    ZDNet: Trivial security flaw in popular iPhone app leads to privacy leak

    ZDNet reports on a security problem that has led to the invasion of some iPhone users’ privacy:

    A trivial security flaw within a popular photo-sharing iPhone app known as Quip has exposed thousands of shared photos, with repositories of them — including the naked ones — already circulating across the Web.

    Addy Mobile, Inc, the company behind the application, is coming under harsh criticism due to the fact that the flaw and its active exploitation have been known for a few months, possibly longer, with no actions taken to ensure that it can no longer be abused. […]

    Basically, every time someone is sharing a photo, it’s uploaded on Quip’s web server using just 5 random letters and digits for generating the URL, allowing a potentially malicious user to use brute force and obtain private photos exchanged between Quip’s users with no technical sophistication.

    Moreover, not only were the URLs easy to brute force, but also, the URLs weren’t even instructing search engine crawlers to skip them, resulting in a small number of them appearing in Google’s index. […]
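    The two weaknesses quoted above, a 5-character token keyspace and share pages that carry no crawler instruction, are illustrated by the following added example; it is not code from Quip or Addy Mobile, the object counts in it are constructed assumptions, and the hardened token and response headers are one reasonable fix, not the company's. It shows why token strength must be judged against the number of live objects, not a single target.

```python
"""Added illustration: how guessable a 5-character share token is once many
photos are live, and what a sufficiently strong token and crawler policy
look like. Not Quip's or Addy Mobile's code; object counts are constructed."""
import math
import secrets


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens a scheme can produce (alphabet ** length)."""
    return alphabet_size ** length


def guesses_per_hit(space: int, live_objects: int) -> float:
    """Expected uniformly random guesses before one lands on some live object.

    A random guess hits a live object with probability live/space, so the
    expected guesses per hit are space/live. The protection is the gap
    between the keyspace and the population actually in use, not the
    keyspace alone.
    """
    return space / live_objects


def effective_bits(space: int, live_objects: int) -> float:
    """Same quantity expressed in bits: log2(space) - log2(live)."""
    return math.log2(space) - math.log2(live_objects)


def secure_token(nbytes: int = 16) -> str:
    """Share token from the OS CSPRNG: 16 bytes = 128 bits of entropy,
    URL-safe encoded as 22 characters."""
    return secrets.token_urlsafe(nbytes)


def share_response_headers() -> dict:
    """Headers a per-link photo page should send so crawlers neither index
    nor follow it (the report notes Quip gave crawlers no such instruction)."""
    return {
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "private, no-store",
    }


if __name__ == "__main__":
    # Constructed assumption: one million shared photos currently live.
    weak = keyspace(36, 5)  # letters + digits, case-insensitive: ~60 million
    print(f"5-char token, 1M photos: ~{guesses_per_hit(weak, 10**6):.0f} "
          f"guesses per hit ({effective_bits(weak, 10**6):.1f} bits)")
    # Constructed assumption: one billion photos live under 128-bit tokens.
    print(f"128-bit token, 1B photos: {effective_bits(2**128, 10**9):.1f} bits")
    print("example strong token:", secure_token())
```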

    According to Quip’s description, millions of people have already shared photos using the service. Quip’s server is currently offline.

