Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos
fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?
Careful (Score:5, Informative)
Re: (Score:2)
It probably is all too common, but fixing it is completely easy:
1) get user id from logged in session, else return must login error
2) get photo id from URL and query db "exists where userid=X and photoid=Y", else return access denied error
It's trivially easy and f*ing negligent that anyone wouldn't do this.
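The two-step check the comment above describes, written out as an added example (this is not code from the thread or from Artisan State): the session supplies the user id, and the lookup is keyed on both the user id and the photo id. The handler names, the in-memory SQLite table and the sample rows are constructed for the example; the vulnerable handler beside it shows the lookup-by-id-only pattern the story is about, and a small regression check counts how many ids each handler hands to an anonymous caller.

```python
import sqlite3


class AuthError(Exception):
    """Refuse the request; `status` is the HTTP code the handler would send."""

    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status


def make_db():
    """Constructed stand-in for the site's photo table (two users, three photos)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE photos ("
        " photo_id INTEGER PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " blob BLOB NOT NULL)"
    )
    db.executemany(
        "INSERT INTO photos VALUES (?, ?, ?)",
        [(101, 1, b"alice-01"), (102, 1, b"alice-02"), (103, 2, b"bob-01")],
    )
    return db


def get_render_image_vulnerable(db, session, photo_id):
    """Insecure direct object reference: the client-supplied id is the only key,
    so the session is never consulted and any caller can read any row."""
    row = db.execute(
        "SELECT blob FROM photos WHERE photo_id = ?", (photo_id,)
    ).fetchone()
    if row is None:
        raise AuthError(404, "not found")
    return row[0]


def get_render_image_fixed(db, session, photo_id):
    """Step 1: identity comes from the server-side session, never from the URL.
    Step 2: the query is keyed on (user_id, photo_id), so a photo that belongs
    to someone else looks the same as one that does not exist and the
    response does not confirm which ids are valid."""
    user_id = session.get("user_id")
    if user_id is None:
        raise AuthError(401, "must log in")
    row = db.execute(
        "SELECT blob FROM photos WHERE user_id = ? AND photo_id = ?",
        (user_id, photo_id),
    ).fetchone()
    if row is None:
        raise AuthError(403, "access denied")
    return row[0]


def exposed_ids(handler, db, session, id_range):
    """Regression check for the site owner: which ids in a range does this
    handler serve to the given session? Anything non-empty for an anonymous
    session means the authorization step is missing."""
    served = []
    for pid in id_range:
        try:
            handler(db, session, pid)
            served.append(pid)
        except AuthError:
            pass
    return served


if __name__ == "__main__":
    db = make_db()
    anonymous = {}
    print("vulnerable, anonymous:", exposed_ids(get_render_image_vulnerable, db, anonymous, range(100, 106)))
    print("fixed, anonymous:     ", exposed_ids(get_render_image_fixed, db, anonymous, range(100, 106)))
    print("fixed, user 1:        ", exposed_ids(get_render_image_fixed, db, {"user_id": 1}, range(100, 106)))
```

The fixed handler deliberately returns the same refusal for "exists but not yours" and "does not exist"; answering 404 for one and 403 for the other would still let an anonymous caller map which ids are populated.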
Re: (Score:1)
It's probably based off wordpress, so it literally will be impossible to fix.
Re: (Score:2)
If they didn't design an app that has a concept of permissions even being *possible* then they have no business running a website like this.
Otherwise, yes, it is not hard to fix! And even granting that it were more difficult than one would ordinarily expect, the cost/benefit and risk/reward equations make it imperative to do so.
Re: (Score:1)
http://upload.artisanstate.com/upload/UploadServer/GetRenderImage?imageID=21470776
Re:Careful (Score:5, Informative)
Re: (Score:2)
Don't forget this nice Slashdot story:
http://yro.slashdot.org/story/... [slashdot.org]
An anonymous poster stated: "I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents." He spoke to customer service agents, escalated to a supervisor, and was told he would get a call back, but he never heard anything else. "I'm trying to be responsible and
Re: (Score:1)
Please cite the criminal code.
Thank you.
Re: (Score:1, Troll)
That's cool. I'm not under the jurisdiction of the USA. Neither is 95% of the world's population.
I'm pretty sure the Chinese Government doesn't care if its citizens hack into American companies' websites. Not that this really counts as hacking.
Re: (Score:3)
That's cool. I'm not under the jurisdiction of USA.
That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'
Re: (Score:1)
That's cool. I'm not under the jurisdiction of USA.
That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'
To explain why the poster made those points, to be extradited requires not only that the country from which the person is being extradited has an extradition treaty, but also that the country has a similar law to the US law being broken, namely if the person had done the act against someone or something inside their own country it would also have been illegal there.
And for those who do not know, many countries, like Russia, will not allow their citizens to be extradited, so if someone in such a country hac
Re: (Score:2)
about 80% would extradite to the US though.
unfortunately.
or the company could pursue the local similar laws.
in this case though very unlikely, because there's too many people to prosecute it's likely that nobody will be prosecuted.
Re: (Score:2)
When was the last time USA extradited someone in China for hacking? They just blame it on the Chinese government, say boohoo, no sanctions for you, because we need you more than you need us.
Re: (Score:3)
No.
The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?"
There is, and a person doesn't even have to be logged in to view those photos.
There's nothing illegal about that. The photo at 21470800 has no accompanying narrative that even hints that a person should not be there.
Most people on /. are familiar with the Computer Fraud and Abuse Act, 18 U.S.C. 1030 and it does not apply here.
The a
Re: (Score:2)
The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?" There is, and a person doesn't even have to be logged in to view those photos. There's nothing illegal about that.
Well yes, it seems like a perfectly natural thing to do. And yet people have been arrested and gone to jail for it. Search the internet or read the other posts in this story if you want to free yourself from ignorance.
Also, nice sig.
Re: (Score:2)
I'm in the business, so I've already jumped that hurdle.
Re: (Score:2)
"Similarity" is not a legal concept. The Computer Fraud and Abuse Act, 18 U.S.C. 1030 does not have a provision for similarities.
Re: (Score:2)
I went the "or something" route and digested the law and attended a seminar regarding same, just like most IT professionals have.
We can't manage and comply with what we don't understand, as obviated by your example.
Re: (Score:2)
I did not get a PhD in the subject.
I apologize for my shortcomings.
Re: (Score:2)
So anyway, they fixed it and anyway, here's your fail:
The link (before they fixed it) displayed only one thing: A photo.
There was no narrative either above, or below, and no narrative on either side of the photo.
Incrementing that number by one or decrementing by one (or multiples thereof) produced more photos but no narratives.
You're telling me I'm driving in a school zone but it's a secret.
Here's a truncation of the link above that DOES provide narrative:
http://upload.artisanstate.com/upload/ [artisanstate.com]
I modified a U
Re: (Score:2)
No, it's not the law that's irrational here.
That's why you failed to answer the question.
Re: (Score:2)
That's why you failed to answer the question.
Hey genius, you forgot to ask a question.
Also, you really entertain me. You say people can't go to jail for this kind of thing, whereas people already have.
Re: (Score:2)
I'm not going to jail and here's on you:
Show me where that's illegal.
Re: (Score:2)
To add to the discussion regarding 18 U.S.C. 1030, I will note that this website does not affirmatively note anywhere that these photos are to be considered private.
Re: (Score:1)
18 U.S. Code 1030(e) defines "protected computer" as "a computer which is used in or affecting interstate or foreign commerce or communication". This essentially means any computer connected to the Internet.
Changing the URL to access information the user was not intended to have access
Re: (Score:2)
Rationality and common sense agree with you. Unfortunately, US and UK case law (amongst others) does not . . .
Re: (Score:2)
That would fit, but only if it was normal to find cars parked in abundance that are unlocked and welcome people to open the door and get in. As it stands, the only reason to try a car door is if you are authorized to enter, or have malicious intent.
Re: (Score:2)
Please cite the criminal code.
It would just be lumped in under that nebulous "unauthorized access to computer systems" of 18 USC 1030 [wikipedia.org].
Re: (Score:2)
So, you're saying that law prohibits me from going to www.cnn.com/jdjdh##%^hndj, right?
Re: (Score:2)
Doing the right thing and informing people of their security holes also counts as pissing them off and has landed people in jail.
If Kafka were writing today he'd probably do a story on one of those insane trials.
Re: (Score:2)
Incrementing a parameter in a URL by one has nothing to do with AT&T. I'm on TWC and it worked. I'm on Verizon and it worked.
The company hosting the photos can be pissed all they want. That doesn't matter. It's not illegal. The site is working inside the parameters and restrictions as applied by the company.
The valid concern regarding a pissing contest is between the company and its customers.
Re: (Score:2)
One of the examples given by another poster was some poor bastard that went to jail for "hacking" AT&T by changing a URL and then contacting AT&T to tell them they had a problem.
Don't trust any website (Score:2)
I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?
The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.
Re: (Score:2)
The article asks:
I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?
The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.
I assume that whoever is speaking in the article has a job / contract to prepare these photos for clients who have requested that they upload the photos to the service. In that case leaving them off the Internet is not an option.
Re: (Score:2)
Obviously the photos aren't that private (the Asian girl), since I put them on Slashdot's front page. But for the other ones (now seeing the lax security) it will be worth it for me to invest in a good printer and print on my own.
Artisan pizza? No thanks, carpenters are chewy. (Score:2)
So you have a poor vocabulary. Try watching something other than Fox news.
Of course it's possible you live in a place full of fuckwits and they just use the noun as an adjective. Artisan sandwich? Are they cannibals round here?
Re: (Score:2)
My favorite is when people mispronounce / misspell artisan as artesian.
I always ask them what those pastries/bread/haircuts/etc. have to do with natural water wells :-)
Re: (Score:2)
It's the pressure man!
My pet hate now is I live in a suburb on a bend on a river and a pile of trendy people are calling it a "village" on a "peninsula".
Full Disclosure is the only way... (Score:3)
Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.
Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.
Re: (Score:2)
For example, if you find a vulnerability in Squid, and an admin can defend against the vulnerability by disabling a particular extension, then you are leaving users defenseless by not disclosing it. It's irresponsible to keep it secret, because black-hats out there may already be exploiting it.
Re: (Score:2)
I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.
Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.
Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.
I hope you make the contacts anonymously, because bad things tend to happen to whistleblowers. The "shoot the messenger" philosophy is alive and well in many companies and governments.
Re: (Score:2)
Thank you, this is the discussion I hoped would come out of this article. Fact is, people on Slashdot are definitely going to stumble onto this type of stuff over and over. I'm glad to run into other people to compare scruples with.
Hackers (good word) have an instinct. If they run into an awesome API, the first thought is: how do I maximize this across all the limits and make something amazing? But with vulnerabilities, and unintended code paths, you need to step back and understand the consequences of what
Re: (Score:2)
5 days seems crazy quick.
Agreed. 30 days notice seems to be sort of the minimum norm for advance notice before disclosure.
Handled very well ... (Score:5, Insightful)
... plenty of lead time and followup.
These issues need to be publicized when the hosting site doesn't give a fuck. Customers have a right to know.
John Oliver Already Covered This (Score:2)
Re: (Score:2)
so that... i can..... remove them
Car Analogy (Score:1)
If you see a car unlocked you tell the owner, but you don't tell everyone. If you see a flaw in the design of the door which means all of the cars will be unlocked you don't have any way to tell the owners without telling everyone.
publish (Score:3)
I have to support disclosure (Score:2)
In an ideal world you'd notify the vendor, the problem would get fixed and the world would move on. Alas, we don't live in ideal world. Vendors fail to fix problems. Users don't upgrade software, or can't upgrade it or are unaware they're even using it, and the vendor doesn't publicly announce the fix and the need to apply it. The threat of disclosure, and the eventual disclosure even if the vendor doesn't say anything, is the only leverage we have to make sure vendors really do fix problems and users know
fixed? (Score:1)
Looks like it has been fixed. Or at least you have to login to see anything.
Re: (Score:2)
Yup. See those gold highlights in the background in the one where they're dancing? Distinctly oval.
Oblig. Schneier essay on Full Disclosure (Score:2)
First vulnerability release on /.? (Score:2)
First time a vulnerability was disclosed on Slashdot?
Like this? (Score:1)
import requests
import random
import os
import sys
import time
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)
tmp_pth = 'C:\\temp'
os.chdir(tmp_pth)
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"User-Agent": "Mozilla/"+str(round(random.random() * 5, 1))+" (Windows NT 6