That's a very valid point! However, I'll update the blog next week with details of the incredibly simple way I was able to determine the encMmsId string. I'd like to hear some type of response from O2 first, i.e. do they believe there is a problem? If so, when do they plan to fix it? What steps will be taken to fix it?
Even if O2 did prevent indexing of these webpages, the leak still exists. I'm able to find keys due to a security hole in O2's servers and I'll update the blog with the full details after giving O2 time to respond.
Here's an example if you don't believe me:
http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do?encMmsId=66544E5699B42021
You will NOT find that indexed on Google or any other web search.
I'm the author of the post. It's true that there are 10^19 combinations if the 64-bit "keys" are secure and generated with a good PRNG.
As I'm able to access the "keys" (without using any type of web-based search) directly from O2 due to a security hole, it entirely circumvents the URL-based authentication. I don't even need to guess any keys!
I will update the blog next week with details of the full attack but I'd like to give O2 some time to fix this.