Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy

It's Not Just O2 Leaking MMS Messages 105

wiedzmin writes "A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However a quick internet search shows that other mobile server providers, including those located in US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."
This discussion has been archived. No new comments can be posted.

It's Not Just O2 Leaking MMS Messages

Comments Filter:
  • In the title (Score:5, Informative)

    by szo ( 7842 ) on Monday July 21, 2008 @06:22AM (#24271673)

    It should be O2 (Oh 2), not 02 (zero 2)...

    • Re: (Score:1, Funny)

      by Anonymous Coward

      It should be O2 (Oh 2), not 02 (zero 2)...

      Yeah, that made me say "oh" too.

  • robots.txt (Score:5, Funny)

    by 4D6963 ( 933028 ) on Monday July 21, 2008 @06:23AM (#24271687)
    I feel a great disturbance in the Internet, as if millions of webmasters suddenly cried out in terror and suddenly updated their robots.txt file.
    • Re:robots.txt (Score:5, Insightful)

      by fluch ( 126140 ) on Monday July 21, 2008 @06:28AM (#24271717)

      Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

      • by 4D6963 ( 933028 ) on Monday July 21, 2008 @06:32AM (#24271753)

        Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

        Hey, thanks for ruining the joke, jerk :-(

      • Re: (Score:1, Interesting)

        Updating the robots.txt is not a security measure. The web servers should never reveal the MMS without authentication in the first place.

        Even so, is it a wise idea to be thinking of MMS as 'private'? There's no verification of the recipient. What if you accidentally pick the wrong number from cellphone contacts? What if you put the wrong number in your contacts in the first place?

        Plus, these things aren't sent using SSL.

        Knowing that MMS are sent using an insecure, public network, you should not be thinking of these things as 'private'. Just like the stupid myspace users who think their 'friends only' profiles are private.

        • Re:robots.txt (Score:4, Insightful)

          by Atti K. ( 1169503 ) on Monday July 21, 2008 @07:31AM (#24272135)

          Knowing that MMS are sent using an insecure, public network, you should not be thinking of these things as 'private'. Just like the stupid myspace users who think their 'friends only' profiles are private.

          Easy to intercept doesn't mean not private (or public). Are your phone conversations encrypted? Sure they are on the air interface, but not in the operator's core network or on the links between different operators. But I guess you consider the contents of your phone conversations private.

          • I don't talk about anything very private on an unsecure line. E.g., I refuse to disclose my social security number and other private data over the phone.

            • Re: (Score:3, Insightful)

              by fbjon ( 692006 )
              Credit card numbers and other details are only a small part of privacy. Would you be alright with anyone being able to listen to casual conversations or messages? Would you speak freely, or keep in mind at all times that you're not alone? I like my privacy, thank you very much, and violations of it are violations regardless of actual damages.
          • But I guess you consider the contents of your phone conversations private.

            Why? That makes ZERO sense. Anyone with a scanner used to be able to pick up your cell phone conversation, and today since the signal is digital it's a little harder but the same basic premise still applies - NO phone conversation is encrypted unless you do so yourself. Apart even from freely transmitting your conversation to anyone in range who wants to listen, there's the stuff that happens with your voice signal downstream on th

            • Re: (Score:3, Insightful)

              by Atti K. ( 1169503 )
              As I said:

              Easy to intercept doesn't mean not private (or public).

              Private, in this sense, means that it's illegal to intercept my communication (except for lawful interception). I could sue anyone who intercepts my phone calls and uses the obtained information in any way and I become aware of it. This applies to phone, SMS/MMS, email, web activity, whatever. (IANAL, but I guess it could also apply to my WLAN at home) Of course I am aware of the fact that these communication channels are insecure, so I use them accordingly. But if anyone has the means to intercep

              • Private, in this sense, means that it's illegal to intercept my communication (except for lawful interception).

                That is, simply put, the most bullshit explanation of "expectation of privacy" I have ever heard. It is simply astounding to think that just because something is technically illegal to do, it will not be done and you can rely on it in any way to protect you - it's as foolhardy a measure as the record studios relying on DRM to stop media from being pirated, because it would be illegal to bypass!

                The

                • The funny thing is, your definition of privacy is really an attempt to stop a single party (the government) from listening in on your conversation, when they are in fact the least likely to ever pay attention to anything you ever do.

                  In fact, my "definition" of privacy was an attempt to stop everyone else except that single party (I would call it law enforcement) from listening on to my conversations. Because, whether we like it or not, they can do it, if they have a good enough reason (=warrant). Any operator is required to implement lawful interception to get a license. But you're right, they are the least interested in my bullshit, until I don't break the law. So whatever, like I said, treat these channels as insecure, and you are le

                  • Regarding the MMS bug

                    That's my whole point, there is no bug. The fact people can see these messages? Not a bug, it's a FEATURE in how MMS works. An irreplaceable, non-changeable feature. This is not a bug that can be "fixed" as it's a part of how MMS works for people today. People WANT the people they send images to be able to see them - public web links are how modern MMS makes that happen. A side effect is that anyone can see them. A few links originally posted non-viewable now? Not a permanent ch

            • by pheede ( 37918 )

              Well, that's really not correct.

              Conversations on GSM cell phone networks are encrypted from phone to tower, albeit with a craptastic and weak encryption algorithm [wikipedia.org]. If the designers of the GSM system had done their work better and/or not bowed to pressure to intentionally weaken the algorithm, we could have had great encryption for the majority of the cell phone usage in the world today.

              Of course this only protects from phone to tower, and it's a weak protection against sufficiently determined attackers, but

              • To my mind weak encryption like that is basically no encryption. Anyone going to the trouble of building a scanner is going to work around that, I don't think the barrier is all that much higher than it was when you had to get a scanner at all to receive cell phone frequencies before.

                While you're right they could have made the segment to the tower decently protected, they did not do so and thus I still maintain any thought of privacy over such a line makes no sense.

                • To my mind weak encryption like that is basically no encryption.

                  While you're right they could have made the segment to the tower decently protected, they did not do so and thus I still maintain any thought of privacy over such a line makes no sense.

                  GSM was designed in the 80s. Did we have back then the technology powerful enough to do strong crypto in the handsets and still not drain the battery in 5 minutes?

                  Hell no!

                  GSM wasn't even expenced to be around so long. Want a more secure radio interface? Use 3G or CDMA.

  • by ilovegeorgebush ( 923173 ) * on Monday July 21, 2008 @06:28AM (#24271725) Homepage

    In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent

    This was the same with the O2 MMS leak over the weekend. Google's cache was showing the mobile number from which the MMS originated - highly controversial IMO.

    • by tgd ( 2822 )

      Why is it controversial? Because they were leaking it or because its there?

      If I have to look at a web page to view an MMS, I'd expect the phone number to be there. It would be if it was on my phone!

      Personally I'd rather them use a robots.txt appropriately and keep the URLs randomized with an appropriate GUID but stop doing any authentication. The iPhone's lack of MMS, for example, would be dramatically less of a big deal if they would text me a damn URL to go straight to it rather than texting me a login pa

      • My comment regarding the controversies is that Google's cache still had the info, even after O2 had moved the URIs. Furthermore, it was a grave oversight to allow them to be indexed in the first place.

        Personally I'd rather them use a robots.txt appropriately and keep the URLs randomized with an appropriate GUID but stop doing any authentication. The iPhone's lack of MMS, for example, would be dramatically less of a big deal if they would text me a damn URL to go straight to it rather than texting me a login

        • by tgd ( 2822 )

          That's because you value your laziness more than your privacy.

          No, its because I know if someone wants to tell me something privately, they better say it to my face. Do you think there's any privacy in anything you do over a cell phone? The only privacy you have is because no one gives a shit about you and what you're doing, not because of anything inherent in the technology.

          So if you want to term "being able to effectively use" as being "lazy", that's your prerogative, I suppose, but you may want to loosen the tinfoil.

          • by ilovegeorgebush ( 923173 ) * on Monday July 21, 2008 @08:21AM (#24272709) Homepage
            Just because you believe someone should tell you something privately, doesn't mean they will. People were sending each other pictures of their newborns - in the belief, I'm sure, that it was private - and they were openly exposed by Google's cache because of the stupidity of the O2 developers.

            I agree, I'd very much like the applications I use to be effective and simple in use, but not at the cost of privacy or security. I'm willing to bet I'm not alone in this view.

            Anyhow, we digress. The fact is: robots.txt is a directive to specific clients - namely thsoe that are automated, a.k.a search engines or bots -- to not index the page. They are NOT a security measure. Far too many automated services ignore robots.txt and index anyway; hence the reason it shouldn't be used to protect personal information like you're suggesting. Furthermore, randomising URIs using GUIDs defeats your whole usability/ease-of-use argument.

            Sorry, but you're just plane wrong.
            • Re: (Score:3, Insightful)

              by digitig ( 1056110 )

              Just because you believe someone should tell you something privately, doesn't mean they will. People were sending each other pictures of their newborns - in the belief, I'm sure, that it was private - and they were openly exposed by Google's cache because of the stupidity of the O2 developers.

              In my experience of parents, they will show pictures of their newborns to anybody who doesn't run away fast enough. O2 could have publicised this as a customer feature -- it's the people who hack in to get the pictures who lose out here.

              • Re: (Score:3, Insightful)

                The example you use is when the parents are aware of the sharing and give their consent. This is not the case with the issue at hand.
          • by fbjon ( 692006 )
            You give only two options, a) that nobody gives a shit so there's no privacy loss, and b) if it's important, you wouldn't use phone lines in the first place. But that's not quite the situation. Here we have a medium that's supposed to be private (as in not public) by law, and suddenly hordes of people can browse in at their leisure, whether they give a shit or not. That's bad in my books.
      • The iPhone's lack of MMS... ...rather than texting me a login page with a "username" and "password" to login with that I can't cut and paste.

        That's because you value your laziness more than your privacy.

        The iPhone can cut and paste now?

        • Oops! It started with me almost quoting and replying to the wrong post and ended with me not trimming the quote properly, which I then cut and pasted into a reply to the CORRECT post.

          I guess you all know what I value most, now. :)

          • But did you do the cut/paste thing with your iPhone?

            • No. I don't own an iPhone. I won't own an iPhone until it can cut and paste (and not require severe hacking to be usable). Even if I did own an iPhone, I couldn't have done the cut/paste with it; the iPhone still can't cut and paste.

              But it does blend.

  • by drx ( 123393 ) on Monday July 21, 2008 @06:30AM (#24271731) Homepage

    Most users i looked at seem to send around pictures of houses and cars they are planning to buy. Or maybe the want to sell them. In any case, looks like the US economy is not THAT bad.

    • Re: (Score:3, Insightful)

      Sorry, but they're actually pictures of houses they're planning to rob, and cars they're planning to steal.

      Just did a search and some of them seem to be returning errors now - nothing like getting your problems published on slashdot to motivate people to fix them!

      So are these services purely to allow people with MMS-incapable phones to see messages (I remember getting an SMS with a URL to view the message once upon a time with Telstra), or for sharing them?

      If it's the former then requiring authentication mi

      • I used to have URLs sent to me when I couldn't send/receive MMS. It's purely for viewing them, not to share - they'd rather you forwarded the MMS and spent money.
      • by Dan541 ( 1032000 )

        If it's the former then requiring authentication might be possible, but that'd be a real pain for the latter. Having random, unguessable paths as unique keys is about all you can do without crippling the ability to share them.

        I'd rather recive pictures via email than use link to someone else's server.

      • Just did a search and some of them seem to be returning errors now - nothing like getting your problems published on slashdot to motivate people to fix them!

        Not only some of them - in sprint's case it now appears to be all of them: From Sprint [sprintpcs.com]:

        The site is temporarily unavailable due to routine maintenance and enhancements. We apologize for the inconvenience. Please come back soon!

        Looks like the voyeur in all of us (come on, admit it) will have to search for other freely available, published invasions of privacy.

    • by Curtman ( 556920 )

      looks like the US economy is not THAT bad.

      No, the foreclosures are just happening THAT fast.

      • by drx ( 123393 )

        Too bad "maintainance" has kicked in. Okay people, where is the link to the page with all the pictures downloaded by a Perl script you wrote??

  • that's why (Score:2, Funny)

    by amnezick ( 1253408 )
    i use e-mail instead
    • by Ilgaz ( 86384 )

      What about getting service from a non idiotic company who knows how web works? That is another solution :)

      Just using e-mail would be great if everyone had e-mail account, they have configured their phone and they get service from a company doesn't rob them for every single KB of data coming to device.

      Yesterday I sent MMS to a plumber I know to give a clue about the "disaster" so he could get right tools. Now, that guy will have a perfectly setup IMAP mail account, I will know that mail, I will leak my mail

      • What about getting service from a non idiotic company who knows how web works? That is another solution :)

        Ideally, that would be a solution. In reality...

      • Just using e-mail would be great if everyone had e-mail account,

        The last few plumbers I used all did.

        Yesterday I sent MMS to a plumber

        And how many plumbers have MMS phones? Why is THAT expectation more rational than email?

        Funny thing is, the web based mms stupid idea was just about to disappear... It was designed for times that everyone didn't have MMS enabled phones... Now iPhone shipped without MMS!

        And you expect that to not hasten the demise of SMS how again?

        • by Ilgaz ( 86384 )

          "and how many plumbers have MMS phones? Why is THAT expectation more rational than email?"

          that is my point. I just know he had a colour screen phone and with my provider, everyone gets MMS configuration automatically, I know he will be able to receive it. I got his number, there is a thing called "MMS standard", I send him a basic graphic that _I_ pay to send without causing inconvenience.

          It is really absurd to defend a standard like MMS. It is _minimum_ standard, it is convenient, designed by Telcos and GS

  • by fabs64 ( 657132 ) <beaufabry+slashdot,org&gmail,com> on Monday July 21, 2008 @06:49AM (#24271863)
    ASF Files containing URL's meant to be auto-followed, large telecoms publishing "private" messages on the public-accessible net.

    Neither of these are old enough for the "it was before we knew" excuse, so wtf is going through these guys heads?
    • If other companies are anything like where I work, it's probably a case of the IT guys knowing "just enough." A lot of our sys admins know enough to manage a windows/linux/solaris server, but they don't know enough to do it 100% correctly. They don't have any formal training, just years and years of experiencing learning different things. The problem is that they didn't have a strong core to build upon.

      Or take our software engineers (no really, please do), who know enough to write code that works, but don

  • Profit! (Score:5, Funny)

    by wjhoffman1983 ( 1145155 ) on Monday July 21, 2008 @07:00AM (#24271929)

    1) Take naked picture of self
    2) Send to SO
    3) Find on internet
    4) Sue
    6) PROFIT!

  • WTF?? (Score:4, Funny)

    by plazman30 ( 531348 ) on Monday July 21, 2008 @07:33AM (#24272145) Homepage

    5 pages of URLs and not a single nude picture! How is that possible??

  • by teshuvah ( 831969 ) on Monday July 21, 2008 @07:49AM (#24272335)
    At least we know AT&T isn't leaking our MMS messages.
    • Re: (Score:3, Insightful)

      by db32 ( 862117 )
      Of course they aren't. They had to redesign their network for the wiretaps.
  • by flux ( 5274 ) on Monday July 21, 2008 @08:14AM (#24272617) Homepage

    And how do search engines find the pages? Not likely via links, or if they do, what's wrong with that? I believe the most plausible explanation is that the viewers of such pages are using Google Toolbar or a similar tool, which I believe can report (reports all the time?) viewed pages to Google, so it can index then, even if they don't have any inbound links.

    The lack of robots.txt is an oversight, though.

    But why should a secret URL not be a decent security feature? Especially if they don't have outbound links that could put them into another server's log in the form of the Referer-field of the header. Why is it an advantage that part of the URL is moved to web page credentials? The pages themselves can still be in plain text (or are they SSL-protected?) and any system between the client and the server can see the credentials no matter where they are put. There is the slight difference that a server more commonly logs only the URL, not the password, but that's just another configuration issue and not in my opinion any real security; an attacker could modify the web server produce any kinds of logs he wanted.

    I did try, with one such URL, to find its inbound link with Google's linkto-search, but found nothing. This does suggest a tool such as Google Toolbar or manual page entry was used to get the pages in. The low number of images found this way suggests this too.

    If the providers had a page that linked to all the MMS images that way, now that would have been a grave mistake. But relying on secret URLs on a plain text medium in any case, is not. The search engines have no magic fairy dust in them to help them find such pages - and they sure aren't brute forcing the web..

    • by IceCreamGuy ( 904648 ) on Monday July 21, 2008 @08:33AM (#24272831) Homepage

      But why should a secret URL not be a decent security feature?

      You seem to be a proponent of security through obscurity; please hand over your /. gun and turn in you nerd badge.

      Seriously though, when I take a picture on my mobile phone and upload it to my provider's site, I feel like it's understood that someone would need a password to see my media. Hiding a password in a URL isn't an option because of the reason you so clearly outlined with services like Google Toolbar.

      • Re: (Score:2, Insightful)

        by flux ( 5274 )

        What is username/password if not security via obscurity then? You can brute force them just as easily you can brute force an URL.

        How can it be the service provider's fault that the viewer of the media openly sends information on the pages to the world?

        And this MMS-hole is as old as MMS is; when MMS-messages weren't supported by all the phones (I suppose that can be the case today too), an SMS with the URL was sent instead. No username/password was associated with the service provider, you had your phone num

        • What is username/password if not security via obscurity then? You can brute force them just as easily you can brute force an URL.

          Fair enough, the more I think about it the more I understand your point.

          • by fractalus ( 322043 ) on Monday July 21, 2008 @11:15AM (#24275751) Homepage

            Theoretically speaking, a secret string in a password and a secret string in a URL should be equivalent, since they both require "something you know". The difference is that URLs are not generally treated as secrets, so your browser handles them differently. Your browser automatically records all URLs, but generally ASKS before remembering passwords. Also, your users may not realize URLs with secrets in them should be treated differently; they may pass the URLs around to their friends without realizing they're supposed to be "secret". Finally, it's usually easier to assign individual passwords to users (and thus revoke them when leaked) than to assign individual URLs to users.

            So it depends on your use. It's not always a bad thing, and in environments requiring only minimal security it can be "good enough" in exchange for high convenience. Just don't consider it the same as an actual password.

      • You seem to be a proponent of security through obscurity; please hand over your /. gun and turn in you nerd badge.

        But if he puts his hand over his slashdot gun in the presence of mobile photos, it's likely to go off! You're putting the whole community in danger!

    • The lack of robots.txt is an oversight, though.

      I wouldn't say lack:
      http://pictures.sprintpcs.com/robots.txt [sprintpcs.com]

      As you said yourself, the low number of hits suggests that these pages are not being indexed in the normal fashion. The fact that there are only 108 hits from a network with over 50 million subscribers is a pretty good hint that the robots.txt is functional.

      Its just that it doesn't guarantee 100% that your stuff will stay hidden.

  • Oh my god, google leaked private picasa photo albums : http://www.google.com/search?q=picasaweb.google.lt+inurl:authkey&hl=en&filter=0 [google.com]
  • boobies (Score:4, Funny)

    by Deadplant ( 212273 ) on Monday July 21, 2008 @09:07AM (#24273333)

    I've got some +1 informatives to hand out here... somebody go find me some pictures of naked ladies!

  • I don't have MMS on my Sprint plan, but people sometimes send me them. When that happens, I just get a link I put in my browser.

    I was always a little disheartened that I didn't have to authenticate myself

  • Fortunately, you're also able to reply straight from the Sprint web interface. Let the customers know that Sprint is leaking pictures this way.
    Let it get media attention!

    You can even get the full resolution pictures by editing the URL for the photos: http://pictures.sprintpcs.com/mmps/IDENTIFIER_GOES_HERE/2.jpg?partExt=.jpg&&&outquality=100&ext=.jpg&&limitsize=8000,8000&squareoutput=255,255,255 [sprintpcs.com]
    If the original is smaller than 8000x8000, you'll get the picture in the original r
  • People - MMS messages are simply open, and that's all there is to it. You cannot expect people to authenticate to view them, as the best you could hope for is some wonky one-time password sent along with the message there was an MMS they could look at, and which users would not stand for. You have to let them be viewed on the web because a number of phones (not just the iPhone) do not support MMS or even images. Since all you have is a number you are sending it to you don't necessarily have a good email

    • by ivan256 ( 17499 )

      Meanwhile I can always send users a picture by email with confidence that picture is not anywhere on the web.

      That's [computerworld.com] pretty [cnn.com] funny [betanews.com].

      • Oh you joker!

        Compromised systems where you store data is a totally different issue than designing a system where anything you transmit is put up for the world to see. One is a bug, one is by design...

        Generally my statement holds true - at any given moment I may send an email with confidence there is not a link the general public may use to view it easily, which will never ever be the case with MMS - because that's just how it works.

        • I wasn't joking, and you're wrong.

          You can be 100% certain that your MMS message is open to the world to see, sure. But you can never be 100% certain that your e-mail message is not visible to the general public unless you encrypt it, because you have no control over the transmission or the receiving server.

          If you are confident that the unencrypted e-mail you send is only visible to the intended recipient, you are (and there's no nice way to say this) a fool.

          • Re: (Score:3, Insightful)

            by SuperKendall ( 25149 )

            I am confident the message I send is intended not to be seen by anyone but who I intended to see it.

            I am confident the MMS message I might send is meant to be seen by others.

            And that is all the difference. You are nitpicking fine details of the possible security weaknesses, while totally missing the big picture.

          • Private != secure most of the time. Sad but true.
    • by yermej ( 985079 )

      You cannot expect people to authenticate to view them, as the best you could hope for is some wonky one-time password sent along with the message there was an MMS they could look at, and which users would not stand for.

      This is exactly what ATT does with MMS messages I've received. I guess it could be seen as annoying, but it seems better than the alternatives. You could even argue that they want it to be annoying. I would imagine that people who complain are told it's for security purposes and to make thi

  • http://blog.mailchannels.com/2008/07/update-o2-leaking-customer-photos.html [mailchannels.com]

    Now that O2's MMS servers are offline, it's safe for us to announce a more serious vulnerability that permitted the easy discovery of thousands of truly private MMS messages including videos. See the blog link for more details.

  • Careful: I did a bunch of searches with the inurl command on Sprint's site, and three hours later my users on my NAT'ed network were being challenged with CAPTCHAs on Google!

    They were getting the message

    We're sorry... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

    along with being asked to fill out a CAPTCHA each. Thy were suspicious of filling it out, didn't know what to do and called the help desk!

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...