
Thousands of private photos leaked, privacy disaster for Quiptxt.com users - dsplittgerber
http://www.reddit.com/r/pics/comments/bjezp/massive_privacy_fail_quiptxtcom_is_a_site_that/
======
DanielBMarkham
Two things in this story that are not new, but still amazing to me.

1) A significant portion of people love taking pictures of themselves naked.
This portion seems to be growing.

2) Another significant portion of people love publishing and making fun of
people for whatever reason they can find. These people will dig through your
trash, hack your servers, socially-engineer your passwords, etc. The more they
can publicly debase you the happier they are. This portion of the population
is also growing.

Yes, I understand the technical angle to this story is whacked security. I'm
just amazed at the comments over on reddit (I don't visit reddit very often).
From reddit I surfed over to a couple of other links (drama-a-pedia or
something?) and the festival of public debasement continues. Somebody even
mentioned hacking some girl's senior picture and uploading her naked pics. Man
that has to make you feel really special to do something like that.

~~~
jcromartie
People don't change. Everybody is a pervert or a sadist or something.
Everybody does something weird when they think nobody is looking. The
_population_ is growing, and so there is certainly more going on at any one
time, but I doubt the portion is really growing.

~~~
gizmo
The issue isn't that people enjoy weird things, it's that people do things
that hurt others, and don't feel guilty about it.

~~~
DrJokepu
I think it's more like "people like treating other people outside their reach
as objects without regards to consequences and when there are bad consequences
they feel a bit guilty about it but it's too late anyway."

------
wesley
Seems they had no security at all (just a random 5 character hash).

Reddit users are seemingly busy sharing nsfw pictures and linking them to
facebook accounts, will probably result in a couple of suicides when all is
said and done :(

~~~
markbao
Do not confuse Reddit and 4chan.

~~~
viraptor
Well... sometimes the only difference seems to be that you cannot attach
pictures to your comments. (still - depends on the subreddit)

------
jsz0
It's interesting how quickly the wolves jump on an easy target. Some of the
comments on reddit and elsewhere I've read are talking about making throw-away
Facebook accounts to confront/embarrass people with their private pictures.
I've already seen a few names posted. I'm willing to cut people some slack for
looking at the pictures (a harmless crime, human nature) but doing the leg
work to connect anonymous pictures to a real identity to simply embarrass them
is taking it way too far.

~~~
naner
This is the typical 4chan M.O.

I like reddit so I'm a little saddened to see this behavior there but this is
another reminder that the internet isn't as segregated as we think it is.
Reddit is no gated community. Its best and worst feature.

------
frognibble
The founder of the company responded on the Reddit thread:
[http://www.reddit.com/r/pics/comments/bjezp/massive_privacy_...](http://www.reddit.com/r/pics/comments/bjezp/massive_privacy_fail_quiptxtcom_is_a_site_that/c0n3f48)

The application is described in the iTunes store:
[http://itunes.apple.com/app/quip-free-photo-texting/id291358...](http://itunes.apple.com/app/quip-free-photo-texting/id291358190?mt=8#)

~~~
prog
Interestingly this flaw was reported in 2009 on Digg.
<http://digg.com/security/Quip_TXT_for_iPhone_FAIL_WIN_NSFW> I am not sure if
QuipTxt tried fixing it that time.

~~~
hasanove
From the comment thread on Reddit it seems like the only thing they did was
to ban the IP address. Clever :)

[http://www.reddit.com/r/pics/comments/bjezp/massive_privacy_...](http://www.reddit.com/r/pics/comments/bjezp/massive_privacy_fail_quiptxtcom_is_a_site_that/c0n3i8o)

------
swombat
Lesson:

If you launch something like QuipTxt, make it obvious to people that their
images are public, so that the idiots who harbour the impression that stuff
uploaded on a public URL on a free website don't come running at you with
pitchforks.

Additional benefit: more network effects.

I don't really see the difference between this service and Twitpic (hard to
tell since the site is down, though).

~~~
cryptnoob

> If you launch something like QuipTxt, make it obvious to
> people that their images are public

Google Picasa stores images as public URLs without any such warning. Because
with random URLs, you effectively have passworded each image. Even more
secure than if they were all locked into a nice MySQL database, because then
they would all be behind only a single password.

I think you don't have to freak out users with too much information. The
images are effectively password controlled.

The problem here is that the passwords were too short (and sent in plain text
via SMS).

~~~
daleharvey
If you only need to guess something's address to see it, it is public.

~~~
cryptnoob
I disagree.

A password is not a magic spell. It's a set of letters and numbers that, if
guessed correctly, will give me access to something you wanted kept private.

An obfuscated URL is a set of letters and numbers that, if guessed correctly,
will give me access to something you wanted kept private.

Because one uses a MySQL database, and the other uses a file system, is
irrelevant. They are functionally identical when directory listing is
disabled, as it can be for Amazon S3.

~~~
davidw
Locks on houses aren't infallible either, but establish intent: "you should
not be here". Very short hashes don't do that quite so much.

~~~
patio11
I'd be interested in knowing what length a hash needs to be to communicate
"you should not attempt to circumvent this and post the nude pictures behind
it", and also how secure a lock needs to be to communicate "you should not
attempt to jimmy this with a credit card and post the nudie pictures behind
it."

~~~
davidw
Well, to tell the truth, if there's a 'lock', it's pretty obvious you
shouldn't be doing it. If there's just a hash, it strikes me as simply a bad
idea in the first place, no matter how long it is. Someone can just do 'copy
image url' and have it work, with no challenge from the application. A shorter
hash is especially bad because it makes them easy to guess at. I'm not saying
it's "right" to copy images protected only with a hash, but it's like leaving
an expensive bicycle unlocked on a college campus in the US - it's simply not
very prudent. Of course in this case the users probably weren't aware of the
problem, and the people who made the application are at fault.

Edit: like daleharvey says, the point is really that the hash simply happens
to be difficult to find, whereas a proper application will challenge everyone
who attempts to access the resource. For instance, say Alice looks at Bob's
picture, and does "copy image url", and sends it to Carol. Carol has no way of
knowing whether it's supposed to be private or not, since Alice didn't
communicate that information.

------
oogali
I did a similar service (pktpix) about two years ago, but I used MD5 hashes.
Easily guessable URLs were the _first_ thing I thought about.

I figured since these messages were being passed around via txt, forwarded
e-mails, etc., there was no real benefit in shortening them.

------
gcanyon
A thought experiment for the large minds here: how long a string _would_ be
sufficient? I wonder if any string is long enough if you don't also implement
some sort of access control lockdown to prevent people poking your system
endlessly, but what do you think?
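
The question above (how long a random identifier has to be, and whether any length is enough without a lockout) can be put into numbers. The following is an added example, not code from the thread or from QuipTxt: it computes the keyspace of an identifier, the expected time for a guesser to hit any one of the valid identifiers at a given request rate, the shortest length that keeps that expected time above a chosen horizon, and a simple miss-counting throttle of the kind the comment alludes to. The 36-symbol alphabet, the request rates and the throttle policy are assumptions, not facts about the site.

```python
import secrets
import string
from collections import defaultdict

# Assumed alphabet: lowercase letters and digits, 36 symbols per position.
ALPHABET = string.ascii_lowercase + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct identifiers of the given length."""
    return alphabet_size ** length


def expected_guesses(length: int, valid_ids: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Expected random guesses before hitting ANY of `valid_ids` live identifiers.

    Guessing gets easier as the number of uploaded images grows: the attacker
    does not need a specific image, just one that exists.
    """
    return keyspace(length, alphabet_size) / valid_ids


def seconds_to_first_hit(length: int, valid_ids: int, rate_per_sec: float,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """Expected wall-clock time to the first hit at a sustained guess rate."""
    return expected_guesses(length, valid_ids, alphabet_size) / rate_per_sec


def minimum_length(valid_ids: int, rate_per_sec: float, horizon_seconds: float,
                   alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose expected time-to-first-hit exceeds the horizon."""
    length = 1
    while seconds_to_first_hit(length, valid_ids, rate_per_sec, alphabet_size) < horizon_seconds:
        length += 1
    return length


def new_identifier(length: int) -> str:
    """Generate an identifier from a CSPRNG (never from a counter or timestamp)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class MissThrottle:
    """Blocks a client after too many 404s inside a sliding window.

    Assumed policy for illustration: a guesser produces almost only misses,
    a legitimate user following links produces almost none.
    """

    def __init__(self, max_misses: int, window_seconds: float) -> None:
        self.max_misses = max_misses
        self.window = window_seconds
        self._misses: dict[str, list[float]] = defaultdict(list)

    def record_miss(self, client: str, now: float) -> bool:
        """Record one miss; return True once the client should be blocked."""
        recent = [t for t in self._misses[client] if t > now - self.window]
        recent.append(now)
        self._misses[client] = recent
        return len(recent) >= self.max_misses


if __name__ == "__main__":
    # Constructed scenario: 100k live images, one guess per 10 ms from one client.
    print("5-char keyspace:", keyspace(5))
    print("seconds to first hit:", seconds_to_first_hit(5, 100_000, 100))
    century = 100 * 365 * 24 * 3600
    print("length for a 100-year horizon at 1M images, 1k req/s:",
          minimum_length(1_000_000, 1_000, century))
    print("example id:", new_identifier(12))
```

Even the computed minimum only holds while guesses cost the attacker nothing; the throttle is what makes the rate assumption true, which is why the two belong together.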

~~~
alecco
Security and privacy shouldn't be based on hiding a plaintext string. What
about the ISPs, browser history, and other leakage.

S3 hosting of private images was a terrible idea. It doesn't provide any kind
of protection.

~~~
Terretta
> S3 ... doesn't provide any kind of protection.

S3 offers privacy protections with the ability to require an expiring token in
the URL. The theory is the web site should authenticate a user, and only
generate a valid token for that user (for a fuzzy definition of "that" user)
that works only for a limited time.

------
prog
So what happens to QuipTxt now?

~~~
brlewis
If the past is any indication, they fix the hole and everybody forgets about
it. Then Quiptxt grows to hundreds of millions of users, just like that other
site that used only 4 random digits:
<http://www.allfacebook.com/2009/02/facebook-photos-warning/>

------
jorgecastillo
This is why you shouldn't send or say over the internet anything that you
wouldn't show your mother and why you should try to keep your private life
separate from your internet life. If I was a user I would never again use this
service. This wasn't even a security flaw; it was plain incompetence, as some
redditors mentioned.

~~~
prog
> If I was a user I would never again use this service.

It would also include other services by the same management to the list :-)

------
donohoe
It seems like we should be careful here - depending on the age of those
involved (which we cannot determine for sure) these photos might legally be
child pornography.

------
chanux
We should celebrate Quiptxt day every year so that people will remember that
they have to be careful when they put private and sensitive stuff online.

------
Willie_Dynamite
Ahh, the cloud. Such a great idea.

~~~
mseebach
Less than six months ago, some internal (non-confidential, non-critical, but,
none the less, internal) documents of a client of mine showed up on Google.
The reason? They were public files in a folder on the webserver, and someone
turned on Indexes in Apache. It is the exact same problem.

Not even the shadow of a cloud (pun intended) was involved.

~~~
cryptnoob
I just had google index my ajax directory. I have a directory where I keep
ajax files. The only link to them is through my javascript ajax calls.

I was pretty surprised that Google goes through your javascript, harvesting
your ajax links.

~~~
jrockway
Well, _you_ linked to them via JavaScript. The whole rest of the Internet
might not have been that careful, though.

~~~
patio11
Pardon my SEO: Google uses both heuristics and partial execution of Javascript
these days. Linking to things only through JS is not a good method to prevent
Googlebot from stumbling upon them. I only mention this because a _lot_ of
people I know think that apparently Google's colony of well-paid supergeniuses
has not written anything since like 2004.

