It's Not Just O2 Leaking MMS Messages

wiedzmin writes "A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However a quick internet search shows that other mobile server providers, including those located in US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."

In the title

[szo]

It should be O2 (Oh 2), not 02 (zero 2)...

robots.txt

[4D6963]

I feel a great disturbance in the Internet, as if millions of webmasters suddenly cried out in terror and suddenly updated their robots.txt file.

Re:robots.txt

[fluch]

Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

Re:robots.txt

[4D6963]

Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

Hey, thanks for ruining the joke, jerk :-(

Re:robots.txt

[fluch]

Ups, sorry. ;-)
But someone just modded my comment as 'insightful'. Someone at O2?

Re:robots.txt

[Atti+K.]

Knowing that MMS are sent using an insecure, public network, you should not be thinking of these things as 'private'. Just like the stupid myspace users who think their 'friends only' profiles are private.

Easy to intercept doesn't mean not private (or public). Are your phone conversations encrypted? Sure they are on the air interface, but not in the operator's core network or on the links between different operators. But I guess you consider the contents of your phone conversations private.

Re:robots.txt

[fbjon]

Credit card numbers and other details are only a small part of privacy. Would you be alright with anyone being able to listen to casual conversations or messages? Would you speak freely, or keep in mind at all times that you're not alone? I like my privacy, thank you very much, and violations of it are violations regardless of actual damages.

O2 Were Leaking Mobile Numbers Too

[ilovegeorgebush]

In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent

This was the same with the O2 MMS leak over the weekend. Google's cache was showing the mobile number from which the MMS originated - highly controversial IMO.

Re:O2 Were Leaking Mobile Numbers Too

[ilovegeorgebush]

Just because you believe someone should tell you something privately, doesn't mean they will. People were sending each other pictures of their newborns - in the belief, I'm sure, that it was private - and they were openly exposed by Google's cache because of the stupidity of the O2 developers.

I agree, I'd very much like the applications I use to be effective and simple in use, but not at the cost of privacy or security. I'm willing to bet I'm not alone in this view.

Anyhow, we digress. The fact is: robots.txt is a directive to specific clients - namely thsoe that are automated, a.k.a search engines or bots -- to not index the page. They are NOT a security measure. Far too many automated services ignore robots.txt and index anyway; hence the reason it shouldn't be used to protect personal information like you're suggesting. Furthermore, randomising URIs using GUIDs defeats your whole usability/ease-of-use argument.

Sorry, but you're just plane wrong.

Re:O2 Were Leaking Mobile Numbers Too

[digitig]

Just because you believe someone should tell you something privately, doesn't mean they will. People were sending each other pictures of their newborns - in the belief, I'm sure, that it was private - and they were openly exposed by Google's cache because of the stupidity of the O2 developers.

In my experience of parents, they will show pictures of their newborns to anybody who doesn't run away fast enough. O2 could have publicised this as a customer feature -- it's the people who hack in to get the pictures who lose out here.

Re:O2 Were Leaking Mobile Numbers Too

[Dan541]

http://pictures.sprintpcs.com/guest/message/reply/compose.do?messageId=001_2359418f2c1d5b75_1&invite=qEArJQ7X55kZn5vz8U50&COMPOSER_OPTION=REPLY

look at this.

Apparently you can reply as someone else.

Re:O2 Were Leaking Mobile Numbers Too

[ilovegeorgebush]

The example you use is when the parents are aware of the sharing and give their consent. This is not the case with the issue at hand.

Nice pictures

[drx]

Most users i looked at seem to send around pictures of houses and cars they are planning to buy. Or maybe the want to sell them. In any case, looks like the US economy is not THAT bad.

Re:Nice pictures

[totally+bogus+dude]

Sorry, but they're actually pictures of houses they're planning to rob, and cars they're planning to steal.

Just did a search and some of them seem to be returning errors now - nothing like getting your problems published on slashdot to motivate people to fix them!

So are these services purely to allow people with MMS-incapable phones to see messages (I remember getting an SMS with a URL to view the message once upon a time with Telstra), or for sharing them?

If it's the former then requiring authentication might be possible, but that'd be a real pain for the latter. Having random, unguessable paths as unique keys is about all you can do without crippling the ability to share them.

Surely if they're relying on having unguessable URLs they wouldn't have any way to retrieve a list of them, so I guess this all stems from people publishing links to (private?) messages on public sites. At least, I hope that's the case.

that's why

[amnezick]

i use e-mail instead

Where do these engineers come from?

[fabs64]

ASF Files containing URL's meant to be auto-followed, large telecoms publishing "private" messages on the public-accessible net.

Neither of these are old enough for the "it was before we knew" excuse, so wtf is going through these guys heads?

Profit!

[wjhoffman1983]

1) Take naked picture of self
2) Send to SO
3) Find on internet
4) Sue
6) PROFIT!

Re:Profit!

[maglor_83]

For all you know, the parent is a sexy bitch with big titties.

In this case, one out of two IS bad.

WTF??

[plazman30]

5 pages of URLs and not a single nude picture! How is that possible??

iPhone users rejoice!

[teshuvah]

At least we know AT&T isn't leaking our MMS messages.

Re:iPhone users rejoice!

[db32]

Of course they aren't. They had to redesign their network for the wiretaps.

Secret URL as a security feature

[flux]

And how do search engines find the pages? Not likely via links, or if they do, what's wrong with that? I believe the most plausible explanation is that the viewers of such pages are using Google Toolbar or a similar tool, which I believe can report (reports all the time?) viewed pages to Google, so it can index then, even if they don't have any inbound links.

The lack of robots.txt is an oversight, though.

But why should a secret URL not be a decent security feature? Especially if they don't have outbound links that could put them into another server's log in the form of the Referer-field of the header. Why is it an advantage that part of the URL is moved to web page credentials? The pages themselves can still be in plain text (or are they SSL-protected?) and any system between the client and the server can see the credentials no matter where they are put. There is the slight difference that a server more commonly logs only the URL, not the password, but that's just another configuration issue and not in my opinion any real security; an attacker could modify the web server produce any kinds of logs he wanted.

I did try, with one such URL, to find its inbound link with Google's linkto-search, but found nothing. This does suggest a tool such as Google Toolbar or manual page entry was used to get the pages in. The low number of images found this way suggests this too.

If the providers had a page that linked to all the MMS images that way, now that would have been a grave mistake. But relying on secret URLs on a plain text medium in any case, is not. The search engines have no magic fairy dust in them to help them find such pages - and they sure aren't brute forcing the web..

Re:Secret URL as a security feature

[IceCreamGuy]

But why should a secret URL not be a decent security feature?

You seem to be a proponent of security through obscurity; please hand over your /. gun and turn in you nerd badge.

Seriously though, when I take a picture on my mobile phone and upload it to my provider's site, I feel like it's understood that someone would need a password to see my media. Hiding a password in a URL isn't an option because of the reason you so clearly outlined with services like Google Toolbar.

Re:Secret URL as a security feature

[flux]

What is username/password if not security via obscurity then? You can brute force them just as easily you can brute force an URL.

How can it be the service provider's fault that the viewer of the media openly sends information on the pages to the world?

And this MMS-hole is as old as MMS is; when MMS-messages weren't supported by all the phones (I suppose that can be the case today too), an SMS with the URL was sent instead. No username/password was associated with the service provider, you had your phone number. And the URL was something you could pass on if you wanted, without distributing your credentials. (I don't know if that's the case today, though, if some providers have added some response features to it; someone's going to pay for those, right?)

And even with Google Toolbar, a robots.txt should fix the issue.

Re:Secret URL as a security feature

[fractalus]

Theoretically speaking, a secret string in a password and a secret string in a URL should be equivalent, since they both require "something you know". The difference is that URLs are not generally treated as secrets, so your browser handles them differently. Your browser automatically records all URLs, but generally ASKS before remembering passwords. Also, your users may not realize URLs with secrets in them should be treated differently; they may pass the URLs around to their friends without realizing they're supposed to be "secret". Finally, it's usually easier to assign individual passwords to users (and thus revoke them when leaked) than to assign individual URLs to users.

So it depends on your use. It's not always a bad thing, and in environments requiring only minimal security it can be "good enough" in exchange for high convenience. Just don't consider it the same as an actual password.

boobies

[Deadplant]

I've got some +1 informatives to hand out here... somebody go find me some pictures of naked ladies!

Stupid to expect privacy from a phone conversation

[SuperKendall]

But I guess you consider the contents of your phone conversations private.

Why? That makes ZERO sense. Anyone with a scanner used to be able to pick up your cell phone conversation, and today since the signal is digital it's a little harder but the same basic premise still applies - NO phone conversation is encrypted unless you do so yourself. Apart even from freely transmitting your conversation to anyone in range who wants to listen, there's the stuff that happens with your voice signal downstream on the way to where it is going....

Any expectation of privacy from a phone conversation is more a reflection of willful ignorance as to how telephone networks work than any actual basis for belief.

Re:Stupid to expect privacy from a phone conversat

[Atti+K.]

As I said:

Easy to intercept doesn't mean not private (or public).

Private, in this sense, means that it's illegal to intercept my communication (except for lawful interception). I could sue anyone who intercepts my phone calls and uses the obtained information in any way and I become aware of it. This applies to phone, SMS/MMS, email, web activity, whatever. (IANAL, but I guess it could also apply to my WLAN at home) Of course I am aware of the fact that these communication channels are insecure, so I use them accordingly. But if anyone has the means to intercept my communication, it does not mean they can legally do it.

Re:Compromised data is not the same as open publis

[SuperKendall]

I am confident the message I send is intended not to be seen by anyone but who I intended to see it.

I am confident the MMS message I might send is meant to be seen by others.

And that is all the difference. You are nitpicking fine details of the possible security weaknesses, while totally missing the big picture.