Yesterday's InformationWeek had an article about how cellphone pictures sent via MMS (Multimedia Messaging Service) by customers of U.K. mobile network Operator O2 are winding up available via Google search pages. The article, titled Picture Leak: O2's Security Through Obscurity Can't Stop Google, explains that O2 provides a fallback for customers who try to send photos from their cellphone to cellphones that don't support MMS, namely they post the photos online and then send the recipient a URL to the picture via email. For security, each URL includes a 16-hex-digit (64-bit) hex digit message ID. The "problem", as they breathlessly explain it, is that some of these URLs are getting indexed by Google, and can be discovered by performing a search with the inurl: search type.
The whole thing is much ado about nothing — further investigation shows that the reason a handful of these "secret" URLs wound up in Google is that people were using MMS to post photos directly to their public photo-blogs. While it's not the case here, I do have to wonder at the charge that secret URLs are somehow just security through obscurity, which usually refers to a system that is secure only as long as its design or implementation details remain secret. That's not the case here — even a modest 16-hex-digit ID is about as difficult to guess as a random ten-character password containing numbers and upper & lowercase letters. What can be a risk is that people and programs are used to URLs being public knowledge, and so sometimes they aren't safeguarded as well as one might safeguard, say, his bankcard PIN number. On the plus side, unguessable URLs can easily be made public when it's appropriate, for example when posting to your photo blog from your O2 cellphone. Now if only we could selectively prevent clueless reporters trying to write scare-stories from finding them...
Posted by bug to Security at July 22, 2008 10:31 AM | TrackBackThe full details of the vulnerability was not disclosed while the MMS servers were still online. The MMS messages were accessible as the URLs were publicly available in the Tomcat Status page. As access to the URLs didn't require a login and appeared on a page anyone could access from the internet it represented a serious information disclosure.
http://blog.mailchannels.com/2008/07/update-o2-leaking-customer-photos.html
The full details of the vulnerability was not disclosed while the MMS servers were still online. The MMS messages were accessible as the URLs were publicly available in the Tomcat Status page. As access to the URLs didn't require a login and appeared on a page anyone could access from the internet it represented a serious information disclosure. This details are explained on the mailchannels blog.
O2 MMS messages were available to view since they failed to secure the JBoss/Tomcat Status page. This wasn't disclosed at the time as the media server was live and still vulnerable. You can read the full details on the mailchannels blog if you wish. Sorry if I've submitted multiple comments but they weren't published, perhaps they're waiting your approval?
Posted by: David at July 22, 2008 5:22 PM