Mobile Network Operators have been providing SMS text messaging capabilities for years, but it’s only recently that MMS (Multimedia Messaging Service) enabled cell phones have become more popular. MMS allows the owner of the phone to take a photo and immediately send it to another MMS enabled cellphone. So what happens if an MMS enabled phone sends a photo to a non-MMS phone? Well, the mobile operators have thought of that: they can host the images on their website and notify the recipient by text message or e-mail that a new photo is available to view.
You may assume that if you use this service to send a photo to a friend, your photo is protected and not broadcast for the entire world to see. Unfortunately, this may not be the case if there isn’t proper authentication, such as a username and password login, on the mobile network operator’s website that’s hosting the images, and here’s an example of that case…
Earlier today, we received an e-mail from O2 that was sent to an incorrect recipient. It’s quite likely that an e-mail address was entered incorrectly by the person setting up the account. I was surprised that we were able to view the image without having to log in to the website, but figured a strict combination of a unique user id number and unique image id would be required, making it incredibly difficult to guess. After all, it wouldn’t be possible to access these images without receiving a misaddressed e-mail, right? Wrong!
I looked at the URL in the e-mail and found the only requirement was a 16-digit hex number. [Update: A few readers pointed out that a 64-bit key results in a HUGE number of possibilities to guess (10^19). However, as I can obtain the keys via another security hole, no guessing is required - I'm not going to release that information yet as I'd like O2 to fix this.] As these web pages were wide open to the internet, not requiring any authentication, a very small handful were indexed by Google. I was able to craft a Google search that results in some matches to show an example of how this is an insecure method of hosting:
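The failure described above is a classic "secret URL" design: the 16-digit hex id in the link is the only thing standing between the photo and the world, so once an id leaks (misaddressed e-mail, a search-engine crawl, or any other hole) the size of the key space no longer matters. The following is an added illustration, not O2's code and not known to reflect how their site is built; it models a picture-hosting endpoint two ways so the difference is concrete. Function names, the in-memory store and the sample e-mail addresses are all assumptions made for the example.

```python
"""
Added example (not O2's code). Two versions of an MMS picture-hosting
endpoint: `serve_open` keys access solely on the 64-bit hex id in the URL
(the weak design described in the post), while `serve_hardened` also
requires a logged-in session, binds the id to the intended recipient,
expires the link, and tells crawlers not to index the page.
"""
import hmac
import secrets

# Constructed in-memory store: photo id -> record. In the weak design the
# id IS the secret; 16 hex digits = 64 bits, the figure the post discusses.
_PHOTOS = {}

ONE_WEEK = 7 * 24 * 3600


def share_photo(owner, recipient, image_bytes, now, ttl_seconds=ONE_WEEK):
    """Create a share record and return the 16-digit hex id used in the URL."""
    photo_id = secrets.token_hex(8)  # 8 random bytes -> 16 hex digits -> 64 bits
    _PHOTOS[photo_id] = {
        "owner": owner,
        "recipient": recipient,
        "image": image_bytes,
        "expires": now + ttl_seconds,
    }
    return photo_id


def _lookup(photo_id):
    """Find a record by id using constant-time comparison so response timing
    does not reveal how many leading characters of a guess were correct."""
    for stored_id, rec in _PHOTOS.items():
        if hmac.compare_digest(stored_id, photo_id):
            return rec
    return None


def serve_open(photo_id):
    """Weak design: whoever holds (or finds) the URL gets the image, and
    nothing in the response discourages a search engine from indexing it."""
    rec = _lookup(photo_id)
    if rec is None:
        return {"status": 404, "headers": {}, "body": b""}
    return {"status": 200, "headers": {"Content-Type": "image/jpeg"}, "body": rec["image"]}


def serve_hardened(photo_id, session_user, now):
    """Hardened design: the id is a locator, not a credential. The caller must
    be authenticated as the intended recipient, the link must be unexpired,
    and the response is marked private and non-indexable."""
    headers = {
        "X-Robots-Tag": "noindex, nofollow",   # keep crawlers from indexing it
        "Cache-Control": "private, no-store",  # keep shared caches from keeping it
    }
    if session_user is None:
        return {"status": 401, "headers": headers, "body": b""}  # must log in first
    rec = _lookup(photo_id)
    # Same answer for "no such id", "not your photo" and "expired", so a
    # logged-in stranger cannot learn which ids exist.
    if (
        rec is None
        or not hmac.compare_digest(rec["recipient"], session_user)
        or now > rec["expires"]
    ):
        return {"status": 404, "headers": headers, "body": b""}
    headers["Content-Type"] = "image/jpeg"
    return {"status": 200, "headers": headers, "body": rec["image"]}


def keyspace_bits(hex_digits):
    """Bits of entropy in an id of the given hex length (16 digits -> 64 bits)."""
    return 4 * hex_digits


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value so the demo is deterministic
    pid = share_photo("alice@example.invalid", "bob@example.invalid",
                      b"\xff\xd8constructed-jpeg", now=t0)
    print("open design, no login:", serve_open(pid)["status"])                       # 200
    print("hardened, no login:", serve_hardened(pid, None, t0)["status"])             # 401
    print("hardened, wrong user:", serve_hardened(pid, "eve@example.invalid", t0)["status"])  # 404
    print("hardened, recipient:", serve_hardened(pid, "bob@example.invalid", t0)["status"])   # 200
    print("hardened, recipient, a month later:",
          serve_hardened(pid, "bob@example.invalid", t0 + 30 * 24 * 3600)["status"])  # 404
    print("64-bit keyspace: %.1e ids" % 2 ** keyspace_bits(16))                       # 1.8e+19
```

The point of the comparison is that `serve_open` treats a value that travels in plaintext e-mail and sits in server logs and crawler indexes as if it were a password, whereas `serve_hardened` only hands the image to the account it was sent to, stops honouring the link after a while, and makes the page unattractive to search engines even if a copy of the URL does escape.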
Worse still, the majority of the images taken on these cameras turn out to be of children. Ironically, O2 has a website dedicated to “Protect Our Children”; well, a good first step would be to avoid leaking customer photos.
Update: Someone posted this story to the O2 Customer Forum website, but the thread has mysteriously disappeared. Hmmm… I wonder why? The thread discussing this in the forum was here but now simply returns a “The topic or post you requested does not exist” webpage. Google did manage to grab it….
Since then I’ve found the following discussion of the issue on the O2 Customer Forum that hasn’t yet been removed…..