Mobile Network Operators have been providing SMS text messaging capabilities for years, but it’s only recently that MMS (Multimedia Messaging Service) enabled cell phones have become more popular. MMS allows the owner of a phone to take a photo and immediately send it to another MMS-enabled cellphone. So what happens if an MMS-enabled phone sends an e-mail to a non-MMS phone? Well, the mobile operators have thought of that: they can host the images on their website and notify the user by text message or e-mail that a new photo is available to view.

You may assume that if you use this service to send a photo to a friend, your photo is protected and not broadcast for the entire world to see. Unfortunately, this may not be the case if the mobile network operator’s website hosting the images lacks proper authentication, such as a username and password login. Here’s an example of that case…

UPDATE – Full details of O2 MMS vulnerability revealed. Click here to read our latest blog post on this

Earlier today, we received an e-mail from O2 that was sent to an incorrect recipient. It’s quite likely that an e-mail address was entered incorrectly by the person setting up the account. I was surprised that we were able to view the image without having to log in to the website, but figured a strict combination of a unique user ID number and unique image ID would be required, making it incredibly difficult to guess. After all, it wouldn’t be possible to access these images without receiving a misaddressed e-mail, right? Wrong!

I looked at the URL in the e-mail and found the only requirement was a 16-digit hex number. [Update: A few readers pointed out that a 64-bit key results in a HUGE number of possibilities to guess (10^19). However, as I can obtain the keys via another security hole, no guessing is required – I’m not going to release that information yet as I’d like O2 to fix this.] As these web pages were wide open to the internet, not requiring any authentication, a very small handful were indexed by Google. I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:

Worse still, the majority of the images taken on cameras turns out to be children. Ironically, O2 has a website dedicated to “Protect Our Children”. Well, a good first step would be to avoid leaking customer photos.
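One way to avoid this kind of leak, as an added example that is not part of the original post and not O2's code: the URL key only locates the message, and a logged-in session decides who may see it. The store, function names, headers and `session_user` (assumed to come from an authenticated login) are hypothetical, and the sample data is constructed.

```python
import secrets
import time

# Constructed in-memory store standing in for the operator's database.
MESSAGES = {}

# Response headers that keep viewer pages out of search indexes and shared caches.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, noarchive",
    "Cache-Control": "private, no-store",
}

def store_message(recipient, image, ttl=7 * 24 * 3600, now=None):
    """Save an image for one recipient and return the key used in the URL."""
    now = time.time() if now is None else now
    key = secrets.token_hex(8)  # 16 hex digits, the same shape as in the post
    MESSAGES[key] = {"recipient": recipient, "image": image, "expires": now + ttl}
    return key

def view_key_only(key):
    """Pattern the post describes: knowing the URL key is the only requirement."""
    msg = MESSAGES.get(key)
    if msg is None:
        return 404, {}, b""
    return 200, {}, msg["image"]  # a crawler following a leaked link gets the photo

def view_authenticated(key, session_user, now=None):
    """The key only locates the message; the logged-in recipient authorizes it."""
    now = time.time() if now is None else now
    if session_user is None:
        return 401, PRIVATE_HEADERS, b""  # crawlers and strangers stop here
    msg = MESSAGES.get(key)
    # Unknown key, expired message and wrong user all look the same to the caller.
    if msg is None or now > msg["expires"] or msg["recipient"] != session_user:
        return 404, PRIVATE_HEADERS, b""
    return 200, PRIVATE_HEADERS, msg["image"]
```

With the second handler, a misaddressed e-mail or an indexed link no longer exposes the photo, because holding the URL is not enough without the recipient's login.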

Update: Someone posted this story to the O2 Customer Forum website but the thread has mysteriously disappeared. Hmmm….I wonder why? The thread discussing this in the forum was here but now simply returns “The topic or post you requested does not exist” webpage. Google did manage to grab it….

Since then I’ve found the following discussion of the issue on the O2 Customer Forum that hasn’t yet been removed…..

8 Responses to “O2 Leaking Customer Photos?”

  1. July 18, 2008 at 12:57 pm, Ken Simpson said:

    InformationWeek just covered this story – see

  2. July 18, 2008 at 11:04 pm, bvdbos said:

    Of course this is a major blunder of O2. However, please refrain from the phrase “Worse still, the majority of the images taken on cameras turns out to be children.”. In the USA and in Europe our privacy is thrown overboard for the sake of “terrorism” and “children” (plus “mp3” in the USA) while there’s nothing remotely related to child-pornography with these photos.

  3. July 19, 2008 at 12:42 am, Jon Dowland said:

    "Worse still, the majority of the images taken on cameras turns out to be children."

    May I summarize the following slashdot comment in response:

    "What [nonsense] is it that pictures of children need to be removed from the world?

    There is no evidence that pictures of children place them at risk. Can we please stop and reverse this meme that there is anything wrong with taking pictures of children?"

    Some of the other comments are worth reading too: such as, there are about 40 pictures, not thousands, and they have all been posted publicly (on boards, forums etc.) by the person who took the picture in the first place.

    A nice attempt to stir up a storm.

  4. July 19, 2008 at 6:18 am, Dougie Lawson said:

    O2 have fixed this in a very crude, but effective way, now gets a 404.

  5. July 19, 2008 at 5:20 pm, Joe said:

    You have also been Slashdotted.

  6. July 19, 2008 at 9:42 pm, Noam said:

    Apparently O2 removed the application/directory or moved it somewhere where Google doesn’t currently index.

  7. July 20, 2008 at 6:07 am, [email protected] said:

    As the author of the “o2mms” web application which acted as a proxy to the official O2 mms2legacy platform to present the messages in a more iPhone friendly format I’m somewhat shocked they hadn’t implemented authentication on these pages.

    My application did not rely on this vulnerability (it passed the authentication data along even though, clearly, it wasn’t needed!) and ironically, although O2 users’ images were also stored temporarily on my own servers, accessing them required authentication and these images could only be viewed by the intended recipient.

    If I considered the potential risk in an application I built in a couple of days… how did a company the size of O2 not notice this!?!?

  8. July 21, 2008 at 3:33 pm, Phil Whelan said:

    Make sure you read the latest post on this. It has information that I think is much more of a security problem. We were able to see quite a lot of very private MMS messages going across the wire via their unprotected online access logs.

    Update: O2 Leaking Customer Photos
