It's Not Just O2 Leaking MMS Messages
wiedzmin writes "A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However a quick internet search shows that other mobile server providers, including those located in US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."
It should be O2 (Oh 2), not 02 (zero 2)...
Red Leader Standing By!
I feel a great disturbance in the Internet, as if millions of webmasters suddenly cried out in terror and suddenly updated their robots.txt file.
You just got troll'd!
This was the same with the O2 MMS leak over the weekend. Google's cache was showing the mobile number from which the MMS originated - highly controversial IMO.
ilovegeorgebush
Most users I looked at seem to send around pictures of houses and cars they are planning to buy. Or maybe they want to sell them. In any case, looks like the US economy is not THAT bad.
I use e-mail instead
mov ax,4c00h
int 21h
ASF Files containing URLs meant to be auto-followed, large telecoms publishing "private" messages on the public-accessible net.
Neither of these are old enough for the "it was before we knew" excuse, so wtf is going through these guys' heads?
1) Take naked picture of self
2) Send to SO
3) Find on internet
4) Sue
6) PROFIT!
5 pages of URLs and not a single nude picture! How is that possible??
At least we know AT&T isn't leaking our MMS messages.
naughty Naughty! Google, you bad bot.
And how do search engines find the pages? Not likely via links, or if they do, what's wrong with that? I believe the most plausible explanation is that the viewers of such pages are using Google Toolbar or a similar tool, which I believe can report (reports all the time?) viewed pages to Google, so it can index them, even if they don't have any inbound links.
The lack of robots.txt is an oversight, though.
But why should a secret URL not be a decent security feature? Especially if they don't have outbound links that could put them into another server's log in the form of the Referer-field of the header. Why is it an advantage that part of the URL is moved to web page credentials? The pages themselves can still be in plain text (or are they SSL-protected?) and any system between the client and the server can see the credentials no matter where they are put. There is the slight difference that a server more commonly logs only the URL, not the password, but that's just another configuration issue and not in my opinion any real security; an attacker could modify the web server to produce any kinds of logs he wanted.
I did try, with one such URL, to find its inbound link with Google's linkto-search, but found nothing. This does suggest a tool such as Google Toolbar or manual page entry was used to get the pages in. The low number of images found this way suggests this too.
If the providers had a page that linked to all the MMS images that way, now that would have been a grave mistake. But relying on secret URLs on a plain text medium in any case, is not. The search engines have no magic fairy dust in them to help them find such pages - and they sure aren't brute forcing the web..
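The comment above weighs secret URLs, robots.txt and Referer leakage. As an added example (not part of the thread and not any carrier's actual code), this sketch shows a share link whose token is HMAC-signed and expires, served with headers that keep the page out of search indexes and referrer logs. The function names, the `msg-1001` id format and the in-process key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed per-process key; a real service would load it from a secret store.
KEY = secrets.token_bytes(32)


def _mac(payload: str, key: bytes) -> str:
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_share_token(message_id: str, expires_at: int, key: bytes = KEY) -> str:
    """Return 'id.expiry.mac'; message_id must not contain a dot."""
    payload = f"{message_id}.{expires_at}"
    return f"{payload}.{_mac(payload, key)}"


def verify_share_token(token: str, now: int, key: bytes = KEY):
    """Return the message id if the token is authentic and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    message_id, expiry, mac = parts
    expected = _mac(f"{message_id}.{expiry}", key)
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now >= int(expiry):
        return None  # a link that leaks later is useless once expired
    return message_id


def share_page_headers() -> dict:
    """Headers for every share page and media response."""
    return {
        # Unlike a robots.txt Disallow, this is read when the page is fetched
        # and tells crawlers not to index or cache it.
        "X-Robots-Tag": "noindex, noarchive",
        # Keeps the secret URL out of other sites' Referer logs.
        "Referrer-Policy": "no-referrer",
        # Keeps shared proxies from storing the content.
        "Cache-Control": "private, no-store",
    }
```

The expiry bounds the damage if a link is reported to a search engine by any route; it does not replace authentication for content that must stay private.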
Oh my god, google leaked private picasa photo albums : http://www.google.com/search?q=picasaweb.google.lt+inurl:authkey&hl=en&filter=0
I've got some +1 informatives to hand out here... somebody go find me some pictures of naked ladies!
I don't think there'll be any nudity in the foreseeable future either for these two:
http://pictures.sprintpcs.com/share.do?invite=UEPrJG8VhP5EX5Oah7Ex&shareName=FORWARD
This is where you really want to use http://www.piclens.com/
This is the Firefox plugin for Windows - but there's a Mac OS X version that works with Safari, too.
Any Linux suggestions?
"Flyin' in just a sweet place,
Never been known to fail..."
I don't have MMS on my Sprint plan, but people sometimes send me them. When that happens, I just get a link I put in my browser.
I was always a little disheartened that I didn't have to authenticate myself
But I guess you consider the contents of your phone conversations private.
Why? That makes ZERO sense. Anyone with a scanner used to be able to pick up your cell phone conversation, and today since the signal is digital it's a little harder but the same basic premise still applies - NO phone conversation is encrypted unless you do so yourself. Apart even from freely transmitting your conversation to anyone in range who wants to listen, there's the stuff that happens with your voice signal downstream on the way to where it is going....
Any expectation of privacy from a phone conversation is more a reflection of willful ignorance as to how telephone networks work than any actual basis for belief.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Fortunately, you're also able to reply straight from the Sprint web interface. Let the customers know that Sprint is leaking pictures this way.
Let it get media attention!
You can even get the full resolution pictures by editing the URL for the photos: http://pictures.sprintpcs.com/mmps/IDENTIFIER_GOES_HERE/2.jpg?partExt=.jpg&&&outquality=100&ext=.jpg&&limitsize=8000,8000&squareoutput=255,255,255
If the original is smaller than 8000x8000, you'll get the picture in the original resolution, otherwise it'll downscale it.
A proud member of the Onion-in-Hand alliance
Just using e-mail would be great if everyone had e-mail account,
The last few plumbers I used all did.
Yesterday I sent MMS to a plumber
And how many plumbers have MMS phones? Why is THAT expectation more rational than email?
Funny thing is, the web based mms stupid idea was just about to disappear... It was designed for times that everyone didn't have MMS enabled phones... Now iPhone shipped without MMS!
And you expect that to not hasten the demise of SMS how again?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
People - MMS messages are simply open, and that's all there is to it. You cannot expect people to authenticate to view them, as the best you could hope for is some wonky one-time password sent along with the message there was an MMS they could look at, and which users would not stand for. You have to let them be viewed on the web because a number of phones (not just the iPhone) do not support MMS or even images. Since all you have is a number you are sending it to you don't necessarily have a good email address you can send it to instead of a link.
Meanwhile I can always send users a picture by email with confidence that picture is not anywhere on the web.
NOW you are all starting to understand just why MMS is such a dinosaur and simply must die. Do not help prop up this privacy lich king by demanding it be supported on the iPhone, instead kick it while it's down and demand from other vendors MMS be removed from all new phones.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Easy to intercept doesn't mean not private (or public).
Private, in this sense, means that it's illegal to intercept my communication (except for lawful interception). I could sue anyone who intercepts my phone calls and uses the obtained information in any way and I become aware of it. This applies to phone, SMS/MMS, email, web activity, whatever. (IANAL, but I guess it could also apply to my WLAN at home) Of course I am aware of the fact that these communication channels are insecure, so I use them accordingly. But if anyone has the means to intercept my communication, it does not mean they can legally do it.
.sig: No such file or directory
Private, in this sense, means that it's illegal to intercept my communication (except for lawful interception).
That is, simply put, the most bullshit explanation of "expectation of privacy" I have ever heard. It is simply astounding to think that just because something is technically illegal to do, it will not be done and you can rely on it in any way to protect you - it's as foolhardy a measure as the record studios relying on DRM to stop media from being pirated, because it would be illegal to bypass!
The funny thing is, your definition of privacy is really an attempt to stop a single party (the government) from listening in on your conversation, when they are in fact the least likely to ever pay attention to anything you ever do. There is no difference between such a law and an innate sense of ethics in anyone else who might want to or have the capability to listen in.
If anyone on earth can and will listen to your conversations and view your MMS messages by design, then expecting privacy in any sense of the word is simply absurd. You do not design an inherently insecure system and then ever place a tag on it that says it's now secure by virtue of you saying it should be. That, again, is a totally unreasonable expectation, and MMS just illustrates all the more clearly why that concept breaks down when you can view anyone else's MMS messages and then expect them to be able to do anything about it at all. Sorry, that's how it works!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The only thing these links lead to are pictures taken and either "uploaded to your online photo album" with the carrier, or pictures emailed to your phone. You are looking at the INBOX or PHOTO ALBUM.
These are *NOT* leaks of the actual MMS messages themselves. They are only ones people DECIDED to upload to their account or had emailed. That's it. There may be some phone to phone MMS listed in certain situations, like with Nextel for example. My friend's phone couldn't handle pictures, so when I'd send him an MMS it would instead land in his online inbox at nextel/sprint, and he'd receive a text to go to a certain URL to see it. Those are the only phone-to-phone (HA! P2P! Eat that **AA) transfers you'll find in those search results.
A typical slashdot article not fully researching or understanding what's going on, and blowing this out of proportion. Granted this is a security/privacy breach, but just a typical some web programmer doesn't know what they're doing, not that the cell network has a huge flaw.
Oh you joker!
Compromised systems where you store data is a totally different issue than designing a system where anything you transmit is put up for the world to see. One is a bug, one is by design...
Generally my statement holds true - at any given moment I may send an email with confidence there is not a link the general public may use to view it easily, which will never ever be the case with MMS - because that's just how it works.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
http://blog.mailchannels.com/2008/07/update-o2-leaking-customer-photos.html
Now that O2's MMS servers are offline, it's safe for us to announce a more serious vulnerability that permitted the easy discovery of thousands of truly private MMS messages including videos. See the blog link for more details.
Regarding the MMS bug
That's my whole point, there is no bug. The fact people can see these messages? Not a bug, it's a FEATURE in how MMS works. An irreplaceable, non-changeable feature. This is not a bug that can be "fixed" as it's a part of how MMS works for people today. People WANT the people they send images to be able to see them - public web links are how modern MMS makes that happen. A side effect is that anyone can see them. A few links originally posted non-viewable now? Not a permanent change, not at all.
Viewing MMS messages in the open is by DESIGN. You cannot change it without totally breaking MMS for hundreds of millions of users.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I wasn't joking, and you're wrong.
You can be 100% certain that your MMS message is open to the world to see, sure. But you can never be 100% certain that your e-mail message is not visible to the general public unless you encrypt it, because you have no control over the transmission or the receiving server.
If you are confident that the unencrypted e-mail you send is only visible to the intended recipient, you are (and there's no nice way to say this) a fool.
Google Toolbar does not lead Googlebot into indexing pages.
Read the full post.
I am confident the message I send is intended not to be seen by anyone but who I intended to see it.
I am confident the MMS message I might send is meant to be seen by others.
And that is all the difference. You are nitpicking fine details of the possible security weaknesses, while totally missing the big picture.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
They were getting the message
We're sorry... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.
along with being asked to fill out a CAPTCHA each. They were suspicious of filling it out, didn't know what to do and called the help desk!
Well, that's really not correct.
Conversations on GSM cell phone networks are encrypted from phone to tower, albeit with a craptastic and weak encryption algorithm. If the designers of the GSM system had done their work better and/or not bowed to pressure to intentionally weaken the algorithm, we could have had great encryption for the majority of the cell phone usage in the world today.
Of course this only protects from phone to tower, and it's a weak protection against sufficiently determined attackers, but for most private people's purposes it's probably 'well enough'.
To my mind weak encryption like that is basically no encryption. Anyone going to the trouble of building a scanner is going to work around that, I don't think the barrier is all that much higher than it was when you had to get a scanner at all to receive cell phone frequencies before.
While you're right they could have made the segment to the tower decently protected, they did not do so and thus I still maintain any thought of privacy over such a line makes no sense.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
To my mind weak encryption like that is basically no encryption.
While you're right they could have made the segment to the tower decently protected, they did not do so and thus I still maintain any thought of privacy over such a line makes no sense.
GSM was designed in the 80s. Did we have back then the technology powerful enough to do strong crypto in the handsets and still not drain the battery in 5 minutes?
Hell no!
GSM wasn't even expected to be around so long. Want a more secure radio interface? Use 3G or CDMA.
.sig: No such file or directory
Private != secure most of the time. Sad but true.
.sig: No such file or directory
You seem to be a proponent of security through obscurity; please hand over your /. gun and turn in your nerd badge.
But if he puts his hand over his slashdot gun in the presence of mobile photos, it's likely to go off! You're putting the whole community in danger!
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin