It's Not Just O2 Leaking MMS Messages
wiedzmin writes "A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However, a quick internet search shows that other mobile service providers, including those located in the US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently, as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."
It should be O2 (Oh 2), not 02 (zero 2)...
Red Leader Standing By!
This was the same with the O2 MMS leak over the weekend. Google's cache was showing the mobile number from which the MMS originated - highly controversial IMO.
ilovegeorgebush
Theoretically speaking, a secret string in a password and a secret string in a URL should be equivalent, since they both require "something you know". The difference is that URLs are not generally treated as secrets, so your browser handles them differently. Your browser automatically records all URLs, but generally ASKS before remembering passwords. Also, your users may not realize URLs with secrets in them should be treated differently; they may pass the URLs around to their friends without realizing they're supposed to be "secret". Finally, it's usually easier to assign individual passwords to users (and thus revoke them when leaked) than to assign individual URLs to users.
So it depends on your use. It's not always a bad thing, and in environments requiring only minimal security it can be "good enough" in exchange for high convenience. Just don't consider it the same as an actual password.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
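Added example, not part of the thread: a sketch of the per-recipient URLs the comment above contrasts with passwords, made expiring and individually revocable, plus response headers that keep such links out of search indexes and caches. The `/mms/...` path layout, the function names and the in-memory revocation set are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing key
REVOKED = set()                       # revoked link ids (a database table in practice)

# Response headers that keep a secret URL out of search indexes,
# shared caches and outgoing Referer headers.
LINK_HEADERS = {
    "X-Robots-Tag": "noindex, noarchive",
    "Cache-Control": "private, no-store",
    "Referrer-Policy": "no-referrer",
}

def _sign(message_id, link_id, expires):
    data = f"{message_id}|{link_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def issue_link(message_id, ttl=86400, now=None):
    """Return (link_id, url_path) for one recipient of one message."""
    now = int(time.time()) if now is None else now
    link_id = secrets.token_urlsafe(16)  # 128 random bits, unique per recipient
    expires = now + ttl
    sig = _sign(message_id, link_id, expires)
    return link_id, f"/mms/{message_id}/{link_id}/{expires}/{sig}"

def check_link(path, now=None):
    """Return the message id if the link is valid, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[0] != "mms":
        return None
    _, message_id, link_id, expires, sig = parts
    if not (expires.isascii() and expires.isdigit()):
        return None
    expected = _sign(message_id, link_id, int(expires))
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if int(expires) < now or link_id in REVOKED:
        return None
    return message_id

def revoke(link_id):
    """Invalidate one recipient's link without touching the others."""
    REVOKED.add(link_id)
```

Revoking one `link_id` leaves every other recipient's link for the same message working, which is the property the comment attributes to individual passwords.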