Slashdot Mirror


It's Not Just O2 Leaking MMS Messages

wiedzmin writes "A recently publicized issue with the UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However, a quick internet search shows that other mobile server providers, including those located in the US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."

3 of 105 comments

  1. Re:robots.txt by morgan_greywolf · Score: 1, Interesting

    Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

    Even so, is it a wise idea to be thinking of MMS as 'private'? There's no verification of the recipient. What if you accidentally pick the wrong number from cellphone contacts? What if you put the wrong number in your contacts in the first place?

    Plus, these things aren't sent using SSL.

    Knowing that MMS are sent using an insecure, public network, you should not be thinking of these things as 'private'. Just like the stupid myspace users who think their 'friends only' profiles are private.

  2. Re:O2 Were Leaking Mobile Numbers Too by ilovegeorgebush · Score: 3, Interesting

    Just because you believe someone should tell you something privately, doesn't mean they will. People were sending each other pictures of their newborns - in the belief, I'm sure, that it was private - and they were openly exposed by Google's cache because of the stupidity of the O2 developers.

    I agree, I'd very much like the applications I use to be effective and simple in use, but not at the cost of privacy or security. I'm willing to bet I'm not alone in this view.

    Anyhow, we digress. The fact is: robots.txt is a directive to specific clients - namely those that are automated, a.k.a. search engines or bots - to not index the page. They are NOT a security measure. Far too many automated services ignore robots.txt and index anyway; hence the reason it shouldn't be used to protect personal information like you're suggesting. Furthermore, randomising URIs using GUIDs defeats your whole usability/ease-of-use argument.

    Sorry, but you're just plain wrong.
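
The point made in the two comments above, as an added example that is not part of the original thread or any operator's code: robots.txt is evaluated by the client, so only a server-side check on who is asking actually protects a message. The paths, message ids, phone numbers and session tokens are constructed for illustration.

```python
# Added illustration (constructed data; not any operator's real code or URLs).
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """User-agent: *
Disallow: /mms/
"""

# Constructed message store: message id -> (recipient number, content)
MESSAGES = {"1001": ("+15550100", b"<jpeg bytes>")}
# Constructed session table: session token -> authenticated phone number
SESSIONS = {"tok-alice": "+15550100", "tok-bob": "+15550199"}


def polite_crawler_would_fetch(path):
    """A well-behaved crawler consults robots.txt; the decision is made client-side."""
    rp = RobotFileParser()
    rp.parse(ROBOTS_TXT.splitlines())
    return rp.can_fetch("ExampleBot", path)


def serve_robots_only(path):
    """Server relying on robots.txt alone: any request for a valid id succeeds."""
    msg_id = path.rsplit("/", 1)[-1]
    if msg_id in MESSAGES:
        return 200, MESSAGES[msg_id][1]
    return 404, b""


def serve_with_auth(path, session_token=None):
    """Server that returns content only to the authenticated recipient."""
    msg_id = path.rsplit("/", 1)[-1]
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, b""  # not logged in
    record = MESSAGES.get(msg_id)
    if record is None or record[0] != user:
        return 404, b""  # same answer for "missing" and "not yours"
    return 200, record[1]


if __name__ == "__main__":
    path = "/mms/1001"
    print("polite crawler fetches:", polite_crawler_would_fetch(path))
    print("client ignoring robots.txt:", serve_robots_only(path)[0])
    print("anonymous, auth server:", serve_with_auth(path)[0])
    print("other user, auth server:", serve_with_auth(path, "tok-bob")[0])
    print("recipient, auth server:", serve_with_auth(path, "tok-alice")[0])
```
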

  3. Re:O2 Were Leaking Mobile Numbers Too by Dan541 · Score: 3, Interesting
    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"