Trivial security flaw in popular iPhone app leads to privacy leak

Addy Mobile, Inc, the company behind the application, is coming under harsh criticism due the fact that the flaw and its active exploitation has been known for a few months, possibly longer, with no actions taken to ensure that it can no longer be abused.

More details on the flaw, including a statement from Quip's founder:

Basically, every time someone is sharing a photo, it's uploaded on Quip's web server using just 5 random letters and digits for generating the URL, allowing a potentially malicious user to use brute force and obtain private photos exchanged between Quip's users with no technical sophistication.

Moreover, not only were the URLs easy to brute force, but also, the URLs weren't even instructing search engine crawlers to skip them, resulting in a small number of them appearing in Google's index.

The founder of the company issued the following statement in response to the flaw:

• "Hello, this is Ish, the founder of Addy Mobile, makers of the Quip app.As soon as this post came to our attention, we immediately shut down our servers. We have also now disabled all S3 access and have started to systematically secure all files in the system. We will not bring the system back up until we have adequate security around all files shared over Quip. I apologize to our users for this security breach and promise we will do everything in our power to make sure none of their information is exposed once we bring the service back up. The vision for Quip has always been to provide users a quick, simple, and affordable way for iPhone users to send picture messages without paying exorbitant carrier fees. We are a small company (3 people) but we will work as quickly as possible to bring back the service up in a safe and secure manner."

According to Quip's description, millions of people have already shared photos using the service. Quip's server is currently offline.