Slashdot Mirror


It's Not Just O2 Leaking MMS Messages

wiedzmin writes "A recently publicized issue with the UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However, a quick internet search shows that other mobile server providers, including those located in the US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."

7 of 105 comments

  1. In the title by szo · · Score: 5, Informative

    It should be O2 (Oh 2), not 02 (zero 2)...

    --
    Red Leader Standing By!
  2. robots.txt by 4D6963 · · Score: 4, Funny

    I feel a great disturbance in the Internet, as if millions of webmasters suddenly cried out in terror and suddenly updated their robots.txt file.

    --
    You just got troll'd!
    1. Re:robots.txt by fluch · · Score: 5, Insightful

      Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

    2. Re:robots.txt by 4D6963 · · Score: 5, Funny

      Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

      Hey, thanks for ruining the joke, jerk :-(

      --
      You just got troll'd!
  3. Profit! by wjhoffman1983 · · Score: 5, Funny

    1) Take naked picture of self
    2) Send to SO
    3) Find on internet
    4) Sue
    6) PROFIT!

    1. Re:Profit! by maglor_83 · · Score: 4, Funny

      For all you know, the parent is a sexy bitch with big titties.

      In this case, one out of two IS bad.

  4. Secret URL as a security feature by flux · · Score: 5, Insightful

    And how do search engines find the pages? Not likely via links, or if they do, what's wrong with that? I believe the most plausible explanation is that the viewers of such pages are using Google Toolbar or a similar tool, which I believe can report (reports all the time?) viewed pages to Google, so it can index them, even if they don't have any inbound links.

    The lack of robots.txt is an oversight, though.

    But why should a secret URL not be a decent security feature? Especially if they don't have outbound links that could put them into another server's log in the form of the Referer-field of the header. Why is it an advantage that part of the URL is moved to web page credentials? The pages themselves can still be in plain text (or are they SSL-protected?) and any system between the client and the server can see the credentials no matter where they are put. There is the slight difference that a server more commonly logs only the URL, not the password, but that's just another configuration issue and not in my opinion any real security; an attacker could modify the web server to produce any kind of logs he wanted.

    I did try, with one such URL, to find its inbound link with Google's linkto-search, but found nothing. This does suggest a tool such as Google Toolbar or manual page entry was used to get the pages in. The low number of images found this way suggests this too.

    If the providers had a page that linked to all the MMS images that way, now that would have been a grave mistake. But relying on secret URLs on a plain text medium in any case, is not. The search engines have no magic fairy dust in them to help them find such pages - and they sure aren't brute forcing the web.
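
The thread above argues over whether a secret URL can stand in for authentication and how such URLs end up indexed or in Referer logs. The following is an added example, not part of any commenter's post and not any operator's code: a sketch of a signed, expiring MMS view link whose response headers address those two leak paths. The `/mms/` path, the `exp` and `sig` parameter names, the one-week lifetime and the function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed names and values for this sketch; none come from a real operator.
SECRET_KEY = secrets.token_bytes(32)   # stays on the server, never in a URL
TOKEN_TTL = 7 * 24 * 3600              # assumed lifetime: links die after a week

# Sent with every successful view: keep the page out of search indexes and
# caches, and stop the browser from sending the URL on as a Referer.
VIEW_HEADERS = {
    "X-Robots-Tag": "noindex, noarchive",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "private, no-store",
}


def _sign(message_id, expires):
    """HMAC over the message id and expiry, so neither can be altered."""
    msg = f"{message_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_view_path(message_id, now=None):
    """Build the path that goes into the notification SMS or e-mail."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL)
    return f"/mms/{message_id}?exp={expires}&sig={_sign(message_id, expires)}"


def check_view_request(message_id, exp, sig, now=None):
    """Return (HTTP status, response headers) for a request to view a message."""
    now = time.time() if now is None else now
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return 403, {}
    expected = _sign(message_id, expires)
    # Compare as bytes in constant time; a non-ASCII sig must not raise.
    if not hmac.compare_digest(expected.encode(), str(sig).encode()):
        return 403, {}
    if now > expires:
        return 410, {}   # link was valid once but has expired
    return 200, dict(VIEW_HEADERS)
```

A link built this way is still a bearer secret: anyone who obtains it can view the message until it expires, which is the gap that the authentication called for in the first reply closes.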