ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Trivial security flaw in popular iPhone app leads to privacy leak

By | March 30, 2010, 12:23pm PDT

Summary: A trivial security flaw within a popular photo sharing iPhone app known as Quip, has exposed thousands of shared photos, with repositories of them — including the naked ones — already circulating across the Web.

A trivial security flaw within a popular photo sharing iPhone app known as Quip, has exposed thousands of shared photos, with repositories of them — including the naked ones — already circulating across the Web.

Addy Mobile, Inc, the company behind the application, is coming under harsh criticism due the fact that the flaw and its active exploitation has been known for a few months, possibly longer, with no actions taken to ensure that it can no longer be abused.

More details on the flaw, including a statement from Quip’s founder:

Basically, every time someone is sharing a photo, it’s uploaded on Quip’s web server using just 5 random letters and digits for generating the URL, allowing a potentially malicious user to use brute force and obtain private photos exchanged between Quip’s users with no technical sophistication.

Moreover, not only were the URLs easy to brute force, but also, the URLs weren’t even instructing search engine crawlers to skip them, resulting in a small number of them appearing in Google’s index.

The founder of the company issued the following statement in response to the flaw:

  • “Hello, this is Ish, the founder of Addy Mobile, makers of the Quip app.As soon as this post came to our attention, we immediately shut down our servers. We have also now disabled all S3 access and have started to systematically secure all files in the system. We will not bring the system back up until we have adequate security around all files shared over Quip. I apologize to our users for this security breach and promise we will do everything in our power to make sure none of their information is exposed once we bring the service back up. The vision for Quip has always been to provide users a quick, simple, and affordable way for iPhone users to send picture messages without paying exorbitant carrier fees. We are a small company (3 people) but we will work as quickly as possible to bring back the service up in a safe and secure manner.”

According to Quip’s description, millions of people have already shared photos using the service. Quip’s server is currently offline.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apple iPhone, Privacy, Founder, Server, Photograph, Quip, Security, Viruses And Worms, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
46
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Trivial security flaw in popular iPhone app leads to privacy leak
efsane Updated - 9th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
View in thread
0 Votes
+ -
Trivial security flaw in popular iPhone app leads to privacy leak
Loverock Davidson 30th Mar 2010
has exposed thousands of shared photos, with repositories of them ? including the naked ones

I'd like to see the Proof of Concept code for this one.
0 Votes
+ -
Proof of concept
hill60 Updated - 30th Mar 2010
Don't upload your photo's to an insecure server.

Buyer beware do a little homework first.

OMG people can see the photo's I uploaded from my phone on the Interwebz!!!

I bin haxxorred!!!!
0 Votes
+ -
Would you bash Windows for a security flaw in ImageShack?
AzuMao 30th Mar 2010
Because that's what level you've just sunk to.
0 Votes
+ -
Wouldn't bash Windows
Tholian_53 31st Mar 2010
Because Microsoft and Windows just provide the playground unlike Apple Almighty.

Apple Almighty not only provides the playground but have proclaimed themselves the police of what can run on that playground. It requires their "Approval" so, YES! They are fundamentally liable in entirety.
0 Votes
+ -
They don't run that website.
AzuMao 31st Mar 2010
0 Votes
+ -
They approved the app (nt)
rtk Updated - 31st Mar 2010
.
0 Votes
+ -
There's nothing wrong with the app.
AzuMao 31st Mar 2010
0 Votes
+ -
Not Apples problem. Say "cheese"
MacNewton 30th Mar 2010
If you're going to use a photo app to send your girlfriend
your bedroom photos, your just asking for problems. But you
could sue the App maker for a few bucks. Apple is protected
by there Terms and conditions.
0 Votes
+ -
But surely Apple saw this...
storm14k 31st Mar 2010
..when they reviewed the app in their strenuous
review process right?
0 Votes
+ -
Apple's walled garden app store
rtk 31st Mar 2010
means they are at least partially culpable for this privacy breach.

Could very well be yet another lawsuit in Apple's future.
0 Votes
+ -
Try again.
AzuMao 31st Mar 2010
Apple review the stuff in their AppStore, not the security of third-party websites you choose to upload naked pictures of yourself to.
0 Votes
+ -
Quiptxt
rtk 31st Mar 2010
is a webservice and site tied directly to the app, it's a package deal that Apple approved.
0 Votes
+ -
Following that logic..
AzuMao 31st Mar 2010
..Internet Explorer is a package deal tied directly to Windows, so
if I upload naked pictures of myself to ImageShack with it and
someone sees them and thinks I'm ugly, I can sue Microsoft.
0 Votes
+ -
If MS approved, hosted and sold
rtk 31st Mar 2010
an ImageShack app, you'd have a point.

The app and service were approved by Apple into their walled garden and sold by Apple to Apple's users, they hold some culpability in the matter.
0 Votes
+ -
Internet Explorer was added to Windows by Microsoft..
AzuMao 1st Apr 2010
..and it can be used by me to post naked pictures of myself onto ImageShack.

Quiptxt was approved by Apple (but not installed by default) and I can use it to upload naked pictures of myself too.


I can't sue Microsoft for this, but I can sue Apple for it?
0 Votes
+ -
IE and quiptxt
rtk 1st Apr 2010
are different, like ntpd and browsers are different, but I know you don't or can't understand this concept.
0 Votes
+ -
I never said they were the same. I said they both can be used to upload..
AzuMao 1st Apr 2010
..naked pictures onto the Internet, that they are both approved by the
creators of the operating system they run on (IE by Microsoft, Quiptxt
by Apple), and that what happens to the pictures once you've uploaded
them to a website on the Internet isn't Microsoft's or Apple's fault.
0 Votes
+ -
IE is a browser, quiptxt is not
rtk 1st Apr 2010
if quiptxt was a browser, you'd have a point.

If MS delivered a product called Imageshack Explorer that's sole purpose was to upload pictures to Imageshack, you'd have a point.
0 Votes
+ -
They can both be used to do the thing mentioned in the article..
AzuMao 1st Apr 2010
..and both have the same "problem" when doing it.


IE can do other things, but those other things have nothing to do
with the problem mentioned in the article; that if you upload naked
pictures of yourself onto a website strangers might find them.
0 Votes
+ -
If there's nothing wrong with the app
rtk 1st Apr 2010
why has it been removed from the app store?

Internet Explorer is still around.
0 Votes
+ -
Maybe because it was a pointless app.
AzuMao 2nd Apr 2010
Doesn't iPhone already have Safari for accessing web sites?
0 Votes
+ -
If it was a pointless app
rtk Updated - 2nd Apr 2010
why was it approved in the first place, and why was it installed (from Apple's walled garden of approved and endorsed apps) by people?

If it was removed because it was pointless, Apple's got a lot of work on their hands if that's the standard they plan on retroactively applying to the app store.

Doesn't iPhone already have Safari for accessing web sites?

Yup, what it no longer has is a dedicated app for sharing via quiptxt, since it's been removed following the exposure of the failings of the app and service to protect the privacy of it's users, something Apple should have clearly noticed when they reviewed the app (provided they actually used it at least once).
0 Votes
+ -
Good question.
AzuMao 2nd Apr 2010
I'd always thought the AppStore was like a whitelist (proactive).

Maybe it's actually a blacklist (reactive)?
0 Votes
+ -
Don't upload pictures
CathyCC 30th Mar 2010
So people are uploading pictures of themselves to websites... and that is a "security flaw" ???

Don't upload them.
0 Votes
+ -
But "stop posting naked pictures of yourself on the Internet" wouldn't..
AzuMao 30th Mar 2010
..make for a very interesting headline.
0 Votes
+ -
I thought the app review process....
storm14k 31st Mar 2010
...was supposed to catch all of this stuff. Its SOOO much
better than being open about the apps allowed right?
0 Votes
+ -
There's nothing wrong in the app.
AzuMao 31st Mar 2010
If you upload naked pictures of yourself onto third party websites on the Internet somebody might see them is all.
0 Votes
+ -
Oh, but there is
rtk 31st Mar 2010
and they've already admitted it.
0 Votes
+ -
No. Some third-party website similar to ImageShack has a problem.
AzuMao 31st Mar 2010
Pictures uploaded to that website can be viewed by other people.
0 Votes
+ -
For those of us not living in AzuWorld.
rtk 1st Apr 2010
Pictures uploaded by the App approved by Apple contain a massive privacy fault.
0 Votes
+ -
What massive privacy fault do the pictures contain?
AzuMao 1st Apr 2010
And what is wrong with the uploader?



p.s.
These are two separate questions.
0 Votes
+ -
There's not two separate questions
rtk 1st Apr 2010
The first is your usual word games, it's clear what I meant.

And if it wasn't, the app and it's service were responsible for the massive privacy glitch.

An app and service approved, hosted and therefore endorsed exclusively on Apple's app store.
0 Votes
+ -
@rtk The third party website (similar to ImageShack) which had the problem
AzuMao 1st Apr 2010
isn't hosted by Apple, and isn't in their AppStore.


Also, I did ask two questions.

You said "Pictures uploaded by the App approved by Apple contain a
massive privacy fault.", so I asked what the massive privacy vault
contained in the pictures was.

I also asked what was wrong with the app, in response to the statement
that something was wrong with it (the app, I mean, not the website).

Neither of these questions have been answered.

Are you going to answer them or just keep flaming me?
0 Votes
+ -
You're predictable.
rtk Updated - 1st Apr 2010
"Pictures uploaded by the App approved by Apple contain a massive privacy fault.", so I asked what the massive privacy vault contained in the pictures was.

The upload process included the privacy blunder, you know it, I know it, and your attempts to play word games are noted and rejected.

You'll come off looking a lot smarter if you quit playing dumb so often. Just a free word of advice for ya.

Neither of these questions have been answered.

Read the article.

Are we going to play the last word game again? 10 letters this time.
0 Votes
+ -
double post NT
AzuMao Updated - 2nd Apr 2010
0 Votes
+ -
What are you going on about now, rtk? Can't you just answer?
AzuMao 2nd Apr 2010
The upload process included the privacy blunder, you know it, I know
it, and your attempts to play word games are noted and rejected.

What word games, and what was wrong with the upload process?



Yes, if you keep making claims with nothing to back them up, and avoiding
my resulting questions, I'm going to ask them again. If you knew that
then why didn't you answer them?
0 Votes
+ -
The app has been removed from the app store
rtk 2nd Apr 2010
and the service is offline.

The questions you asked are answered in the article, so RTFA.
0 Votes
+ -
Could you please quote the part of the article that says..
AzuMao 2nd Apr 2010
..there is a problem with the pictures and the app?


The impression I got was that the app worked fine, and that the problem existed in a third party website.
0 Votes
+ -
The app worked
rtk 2nd Apr 2010
but my point is that it should have been clear to Apple when they approved it that it worked in a way that failed to protect the privacy of it's users.
0 Votes
+ -
How so? Spill the beans already.
AzuMao 2nd Apr 2010
What is insecure about the app?
0 Votes
+ -
Ask Apple or quiptxt
rtk 3rd Apr 2010
because the reality is it wasn't removed because it was pointless as you claim, it was removed due to the privacy bug widely reported.
0 Votes
+ -
What is the widely reported privacy bug in the app?
AzuMao 3rd Apr 2010
The article mentions a problem with their website (that the URLs are short so it's easy for people to browse through them), but nothing about the app.
0 Votes
+ -
The app and web service
rtk 3rd Apr 2010
are a package.
0 Votes
+ -
OH. My bad.
AzuMao 3rd Apr 2010
I thought the website was standalone and could be accessed by any browser.
0 Votes
+ -
Private Photos? Who cares
drobinow 31st Mar 2010
What will the paranoid security freaks think of next?
Hint: If you don't want to share, don't post.
0 Votes
+ -
RE: Trivial security flaw in popular iPhone app leads to privacy leak
efsane Updated - 9th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix