Slashdot Mirror


Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos

fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?

8 of 94 comments

  1. Careful by phantomfive · Score: 5, Informative

    Be careful when using this vulnerability... depending on your purpose in using it, you could be literally committing a crime. If you download the images by modifying the URL... people have gone to jail for that.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Careful by phantomfive · Score: 5, Informative

      I think you're trolling, but this guy went to jail for running almost the exact same script as is found in the article. This guy didn't even have malicious intent when he modified the URL, and he was still convicted.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Careful by phantomfive · Score: 2

      That's a really weird request, but the relevant law is the Computer Fraud and Abuse Act, 18 U.S.C. 1030

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Careful by phantomfive · Score: 2

      That's cool. I'm not under the jurisdiction of USA.

      That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Careful by CaptainDork · Score: 2

      No.

      The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?"

      There is, and a person doesn't even have to be logged in to view those photos.

      There's nothing illegal about that. The photo at 21470800 has no accompanying narrative that even hints that a person should not be there.

      Most people on /. are familiar with the Computer Fraud and Abuse Act, 18 U.S.C. 1030 and it does not apply here.

      The author applied due diligence and more than enough fair warning. Customers have a right to know and the site consented by omission and failure to act.

      Thanks for playing.

      --
      It little behooves the best of us to comment on the rest of us.
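The pattern CaptainDork describes (a photo URL ending in a sequential number, served with no login) is the thing a vendor has to design out. As an added example, not code from the article or from Artisan State, here is a hardened handler that serves photos only by an unguessable per-photo token and only to the owning account, plus a small detector that flags clients walking consecutive numeric ids in an access log. The store, tokens, client addresses and log lines are all constructed sample data.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample store: sequential database ids like the "21470800" in the
# thread, each mapped to its owning account and to an unguessable token that is
# the only identifier ever placed in a URL.
PHOTOS = {
    21470799: {"owner": 7, "token": "constructed-token-A", "blob": b"jpeg-A"},
    21470800: {"owner": 7, "token": "constructed-token-B", "blob": b"jpeg-B"},
    21470801: {"owner": 9, "token": "constructed-token-C", "blob": b"jpeg-C"},
}
TOKEN_INDEX = {p["token"]: pid for pid, p in PHOTOS.items()}


def new_photo_token():
    # Token to store with a newly uploaded photo: 24 random bytes, 32 URL-safe chars.
    return secrets.token_urlsafe(24)


def serve_photo(token, session_user):
    # Hardened handler: no session -> 401; unknown token or someone else's
    # photo -> the same 404, so a caller learns nothing about which ids exist.
    if session_user is None:
        return 401, b""
    pid = TOKEN_INDEX.get(token)
    if pid is None or PHOTOS[pid]["owner"] != session_user:
        return 404, b""
    return 200, PHOTOS[pid]["blob"]


SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    "203.0.113.5 - GET /photo/21470799 200",
    "203.0.113.5 - GET /photo/21470800 200",
    "203.0.113.5 - GET /photo/21470801 200",
    "198.51.100.9 - GET /photo/21470800 200",
]
LOG_RE = re.compile(r"^(\S+) \S+ GET /photo/(\d+) (\d{3})$")


def sequential_id_scanners(log_lines, threshold=3):
    # Flag clients whose requested numeric ids form a run of consecutive values
    # at least `threshold` long. Returns {client: longest_run}.
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged[client] = best
    return flagged
```

Legacy numeric URLs would need to be retired or redirected through the same ownership check, and the detector is a starting point for alerting, not a replacement for the authorization check.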
  2. Full Disclosure is the only way... by Midnight_Falcon · Score: 2

    I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc. etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.

    Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.

    Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.

  3. Handled very well ... by CaptainDork · Score: 4, Insightful

    ... plenty of lead time and followup.

    These issues need to be publicized when the hosting site doesn't give a fuck. Customers have a right to know.

    --
    It little behooves the best of us to comment on the rest of us.
  4. publish by frovingslosh · Score: 2

    After being arrested, tortured and killed for trying to alert an on-line service to their vulnerability due to poor design, I no longer try to contact vendors directly. I now publish the information in great detail to pirate sites, and I have found that this will get the attention of the company much better than trying to alert them quietly.

    --
    I'm an American. I love this country and the freedoms that we used to have.