General Blackberry forum

  1. #1
    gkast1 (Stack level 6, joined Sep 2007, PIN/ID 244F596F, 2,381 posts)

    Trigger-happy with MMS?


    MMS messages might under certain circumstances be accessible to the whole wide world -- even subject to Google search!

    Before you indulge in sending, shall we say, private-nature photos to Chosen Ones, have a look at the following:


    [ From http://blog.mailchannels.com/2008/07...er-photos.html ]


    O2 Leaking Customer Photos?


    Mobile Network Operators have been providing SMS text messaging capabilities for years, but it's only recently that MMS (Multimedia Messaging Service) enabled cell phones have become more popular. It allows the owner of the phone to take a photo and immediately send it to another MMS-enabled cellphone. So what happens if an MMS-enabled phone sends an e-mail to a non-MMS phone? Well, the mobile operators have thought of that and can host the images on their website and notify the user by text message or e-mail that a new photo is available to view.

    You may assume that if you use this service to send a photo to a friend, your photo is protected and not broadcast for the entire world to see. Unfortunately, this may not be the case if there isn't proper authentication, such as a username and password login, to the mobile network operator's website that's hosting the images, and here's an example of that case.

    Earlier today, we received an e-mail from O2 that was sent to an incorrect recipient. It's quite likely that an e-mail address was entered incorrectly by the person setting up the account. I was surprised that we were able to view the image without having to log in to the website but figured a strict combination of a unique user ID number and unique image ID would be required, making it incredibly difficult to guess. After all, it wouldn't be possible to access these images without receiving a misaddressed e-mail, right? Wrong!

    I looked at the URL in the e-mail and found the only requirement was a 16-digit hex number. It would be quite easy to write a script to try various combinations of 16 hex digits to try and randomly view a photo, but depending on how many photos are being hosted the hit rate could be quite low. Then it struck me that these web pages were wide open to the internet, not requiring any authentication, and at least a handful would quite likely be indexed by Google. Sure enough, I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:


    http://www.google.com/search?hl=en&q=inurl:mms2legacy&start=20&sa=N&filter=0


    Worse still, the majority of the images taken on cameras turn out to be of children. Ironically, O2 has a website dedicated to "Protect Our Children"; well, a good first step would be to avoid leaking customer photos.

    Update: Someone posted this story to the O2 Customer Forum website but the thread has mysteriously disappeared. Hmmm....I wonder why? The thread discussing this in the forum was here but now simply returns "The topic or post you requested does not exist" webpage. Google did manage to grab it....
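
    Added example (Python, not code from the post, from the MailChannels blog or from O2): the insecure "photo by 16-hex-digit id" handler in the shape the quoted post describes, beside a hardened version that requires the viewer to be logged in as the intended recipient, binds an expiring HMAC token to (image, recipient), verifies it in constant time, and marks the response noindex/no-store so a forwarded or misaddressed link cannot end up in a search index. The sample store, e-mail addresses, function names and parameters are assumptions constructed for illustration. The guess_hit_probability helper puts a number on the post's observation that random guessing of a 64-bit id is impractical while search-engine indexing is what makes the leak real.

```python
# Added example, not from the original post or from O2. Names, the sample store
# and the addresses below are assumptions constructed for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Server-side signing key; a real deployment loads this from a secret store.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample store: 16-hex-digit image id -> (intended recipient, image bytes).
PHOTOS = {
    "3fa9c2e17b04d6a8": ("alice@example.com", b"\x89PNG sample photo 1"),
    "0123456789abcdef": ("bob@example.com", b"\x89PNG sample photo 2"),
}


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: dict = field(default_factory=dict)


def vulnerable_view(image_id: str) -> Response:
    """The shape the post describes: the only input is the 16-hex-digit id.

    No login, no check that the viewer is the intended recipient, and nothing
    that stops a crawler which finds the link in a forwarded mail from indexing it.
    """
    photo = PHOTOS.get(image_id)
    if photo is None:
        return Response(404)
    return Response(200, photo[1])


def guess_hit_probability(n_hosted: int) -> float:
    """Chance that one random 16-hex-digit guess lands on a hosted image.

    There are 16**16 = 2**64 possible ids, so even millions of hosted photos
    leave a single guess with a vanishingly small hit rate; the practical
    exposure came from indexing, not brute force.
    """
    return n_hosted / 16 ** 16


def make_share_link(image_id: str, recipient: str, ttl_seconds: int,
                    now: Optional[int] = None) -> dict:
    """Mint an expiring capability bound to (image, recipient).

    token = HMAC-SHA256(key, image_id | recipient | expires). The link carries
    all four fields, so a changed recipient or a pushed-out expiry no longer verifies.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{image_id}|{recipient}|{expires}".encode()
    token = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return {"image_id": image_id, "recipient": recipient,
            "expires": expires, "token": token}


def hardened_view(params: dict, session_user: Optional[str],
                  now: Optional[int] = None) -> Response:
    """Serve the photo only to the logged-in intended recipient holding a valid link."""
    now = int(time.time()) if now is None else now
    image_id = params.get("image_id", "")
    recipient = params.get("recipient", "")
    try:
        expires = int(params.get("expires", 0))
    except ValueError:
        return Response(400)

    # 1. The viewer must be logged in as the person the photo was sent to.
    if session_user is None or session_user != recipient:
        return Response(403)

    # 2. The link must not have expired.
    if now >= expires:
        return Response(403)

    # 3. The token must verify; constant-time compare avoids a timing oracle.
    msg = f"{image_id}|{recipient}|{expires}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("token", "")):
        return Response(403)

    # 4. Only now touch the store, and confirm the id really belongs to this recipient.
    photo = PHOTOS.get(image_id)
    if photo is None or photo[0] != recipient:
        return Response(404)

    # 5. Keep crawlers and shared caches from retaining a copy.
    headers = {"X-Robots-Tag": "noindex, nofollow",
               "Cache-Control": "private, no-store"}
    return Response(200, photo[1], headers)
```

    The two defences are independent: the login check alone would have stopped the misaddressed e-mail from being useful to a stranger, and the bound, expiring token alone would have kept an indexed link from working after its window closed; together a leaked URL is worthless to anyone but the recipient, and only briefly to them.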

  2. #2
    gkast1 (Stack level 6, joined Sep 2007, PIN/ID 244F596F, 2,381 posts)
    Update: I tried the suggested search and did come up with personal photos (fortunately, not NSFW). The second time I tried it I got fewer hits. I should hope O2 is busy fixing this up... but the issue of course is broader.

  3. #3
    ssnxp (Device Pro, joined Jul 2007, 1,679 posts)
    That's kind of scary. Good thing we have secure emails..

    But seriously, lock your phones. Delete or move "sensitive" materials off of your phones. Someone I know found a phone the other day, and you'd be surprised what they saw in it..

  4. #4
    jonnyxedge (Stack Professional, joined Nov 2006, PIN/ID 28A4ED28, 3,945 posts)
    I work in the mobile industry and sometimes when you open the phone and see their wallpaper or their screen saver comes up....wow

    I'm to the point that I usually ask if there are any surprises.
