the ones that Google knows of (as in, the ones that are linked to somewhere on the Internet). As the article mentions:

      The code that protects them is a 16-digit hexadecimal number and many people are capable of writing a script to try every code combination.

      Which could be said of any system that uses hashes in URLs for anything. Of course, I'm not sure how long it would take accessing thousands of sequentially increased URLs in a short period of time before your IP were blocked...

      --
      No existe.
    9. Re:eh? by efalk · · Score: 1

      I got similar results when I tried it. Less than fifty hits, mostly of the same family. I find it very easy to believe that someone just posted links to photos in their blog or something, which Google would have picked up. No evidence here that Google is crawling the O2 site or that O2 is leaking photos; just that people are deep-linking to it. What else have you got?

    10. Re:eh? by Dan541 · · Score: 1

      Because Hundreds of Thousands is more impressive than 40.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    11. Re:eh? by duguk · · Score: 1

      It doesn't work on a non-iPhone on Pay As You Go. I have a recording of O2's Customer Service stating it won't work because of the APN it uses.

      The article only mentions the iPhone because that's what O2 told us - it'll have the same problems as any other non-contract users.

      If you can show me how to get email working on Pay As You Go, (and not on the iPhone) then I'd very much appreciate it.

  4. Disappointing by LighterShadeOfBlack · · Score: 5, Funny

    Arr, not a looker in the bunch!

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
    1. Re:Disappointing by GradiusCVK · · Score: 5, Insightful

      Funny it includes the sender's phone number... oughta MMS everyone back and tell them to start taking some photos of hot chicks.
      Presents an interesting new way for us Slashdotters to meet girls...

    2. Re:Disappointing by KGIII · · Score: 1

      I think we melted the poor O2 servers. I'm now getting 503 errors.

      --
      "So long and thanks for all the fish."
    3. Re:Disappointing by mrbluze · · Score: 1

      Arr, not a looker in the bunch!

      Yeah, mostly pictures of bare-chested blokes. Meh! But OTOH I think there are many geeks out there who might find this strangely alluring.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    4. Re:Disappointing by Anonymous Coward · · Score: 0

      Those with iPhones?

    5. Re:Disappointing by KGIII · · Score: 1

      I am guessing you were joking but, if you aren't, that'd be a wee bit creepy.

      --
      "So long and thanks for all the fish."
    6. Re:Disappointing by risinganger · · Score: 1

      I think though it'd be a great way to hammer home the point to non-tech O2 customers though. Imagine the outrage of all those customers after they've received hundreds of sms or mms messages from people they've never heard of :-p

    7. Re:Disappointing by KGIII · · Score: 1

      Ah the memories. You reminded me of the days of yore when malware was authored with much that same intent in mind. Touché.

      --
      "So long and thanks for all the fish."
    8. Re:Disappointing by nog_lorp · · Score: 1

      Watch out, they are making laws against this "cyber-stalking" stuff. Crazy times we live in!

    9. Re:Disappointing by Joebert · · Score: 1

      Look on the bright side, you got there before the goat.cx guy found out about it.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  5. no problem by Anonymous Coward · · Score: 3, Funny

    Right now the web is being slashdotted, your pictures will be safe

    1. Re:no problem by Anonymous Coward · · Score: 0

      Right now the web is being slashdotted, your pictures will be safe

      No they are not. Google still has them in cache

  6. I hear a thundering herd of feet.... by tecker · · Score: 2, Insightful

    Cue lawsuit over this in

    3.....

    2.....

    1.....

    Ohhhh, settled out of court and everyone gets 1000 free picture and MMS messaging while we fix our system.



    (I'm calling 3 weeks to the system being fixed)

    --
    Procrastinating life a way at a rapid rate of speed.
    1. Re:I hear a thundering herd of feet.... by tecker · · Score: 1

      Oh come on. I get that all made then realize that it's not 1000s, it's 42 links. So much for the lawsuit. (Someone might try though)

      --
      Procrastinating life a way at a rapid rate of speed.
    2. Re:I hear a thundering herd of feet.... by GradiusCVK · · Score: 1

      settled out of court and everyone gets 1000 free picture and MMS messaging while we fix our system.

      And $100 million in attorney's fees for those representing the class action suit.

    3. Re:I hear a thundering herd of feet.... by Anonymous Coward · · Score: 1

      Except for the clause in the user contract preventing class action lawsuits, and requiring binding arbitration.

      Or do they do things differently in the UK than they do in America?

    4. Re:I hear a thundering herd of feet.... by Nossie · · Score: 1

      IANAL but, in the UK they can't write you out of something you are legally entitled to....

      question is, are we legally entitled to a class action? hmmmm

    5. Re:I hear a thundering herd of feet.... by Tony+Hoyle · · Score: 1

      The information commissioner has the power to levy punitive fines for something like this. As does ofcom, in fact. No need for a lawsuit.

      Of course they'll probably only act if this hits the newspapers.. such is the way politics works, sigh.

  7. Hmmmmm by bherman · · Score: 1

    And here we were all along bashing the iPhone for not including MMS.

    I guess maybe they were right :)

    --
    Error: Sig not found.
    1. Re:Hmmmmm by duguk · · Score: 0, Troll

      Don't worry - the iPhone won't even support eMail in the UK on O2 PAYG.

    2. Re:Hmmmmm by Anonymous Coward · · Score: 0

      Don't worry - the iPhone won't even support eMail in the UK on O2 PAYG.

      That's complete crap. He's using the wrong GPRS bundle. o2's £7.50 hasn't worked in years, but using the new iPhone specific bundle works fine!

      http://customerforum.o2.co.uk/viewtopic.php?t=3527

      I can confirm SSL Imap to gmail works, along with HTTPS. Blowing that article to bits.

    3. Re:Hmmmmm by duguk · · Score: 1

      It doesn't work on non-iPhone phones, I can't confirm or deny that it works on iPhones - but isn't it a bit unfair to treat customers differently based on their handset?

      Also, have you tried this with non-O2 mail servers? With IMAP? I'd love to know how you can get this to work on 'normal' handsets, because O2 say it's a 'technical limitation'.

    4. Re:Hmmmmm by duguk · · Score: 1

      Wait? Did you say GMAIL? Yeah, O2 confirms that works, but OTHER MAIL SERVERS ARE BLOCKED!

    5. Re:Hmmmmm by Anonymous Coward · · Score: 0

      iPhone doesn't do MMS either, amazingly.

    6. Re:Hmmmmm by Tony+Hoyle · · Score: 1

      Shut up with the BS.

      Even my own home email server works.

    7. Re:Hmmmmm by Tony+Hoyle · · Score: 1

      When you register as an iphone user on your payg sim they unblock everything, as well as activating edge. It's also a good idea to get the £10/mo unlimited data/wifi package. This puts you on the same level as a contract iphone customer.

    8. Re:Hmmmmm by Anonymous Coward · · Score: 0

      Is this on PAYG on a non-iPhone?

      O2 says it doesn't work so if you've got it to work, me and a LOT of other people would love to know how!

    9. Re:Hmmmmm by duguk · · Score: 1

      The article doesn't mention iPhones. That's just what O2 said; it'll have the same problem with email on PAYG. It still doesn't work on non-iPhones like I said.

      I've updated the article as you've been so vocal on this matter.

    10. Re:Hmmmmm by duguk · · Score: 1

      It doesn't work on non-iPhone phones,

      So if I don't have an iPhone I can't have my email?

      Seems that's what I've been saying all along, Tony!

  8. Well that's just great by Don_dumb · · Score: 1

    Yesterday I changed to O2. I could have just as easily changed to a different network.

    Oh well, it could be worse - I could have stayed with Virgin.

    --
    If this were really happening, what would you think?
  9. Of course that is not all. by lantastik · · Score: 5, Informative

    Google can dig up all kinds of wonderful information.

  10. What if I take a picture of copyrighted material.. by Anonymous Coward · · Score: 1, Funny

    And mail it to my other phone?

    Will O2 'make it available' ?

  11. Problem solved! by Joce640k · · Score: 5, Funny

    Heartfelt thanks to all the people of slashdot for mounting a DDOS attack on our servers.

    The O2 team.

    --
    No sig today...
    1. Re:Problem solved! by duguk · · Score: 3, Insightful

      At least it might get O2's attention! All the action they've taken so far is deleting forum posts from their own forums and ignoring any email or telephone complaints.

      Are you really from the O2 Team? If so, I've got a few words for you...

    2. Re:Problem solved! by caluml · · Score: 1

      Including your sig, for those with it turned off:

      Are you really from the O2 Team? If so, I've got a few words for you...
      --
      I am the Monkeyboi! - Colchester Webdesign

      I wonder what they'll make of them?

  12. Re:What if I take a picture of copyrighted materia by Anonymous Coward · · Score: 0

    Yes, but only if you message it to a non-mms enabled phone. rtfa you twonk!

  13. Not as bad as it sounds by srjh · · Score: 5, Insightful

    Try searching for each of those 16-character IDs, and you'll see that each has already been posted publicly, and most seem to be from just the one user. Which makes sense, if Google managed to index them in the first place.

    Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.

    And it would be quite easy to write a script to try various combinations of 16 hex digits to try and randomly view a photo but depending on how many photos are being hosted the hit rate could be quite low.

    Yeah, seeing as there are about 10^19 combinations, the hit rate would be fairly low. Did the author seriously consider this to be a flaw?

    1. Re:Not as bad as it sounds by duguk · · Score: 3, Insightful

      Sure, 02 should have taken steps to avoid being indexed, but they aren't responsible for leaking the photos.

      Their site is not suitably secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.

      From TFA, apparently these are also being picked up by Google's Toolbar.

      Surely if you'd MMS'd a friend a picture message, and they'd changed to a phone without MMS without you knowing - your picture will most likely be available on O2's website. Is this right? Should it be more secured? Or don't you care about who sees your 'private' conversations?

    2. Re:Not as bad as it sounds by daviddcawley · · Score: 3, Interesting

      I'm the author of the post. It's true that there are 10^19 combinations if the 64-bit "keys" are secure and generated with a good PRNG. As I'm able to access the "keys" (without using any type of web based search) directly from O2 due to a security hole, it entirely circumvents the URL based authentication. I don't even need to guess any keys! I will update the blog next week with details of the full attack but I'd like to give O2 some time to fix this.

    3. Re:Not as bad as it sounds by srjh · · Score: 2, Interesting

      Surely if you'd MMS'd a friend a picture message, and they'd changed to a phone without MMS without you knowing - your picture will most likely be available on O2's website. Is this right? Should it be more secured? Or don't you care about who sees your 'private' conversations?

      Yes, it probably should be more secure. Not allowing the pages to be indexed by Google would be a good start. But as it stands, unless there are further flaws I'm not aware of, you still need the 64 bit key to intercept the message. Unless the person I've sent a private message to makes that key public, the message should remain private.

      On the other hand, I'm not under any delusions that privacy exists for SMS/MMS messages here in Australia, so I wouldn't send sensitive information through SMS/MMS in the first place. Not that it excuses any mistakes, I just have low expectations to begin with.

    4. Re:Not as bad as it sounds by Anonymous Coward · · Score: 0

      Seriously? How many digits would you expect to be in a phone number + PIN?

      Hey, did you know that you can log in to almost any site as any user simply by entering a bunch of letters and numbers into the login form?

    5. Re:Not as bad as it sounds by Gandalf · · Score: 2, Insightful

      Their site is not suitably secured, usually it would require a mobile number and pin code but this 16-digit code circumnavigates this requirement.

      I'd like to clarify this a bit to avoid that people think of the 16-digit code itself as insecure.

      Any site built with performance in mind has a similar setup: you authenticate yourself through the main site, but the content is on a delivery network. This network serves static files and by design doesn't handle the dynamics of authentication (cookies, HTTP auth).

      The idea is that using hard-to-guess ID tokens gives enough privacy: even if you were to guess or systematically scan them, you would get random content at best - you wouldn't have any information about the uploader or the context.

      Users with access to the content can of course republish it in ways that bypass the authentication, but that's true for all on-line content: once access has been granted to an authenticated and authorised user, security becomes a matter of trust.

      The use of such IDs is not 100% secure but it's a good trade-off because ordinarily you have to be authenticated before you learn a specific ID.

      The real problem with the O2 site is the lack of authentication on the pages referencing the hard-to-guess IDs, not the use of IDs themselves.

      (The robots.txt omission isn't the real problem either, of course.)
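
Working through the numbers in srjh's and Mozk's comments (16 hex digits, about 10^19 combinations, "hit rate could be quite low") and the index-page / delivery-path split Gandalf describes, as an added Python example; this is not O2's code, and the function names, the toy `MediaStore`, the `+44700000000` subscriber and the sample figures (one million live photos, 1000 requests per second) are constructed for illustration.

```python
"""Capability-URL ("hard-to-guess ID") analysis for the MMS-to-web design
discussed in this thread.

Added example, not O2 code. The token format (16 hex digits = 64 bits), the
~10^19 keyspace and the split between an authenticated index page and an
unauthenticated delivery path come from the thread; the function names, the
toy MediaStore and all sample numbers are constructed here.
"""
import secrets

TOKEN_HEX_DIGITS = 16                  # "16-digit hexadecimal number" per the thread
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace_size(hex_digits=TOKEN_HEX_DIGITS):
    """Number of distinct tokens: 16^16 = 2^64, about 1.8e19 (srjh's 10^19)."""
    return 16 ** hex_digits


def hit_probability(live_objects, hex_digits=TOKEN_HEX_DIGITS):
    """Chance that one uniformly random guess lands on a live object."""
    return live_objects / keyspace_size(hex_digits)


def expected_guesses_to_first_hit(live_objects, hex_digits=TOKEN_HEX_DIGITS):
    """Geometric distribution: mean number of guesses until the first hit."""
    return keyspace_size(hex_digits) / live_objects


def years_to_first_hit(live_objects, guesses_per_second, hex_digits=TOKEN_HEX_DIGITS):
    """Expected wait for an unthrottled scanner at the given rate.

    This is the figure a defender compares against the media lifetime (one
    month in the thread) and against the rate limit actually enforced; it
    only holds if tokens are uniformly random, see new_token().
    """
    guesses = expected_guesses_to_first_hit(live_objects, hex_digits)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def new_token():
    """Unpredictable token from the OS CSPRNG: 8 random bytes -> 16 hex digits.

    A counter or timestamp formatted as 16 hex digits has the same shape but
    almost none of the entropy, so the keyspace maths above would not apply.
    """
    return secrets.token_hex(TOKEN_HEX_DIGITS // 2)


class MediaStore:
    """Toy model of the split Gandalf describes.

    fetch_by_token() is the delivery path: it knows nothing about sessions and
    serves whatever the token names (the capability). tokens_for() is the index
    page listing a subscriber's tokens; that page is where authentication must
    happen, because anyone who can read it learns every capability it
    references, which is the failure the thread attributes to the O2 pages.
    """

    def __init__(self):
        self._by_token = {}   # token -> (owner, payload)
        self._by_owner = {}   # owner -> [token, ...]

    def store(self, owner, payload):
        token = new_token()
        while token in self._by_token:   # astronomically unlikely, but cheap to handle
            token = new_token()
        self._by_token[token] = (owner, payload)
        self._by_owner.setdefault(owner, []).append(token)
        return token

    def fetch_by_token(self, token):
        """Unauthenticated delivery: the token alone is the credential."""
        entry = self._by_token.get(token)
        return None if entry is None else entry[1]

    def tokens_for(self, owner, session_owner):
        """Authenticated index: only the logged-in owner may enumerate tokens."""
        if session_owner is None or session_owner != owner:
            raise PermissionError("index page requires the owner's session")
        return list(self._by_owner.get(owner, []))


if __name__ == "__main__":
    # Constructed sample figures: one million live photos, a scanner making
    # 1000 requests per second with no rate limiting in its way.
    print(f"keyspace: {keyspace_size():.3e}")
    print(f"P(hit per guess) with 1e6 live photos: {hit_probability(1_000_000):.3e}")
    print(f"years to first hit at 1000 req/s: {years_to_first_hit(1_000_000, 1000):.0f}")

    store = MediaStore()
    tok = store.store("+44700000000", b"<jpeg bytes>")   # constructed subscriber
    assert store.fetch_by_token(tok) == b"<jpeg bytes>"
    assert store.fetch_by_token("0" * 16) is None
    try:
        store.tokens_for("+44700000000", session_owner=None)
    except PermissionError as exc:
        print("index without auth ->", exc)
```

With the sample figures the expected time to a first random hit is several centuries, which is why the token length itself is not the weak point; the unauthenticated page that lists the tokens is.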

  14. what is wrong with you people? by speedtux · · Score: 5, Insightful

    Worse still, the majority of the images taken on cameras turns out to be children. Ironically, O2 has a website dedicated to "Protect Our Children", well a good first step would be to avoid leaking customer photos.

    What bullshit idea is it that pictures of children need to be removed from the world? If you look at the history of photography, pictures of children have always been an important part of street photography, portraits, and artistic photography. In the US and many other places, it's legal to take pictures of children, even without permission of their parents. There are many pictures of children on Flickr and elsewhere.

    There is no evidence that pictures of children place them at risk. Can we please stop and reverse this meme that there is anything wrong with taking pictures of children?

    I don't really give a damn about pictures of children per se, but demonizing legitimate and legal content is a serious threat to free speech and democracy.

    1. Re:what is wrong with you people? by duguk · · Score: 1

      So if you'd sent a picture message to a friend and it appeared in Google's listings, with your phone number and the text you wrote - you wouldn't care?

      This isn't about the children, it's about a mobile phone operator having an insecure website.

    2. Re:what is wrong with you people? by Tony+Hoyle · · Score: 1

      It'd be your fault for posting the URL on a public forum.

      Google can *only* index what it sees. Every single one of those images has been posted somewhere that Google can index them, i.e. publicly - that's the only way they can be in the search results.

    3. Re:what is wrong with you people? by giorgiofr · · Score: 1

      It's not the only way (think referrer) and anyway it's very shoddy security... Once you decide that users need to authenticate to access some content, you lock ALL such content and not just the gateway to it behind your auth system. Arcane URLs are not sufficient unless you want extremely low security.

      --
      Global warming is a cube.
    4. Re:what is wrong with you people? by jez9999 · · Score: 1

      A picture of a child could cause certain men to be reminded of children when they'd forgotten before, and tempted into molesting them. Eliminating pictures of children is therefore a commendable activity.

      *ducks* :-)

    5. Re:what is wrong with you people? by speedtux · · Score: 1

      This isn't about the children

      The part I responded to is very much about children.

      its about a mobile phone operator having an insecure website.

      That's bullshit, too, but that's a separate issue.

    6. Re:what is wrong with you people? by speedtux · · Score: 1

      Once you decide that users need to authenticate to access some content

      And who is supposed to authenticate? Do you even understand what this service does?

  15. Can't be true by agro1986 · · Score: 1

    This is too stupid to be true. It sounds too much like crapping up.

  16. in other news... by Anonymous Coward · · Score: 0

    ...they use...

    Apache/2.0.52 (Unix) DAV/2 mod_ssl/2.0.52 OpenSSL/0.9.7e mod_jk/1.2.21 Server at mediamessaging.o2.co.uk Port 80

    ...which is supposedly a 'vulnerable' version of OpenSSL

  17. the way it works by Anonymous Coward · · Score: 0

    Actually, in Italy you have been able to send MMS via e-mail for a long, long time. The MMS is just converted server-side. If the recipient doesn't have an MMS-enabled phone, he will receive a code to put in a form accessible only to REGISTERED USERS on the operator's website. I don't see any reason for bashing web 2.0 and things like that. I only see bad coders.

  18. slashdoted by Anonymous Coward · · Score: 0

    wow, seems their servers can't cope with it ;P

  19. insider perspective by justleavealonemmmkay · · Score: 1

    UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface

    Opcos force you to these horrid web interfaces because they want to avoid becoming mere bitpipes and want to keep control over what you can / cannot send by email over your connection. Too bad for your MMS to blog dreams, which would be so easily realizable with REAL MMS-to-Email.

    1. Re:insider perspective by Gandalf · · Score: 1

      Try a more direct approach: e-mail to blog. MMS is expensive; if you're going to post anywhere near twenty pictures a month from your phone you'll probably be better off with a plan that allows regular e-mail - for this task alone.

      The devices are available and affordable, the service plans are available and affordable and plenty of affordable software is available.

      There is even software (Shozu, Nokia Share Online) to allow all this directly over HTTP, removing even another step. On top of that, on smartphones these services even integrate into the phone interfaces to allow one-click uploads directly after taking the picture.

      (I ended up writing my own e-mail solution because I don't want to depend on a third-party hosting site and hook it into my own software. But it's really not that difficult to check an IMAP box for e-mail, fetch picture attachments and store them in a CMS.)

  20. Its not O2, its Google by plierhead · · Score: 3, Interesting

    Ridiculous summary that does not seem to be based on the actual article. This sounds like an issue with Google, not with O2.

    It seems that O2 posts the images with a pretty well randomized URL (16 hex digits is not too bad in most people's books). And the URLs are not linked to any publicly crawlable page on O2's web site. So how does Google reach them?

    The reason (if anyone cares to FTA) that they can be googled is, according to Ken Simpson, CEO of anti-spam company MailChannels, that one's Google Toolbar may be configured to pass URLs that one visits to Google for indexing. "If you run Google Toolbar, it knows pages you visit," he said.

    So if the article is correct, Google in its wisdom has decided to treat a URL sent to someone with the Google toolbar in a private email as a publicly reachable URL.

    I find this whole story pretty nonsensical though - presumably Google would not make "click here to reset your password" links publicly reachable?

    If the article is correct then I'd be stripping off the Google toolbar as quick as I could.

    --

    [x] auto-moderate all posts by this user as insightful

    1. Re:Its not O2, its Google by james+b · · Score: 1

      It's a bit out of date, but this Matt Cutts blog entry claims that the toolbar doesn't feed URLs into the web search index.

    2. Re:Its not O2, its Google by Anonymous Coward · · Score: 0

      If the article is correct then I'd be stripping off the Google toolbar as quick as I could.

      It's not correct, though. As has been pointed out there are less than 50 of the images indexed in Google, and they appear to have been posted publicly elsewhere.

      There's no evidence that the Google toolbar is involved at all.

      So it's a complete non-issue, just FUD by someone with an axe to grind or a desire to attract eyeballs to their blog. Business as usual here.

    3. Re:Its not O2, its Google by Cyberllama · · Score: 2, Insightful

      You missed a key point in the TFA:

      I looked at the URL in the e-mail and found the only requirement was a 16 digit hex number. [Update: A few readers pointed out that a 64-bit key results in a HUGE number of possibilities to guess 10^19. However, as I can obtain the keys via another security hole no guessing is required - I'm not going to release that information yet as I'd like O2 to fix this]. As these web pages were wide open to the internet, not requiring any authentication a very small handful were indexed by Google. I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:

      In other words, the stuff that's on google is merely the tip of the iceberg. He can start randomly plucking valid hex codes out of thin air and start viewing random people's random MMS's. The google search is just a "proof of concept" if you will, of the larger flaw.

      This could be, of course, untrue -- as we really only have his word to take for it that there is some "pattern" in picking valid hex codes.

    4. Re:Its not O2, its Google by Bogtha · · Score: 1

      No, this isn't an issue with Google. A search engine's job is to index things it finds on the web. If you put something on the web without any kind of password protection, then don't be surprised if it ends up being indexed by search engines. Just because you don't consider it an "official" part of your website because there isn't a link to it on your homepage, it doesn't mean that's true.

      Incompetent web developers have been complaining about this for as long as search engines have been around. It's not an issue unique to the Google web toolbar either. You can get tripped up, for example, if a "secret" page links elsewhere. The URL of the secret page gets sent as a Referer header, and may end up appearing in a log summary, which may or may not be public.

      Bottom line: if you want something to be secret, a randomised URL is not enough. You need to actually put some kind of password protection on it.

      --
      Bogtha Bogtha Bogtha
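To make the Referer point above concrete, here is an added example (not from the page, and not any browser's own code) that implements the per-policy rules of the Referrer-Policy spec and checks what a page sitting at a capability URL leaks to a third-party host it embeds or links to. The encMmsId value and the analytics hostname are made up; the O2 hostname and path are the ones quoted in this thread.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example: the message id is made up, the hostname and path are
# the ones quoted in this thread, and the analytics host is hypothetical.
SECRET_PAGE = ("http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do"
               "?encMmsId=0123456789ABCDEF")
THIRD_PARTY = "http://analytics.example/pixel.gif"


def _origin(url):
    """scheme://host[:port], lower-cased host, credentials dropped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def _stripped(url):
    """The full URL a browser would put in Referer: no userinfo, no fragment."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname or ''}{port}", p.path, p.query, ""))


def referer_for(source_url, dest_url, policy):
    """Referer value sent for a request from source_url to dest_url.

    Implements the rules of the named Referrer Policy values; None means the
    header is omitted. 'no-referrer-when-downgrade' was the browser default
    when this thread was written; 'strict-origin-when-cross-origin' is the
    default in current browsers.
    """
    same_origin = _origin(source_url) == _origin(dest_url)
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(dest_url).scheme != "https")
    origin_only = _origin(source_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source_url)
    if policy == "same-origin":
        return _stripped(source_url) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return _stripped(source_url) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(source_url)
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy {policy!r}")


def leaks_capability(source_url, dest_url, policy):
    """True if the secret query string of source_url reaches dest_url's logs."""
    secret = urlsplit(source_url).query
    ref = referer_for(source_url, dest_url, policy)
    return bool(secret) and ref is not None and secret in ref


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                   "same-origin", "no-referrer"):
        print(f"{policy:34} -> {referer_for(SECRET_PAGE, THIRD_PARTY, policy)}")
```

Under the 2008-era default the whole URL, encMmsId included, lands in the third party's access log; `Referrer-Policy: same-origin` (or `no-referrer`) on the page, and `rel="noreferrer"` on outbound links, closes that one channel. It only narrows a leak path, though; the page still needs authentication, as the post says.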
    5. Re:Its not O2, its Google by El_Muerte_TDS · · Score: 3, Informative

      No robots.txt
      http://mediamessaging.o2.co.uk/robots.txt

      Nothing is telling Google (or Yahoo, or ...) not to index a page somebody linked to on some other page.

    6. Re:Its not O2, its Google by Anonymous Coward · · Score: 1, Informative

      If the article is correct then I'd be stripping off the Google toolbar as quick as I could.

      Except it's not: http://www.mattcutts.com/blog/toolbar-indexing-debunk-post/

    7. Re:Its not O2, its Google by Gandalf · · Score: 1

      No, it's not Google's fault.

      O2 is responsible for ensuring that their pages are authenticated. Regardless of how a URL is known to Google, it should be free to crawl it. There are only two ways Google can know whether it is allowed to have its content: robots.txt (which is a mere hint) and authentication handled by the site.

      Googlebot doesn't have a cookie to authenticate itself so a proper site will simply tell it to log in or go away when accessing private pages, or simply not show anything marked private on pages that include content with different access levels.

    8. Re:Its not O2, its Google by Anonymous Coward · · Score: 0

      Google doesn't know what the URL is - that's why these sites should have authentication and/or robots.txt set up.

      And the "reset password" thing should NOT be a simple link - proper design makes things like that a POST request, which Google won't index.

      I do recall that there have been instances where a badly designed wiki was flattened by Googlebot (the "delete" links were simple GETs, and the bot followed all of them...)

    9. Re:Its not O2, its Google by jamesbarlow · · Score: 1

      The reason (if anyone cares to FTA) that they can be googled

      Yeah. Fuck that article.

      --
      C'est pas apres qu'on a fait dans son pantalon qu'il faut serrer les fesses.
  21. Watch for the fallout by one2wonder · · Score: 1

    This is a SERIOUS breach of privacy. This will hit mainstream media. The fact that I can hit a google link and listen to people voice attachments, look at their photos - that's too public of a mistake. I look forward to watching this unfold.

    --
    Never cease to wonder. If you do you have become compliant with the world around you, and that is a very dangerous thing
    1. Re:Watch for the fallout by LighterShadeOfBlack · · Score: 2, Insightful

      This is a SERIOUS breach of privacy. This will hit mainstream media. The fact that I can hit a google link and listen to people voice attachments, look at their photos - that's too public of a mistake. I look forward to watching this unfold.

      Umm... yesterday it hit the TV news that in the last 4 years the MoD has lost ~650 laptops - many containing classified information. It made the mainstream news, I'm sure people are moaning, and there'll probably be an "enquiry" which will take a few months and cost a few million eventually leading to nothing and, as always, nothing will change.

      By comparison a few photos and sound-bites is nothing. This will probably be a 1/8th page article on page 32 and that'll be the end of that.

      In the UK the prevalence of data collection is so great and the ineptitude of governments and companies is so absolute that this stuff is just commonplace now. Even if this story gets picked up anywhere it'll be overshadowed within days by a bigger data breach fuck-up somewhere else.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
  22. Look out, it's a trap! by Airw0lf · · Score: 3, Funny

    1. Leak MMS Photos
    2. Watch people as they go through the photos
    3. Arrest anyone who stumbles upon an underage photo (Someone please think of the children!)
    4. ???
    5. Profit! (Or at the very least, create a big carnival sideshow about capturing hordes of perverts in the act in order to distract attention from the massive privacy breach.)

  23. Unfortunately no nude pics by thetoadwarrior · · Score: 4, Funny

    It's amazing how many people have boring pictures and enjoy sending pictures of their ugly kids.

    I think O2 should have the decency to warn people about this but they haven't and I know that because I'm an O2 customer. Thankfully I only use my phone for calls so this doesn't affect me.

    1. Re:Unfortunately no nude pics by Anonymous Coward · · Score: 0

      Thankfully I only use my phone for calls so this doesn't affect me.

      Then you're part of the problem man. Grab a chick and get to work, what are you waiting for?

  24. This is not new for O2. by Deleriux · · Score: 1

    I used to work for O2, not in the technical department.

    I found a javascript injection attack on their public facing website that let you log in as anybody. Literally, any user. They eventually fixed the flaw after I reported it, but their attitude to my finding the flaw was ridiculous.
    They felt I had wasted their time by bringing it up. Worse still, they considered disciplining me for "wasting time".

    The head of IT security at the time subtly hinted I had wasted their programmers' time too.

    This kind of situation does not surprise me, the quality of their internal websites security is lackluster (they are regularly being hacked by their own staff!) and have in the past installed untested web applications internally which were not properly tested for security.

    People seem to think that the 16 digit hex code is "good enough". I digress. For an international communications company that uses the bureaucratic ITIL method for change control this is not very good as it signifies that this was acceptable when checked through numerous channels.

    It would not have been difficult to require a sessionable random variable to match along with the key before allowing this.

    1. Re:This is not new for O2. by Rob+Kaper · · Score: 1

      People seem to think that the 16 digit hex code is "good enough". I digress. For an international communications company that uses the bureaucratic ITIL method for change control this is not very good as it signifies that this was acceptable when checked through numerous channels.

      It would not have been difficult to require a sessionable random variable to match along with the key before allowing this.

      Agreed, but this is a level of security most businesses can't afford due to scaling issues.

      Storage and traffic costs for content delivery networks are much, much lower than for dynamic environments capable of performing authentication at the last step (sending the actual content, not the HTML interface surrounding it).
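The pattern that answers both the hard-to-guess-ID discussion earlier in the thread (authenticate on the main site, serve static files from a delivery network) and the exchange just above (require something session-bound alongside the key, without making the CDN do authentication) is a signed, expiring link: the dynamic page checks the session and ownership, mints a URL carrying an HMAC over the id, the user and an expiry, and the edge verifies the signature statelessly. This is an added example, not O2's code and not anything described in the article: the signing key, CDN host, session store, message table, user number (from the Ofcom-reserved fictional range) and 16-hex-digit message id are all constructed stand-ins.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical secret shared by the web tier (which mints links after login)
# and the CDN/edge (which verifies them). Assumption: nothing on the page
# describes O2's real setup; this is a standard pattern, not their code.
SIGNING_KEY = b"rotate-me-example-signing-key"

# Constructed stand-ins for the session store and the message ownership table.
# 447700900123 is in the Ofcom-reserved fictional number range.
SESSIONS = {"sess-abc": "447700900123"}          # session cookie -> user
MESSAGES = {"0123456789ABCDEF": "447700900123"}  # encMmsId -> owning user
CDN_BASE = "http://cdn.example/MacsService/part"  # hypothetical static host


def mint_content_url(message_id, user, ttl=300, now=None):
    """Return a short-lived signed URL for the static object behind message_id.

    Only called after the dynamic page has authenticated `user` and checked
    that they may see `message_id`. The CDN needs no session state: the
    HMAC binds the id, the user and the expiry together.
    """
    now = int(time.time()) if now is None else int(now)
    exp = now + ttl
    payload = f"{message_id}|{user}|{exp}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    query = urlencode({"id": message_id, "u": user, "exp": exp, "sig": sig})
    return f"{CDN_BASE}/{message_id}.jpg?{query}"


def verify_content_url(url, now=None):
    """Edge-side check: True only for an untampered, unexpired signed URL."""
    now = int(time.time()) if now is None else int(now)
    q = parse_qs(urlparse(url).query)
    try:
        message_id, user = q["id"][0], q["u"][0]
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False                      # missing or malformed parameters
    if now > exp:
        return False                      # link has expired
    payload = f"{message_id}|{user}|{exp}".encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def show_message(cookies, enc_mms_id, now=None):
    """Dynamic page (the showMessage2.do equivalent): authenticate first.

    Returns (status, headers, body). An unauthenticated crawler gets a 401
    and an explicit noindex, never the message text, sender number or a
    usable image link. A wrong owner gets 404 rather than 403 so the
    response does not confirm that the id exists.
    """
    headers = {"X-Robots-Tag": "noindex", "Cache-Control": "private, no-store"}
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, headers, "login required"
    if MESSAGES.get(enc_mms_id) != user:
        return 404, headers, "not found"
    body = {"from": user, "image_url": mint_content_url(enc_mms_id, user, now=now)}
    return 200, headers, body


if __name__ == "__main__":
    ok = show_message({"session": "sess-abc"}, "0123456789ABCDEF")
    print(ok[0], ok[2]["image_url"])
    print(verify_content_url(ok[2]["image_url"]))   # True while unexpired
```

Verifying an HMAC at the edge costs one hash per request and no database lookup, which is what makes it affordable at CDN scale; the expiry bounds how long a leaked or republished link stays useful, and the `noindex` plus `no-store` on the dynamic page keeps it out of search indexes and shared caches even if its URL escapes.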

    2. Re:This is not new for O2. by Anonymous Coward · · Score: 0

      disagree != digress

    3. Re:This is not new for O2. by Anonymous Coward · · Score: 0

      You're an idiot. O2 have never been ITIL-like; they are trying though. The 'attack' you mention was not Javascript-based and was reported by a customer to the technical people, not by a staffer. There's a good reason you no longer work for O2...

  25. Crawl by youthoftoday · · Score: 1

    I wonder if the admins will notice wget climb up in the user-agent tables...

    --
    -1 not first post
  26. Text and phone numbers too by aembleton · · Score: 1

    These MMS messages also show any text and the senders phone number. For example this one has text, several photos and a mobile phone number: http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do?encMmsId=4DC8E22F33EFC13C

    This should be easy to fix with some authentication, I guess O2 will get onto this soon before the mainstream media catch on.

    1. Re:Text and phone numbers too by aembleton · · Score: 1

      I've just realised that the reason Google had indexed that MMS along with the others is because they've been linked to from other websites. For example the one I pasted above is linked to here http://1000milesdown.blogspot.com/2008/04/day-3-foyers-connell-84-miles.html

      I guess, in a way this isn't really a security problem, but more like a 'feature'. It gives you some space to store a message that you can then link to and uses a 16 digit hex key to hide the message through obscurity.

    2. Re:Text and phone numbers too by Dan541 · · Score: 1
      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  27. Don't think O2 is that at fault here by AC-x · · Score: 2, Informative

    Given the small number of results here I'd say that those pages were linked from somewhere else (a forum or someone's homepage maybe?) which allowed Google to index them.

    Google's spider isn't magic, it can only find things that are linked to from another public site (given google's don't be evil mantra I doubt they'd start indexing links from emails etc.)

    Still, O2 should probably add some noindex tags, as it does give people a way to list all O2's public MMSs, with probably a broader audience than whoever posted them would like.

    1. Re:Don't think O2 is that at fault here by daviddcawley · · Score: 1

      Even if O2 did prevent indexing of these webpages the leak still exists. I'm able to find keys due to a security hole in O2's servers and I'll update the blog with the full details after giving O2 time to respond. Here's an example if you don't believe me: http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do?encMmsId=66544E5699B42021 You will NOT find that indexed on Google or any other websearch.

    2. Re:Don't think O2 is that at fault here by Tony+Hoyle · · Score: 1

      O2's site is giving 503 errors now.. either slashdotted or someone at O2 pulled the plug.

    3. Re:Don't think O2 is that at fault here by maxume · · Score: 1

      I believe what you are saying, but that link is equally well explained by you or someone you know being an O2 customer.

      --
      Nerd rage is the funniest rage.
    4. Re:Don't think O2 is that at fault here by Anonymous Coward · · Score: 0

      They just took down the containing page/servlet/whatever. The actual images are still accessible. Hit google cache to see them (google doesn't cache images, just the html) :

      http://209.85.215.104/search?q=cache:da2lzIzhTUAJ:mediamessaging.o2.co.uk/mms2legacy/showMessage2.do%3FencMmsId%3D4CFD8D89D9731663+inurl:mms2legacy&hl=en&ct=clnk&cd=21&gl=us

      Here's the actual image:

      http://139.2.165.14/MacsService/Macs/ContentService/part/2/0/4CFD8D89D9731663.jpg

    5. Re:Don't think O2 is that at fault here by daviddcawley · · Score: 1

      That's a very valid point! However, I'll update the blog next week with details of the incredibly simple way I was able to determine the encMmsId string. I'd like to hear some type of response from O2 first i.e. if they believe there is a problem? If so when do they plan to fix it? What steps will be taken to fix it?

    6. Re:Don't think O2 is that at fault here by Anonymous Coward · · Score: 0

      Scratch that, the images are secured or disabled now too.

  28. Slashdotted by Anonymous Coward · · Score: 0

    The O2 site has crumbled under the /. load...

  29. Laws by ddrichardson · · Score: 1

    The sad thing is that, despite there being several laws in place that could be used to punish these companies (the Computer Misuse Act 1990 and the Data Protection Act 1998 spring to mind), they won't be.

    In light of the number of breaches recently (such as the MOD losing restricted USB sticks, the Inland Revenue losing records and even the damn Navy losing recruiting information), I'll wager the government will introduce another new law to deal with this but still, you know not actually do anything about it.

    --
    A thistle is a fat salad for an ass's mouth...
    1. Re:Laws by Dan541 · · Score: 1

      What have O2 done wrong?

      People should not share their emails with the public.

      http://1000milesdown.blogspot.com/2008/04/day-3-foyers-connell-84-miles.html

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  30. Cut to the chase.. by ontheroll · · Score: 1

    Any direct links to naked chicks photos?

    1. Re:Cut to the chase.. by ColdWetDog · · Score: 2, Informative

      Any direct links to naked chicks photos?

      You're pretty new here, so let me give you a bit of advice: If anyone on Slashdot purports to show you pictures of naked chicks ...

      Put your welding goggles on before you hit the link. And for damned sure don't do it at work.

      --
      Faster! Faster! Faster would be better!
    2. Re:Cut to the chase.. by inject_hotmail.com · · Score: 1

      Any direct links to naked chicks photos?

      I'm not really sure what the allure is...I mean...go to yahoo.com and search for "naked chicks", and click image search...I bet you'll see quite a few.

      Could be it's that you think you're not -supposed- to see these pictures...in which case it's all in your mind...convince yourself that you are not supposed to be looking at naked chicks on websites, and you will get the same thrill.

      Anyway, you probably aren't going to find any MMS pics indexed beyond what you see...sorry man. If you start guessing 16-byte hexadecimal strings and get a result...feel free to post 'em! ;)

  31. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  32. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  33. Gone... by FriendSite.com · · Score: 0

    Nice to see that they've taken it down now though...

  34. Looks like they fixed it by KingTank · · Score: 1

    Darn- I mean, GOOD!

  35. OMG... by Illbay · · Score: 1

    ...is my butt really that fat?

    --
    Any technology distinguishable from magic is insufficiently advanced.
  36. Lawsuit? by mr_lizard13 · · Score: 1

    Dude, please, we're in the UK. We don't sue people when things like this happen. We moan about it for awhile, form our opinion based on a tabloid newspaper article, then we go and drink tea and forget about it all.

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  37. My new ringtone! by Anonymous Coward · · Score: 0

    There's sound too!

  38. 50000 image analysis and results online. by Anonymous Coward · · Score: 0

    I have downloaded and archived about 50000 images as a sample and will be publishing a statistical analysis and musings on what people use MMS for and why. The results are to be found at crackanything. Some of the analysis is very interesting!

  39. Cache? by Dan541 · · Score: 1

    Google cache anybody?

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  40. disabled by Anonymous Coward · · Score: 0

    Looks like there are some dead links. LOL

  41. Sorry, Sprint by Anonymous Coward · · Score: 0

    O2 is not the only company that made this mistake - there are other providers making MMS content available to the entire Internet: http://www.google.com/search?hl=en&q=inurl:.com/share.do%3Finvite%3D&filter=0

  42. Staring at their pictures online isn't quite the same thing as MEETING them... ;)

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  43. Verizon's Pix place has a similar issue by SuBTeK · · Score: 1

    Verizon has had a similar issue with pix place for a while. The difference is that you are able to see pictures sent from the internet to a handset rather than internal handset to handset. To see an example of this go to "http://picture.vzw.com/pub/guestComposer/guestCreate.do?mediaType=free" and click on "Upload Media". It will now ask you for an e-mail address, type in "vzwflaw@gmail.com". After that it will bring up a window for you to upload files, click cancel. Now click on the drop down under "Look Inside" and click uploads; you will see a picture I previously uploaded.