O2's web application, which lets users view MMS messages on the Internet instead of on a phone that is not MMS-capable or MMS-enabled (like the iPhone), requires no authentication to view them.
Whilst it's difficult for an ordinary user to guess the URL parameters needed, Google has no such difficulty scanning the site and indexing customers' MMS messages.
Security through obscurity is almost as insecure as no security at all.
You can view the search results here.
InformationWeek first reported the story and has spoken to a security specialist who believes the URL information was possibly picked up by users running the Google toolbar.
The toolbar will store URLs that users visit and add them to the search engine's index.
However, INQ hack Tony Dennis has contacted some of the affected punters and has uncovered some alarming information.
One victim of the O2 security leak is a young mother called Sarah who lives with her family in Leicester.
The hacked MMS message contained a picture of her young daughter when she was two years old (she is now four). Sarah told the INQUIRER, "I am completely shocked and confused. I thought messaging was private. I don't think I'll be able to send another picture message again as I don't know where it will end up. I'm absolutely disgusted."
Sarah also revealed that she doesn't even own a PC herself and was terrified at the thought that the picture could end up on Facebook - something we're all fearful of.
The same security analyst has stated that he believes that someone at the company is aware of the problem and has been trying to cover it up - people have been posting information on the problem on the public O2 forums, and these posts have subsequently vanished.
Considering the core methodology behind the 'security' - basically a randomised 16-digit alphanumeric code - we believe it won't take very long until someone devises a method of enabling all stored MMS messages to be viewed.
A brute-force attack utilising a random alphanumeric generator, which then confirms that the resulting page is viewable (it otherwise errors), would allow an index of pictures to be created.
No doubt a 16-character combination is a considerable effort, and we suspect O2's MMS servers will shortly go down under the load of enterprising hackers with little regard for efficiency.
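As an added worked calculation (not part of the original article) putting numbers on the "considerable effort" above: it sizes the 16-character alphanumeric token space and the expected time to stumble on any live message by random guessing. The number of stored messages and the request rate are assumed figures, chosen only for illustration.

```python
import math

# Alphabet sizes for a 16-character alphanumeric token (assumption: the
# article does not say whether letters are case-sensitive, so show both).
ALPHANUM_CASE_INSENSITIVE = 36  # 0-9 plus one case of A-Z
ALPHANUM_CASE_SENSITIVE = 62    # 0-9 plus A-Z plus a-z
TOKEN_LENGTH = 16
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Equivalent strength of the token in bits."""
    return length * math.log2(alphabet)


def expected_guesses_to_first_hit(length: int, alphabet: int, live_tokens: int) -> float:
    """Expected random guesses before the first one lands on any of the
    `live_tokens` valid URLs (geometric distribution, repeats ignored)."""
    return keyspace(length, alphabet) / live_tokens


def expected_years_to_first_hit(length: int, alphabet: int,
                                live_tokens: int, requests_per_second: float) -> float:
    """Expected wall-clock years to find one live message at a sustained
    guessing rate, assuming the server never throttles or blocks."""
    guesses = expected_guesses_to_first_hit(length, alphabet, live_tokens)
    return guesses / requests_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario: ten million stored messages, one million
    # requests per second, i.e. far beyond what a Tomcat front end would sustain.
    for name, alphabet in (("case-insensitive", ALPHANUM_CASE_INSENSITIVE),
                           ("case-sensitive", ALPHANUM_CASE_SENSITIVE)):
        print(f"{name}: {entropy_bits(TOKEN_LENGTH, alphabet):.1f} bits, "
              f"~{expected_years_to_first_hit(TOKEN_LENGTH, alphabet, 10**7, 10**6):.0f} "
              "years to the first hit")
```

The point for defenders is that the token itself is not the weak part; a URL that carries the whole credential is defeated the moment it is logged, shared or indexed, which is exactly what happened here.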
We'd advise you start deleting your stored MMS messages now.
We've also noted that O2's web server is running Apache Tomcat, a Java Servlet container. Considering the levels of off-the-shelf security available for this application container, we're amazed that the development team has allowed this form of blatant intrusion.
We're also surprised that a robots.txt file hasn't been used to at least attempt to cover up the insecure methods put in place (though this may have been bypassed if the Google toolbar theory is correct).
This hack has many years' experience in enterprise Java software development; O2, you're free to contact us if you need advice.
We suspect the phone numbers on view will have received a fair few text messages so far.
O2 allows MMS pictures to be seen by all
By Dean Pullen on Jul 21, 2008 10:35AM