Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy

Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos 94

fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? Do you support publishing them if they are not fixed in a reasonable time?
This discussion has been archived. No new comments can be posted.

Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos

Comments Filter:
  • Careful (Score:5, Informative)

    by phantomfive ( 622387 ) on Tuesday May 12, 2015 @05:51PM (#49677415) Journal
    Be careful when using this vulnerability......depending on your purpose in using it, you could be literally committing a crime. If you download the images by modifying the URL.......people have gone to jail for that.
    • Please cite the criminal code.

      Thank you.

      • That's a really weird request, but the relevant law is the Computer Fraud and Abuse Act, 18 U.S.C. 1030
        • Re: (Score:1, Troll)

          That's cool. I'm not under the jurisdiction of USA. Neither is 95% of the worlds population.
          I'm pretty sure the Chinese Government doesn't care if it's citizens hack in to American companies websites. Not that this really counts as hacking.

          • That's cool. I'm not under the jurisdiction of USA.

            That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'

            • by Anonymous Coward

              That's cool. I'm not under the jurisdiction of USA.

              That's cool. Maybe you also don't live in a country with an extradition treaty with the US. Maybe you also don't live in a country with a similar law against 'hacking.'

              To explain why the poster made those points, to be extradited requires not only that the country from which the person is being extradited has an extradition treaty, but also that the country has a similar law to the US law being broken, namely if the person had done the act against someone or something inside their own country it would also have been illegal there.

              And for those who do not know, many countries, like Russia, will not allow their citizens to be extradited, so if someone in such a country hac

          • by gl4ss ( 559668 )

            about 80% would extradite to the US though.
            unfortunately.

            or the company could pursue the local similar laws.

            in this case though very unlikely, because there's too many people to prosecute it's likely that nobody will be prosecuted.

            • When was the last time USA extradited someone in China for hacking? They just blame it on the Chinese government, say boohoo, no sanctions for you, because we need you more than you need us.

        • No.

          The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?"

          There is, and a person doesn't even have to be logged in to view those photos.

          There's nothing illegal about that. The photo at 21470800 has no accompanying narrative that even hints that a person should not be there.

          Most people on /. are familiar with the Computer Fraud and Abuse Act, 18 U.S.C. 1030 and it does not apply here.

          The a

          • The point of TFA is that a URL pointing to a photo ended with the number, "21470800," and the curious would naturally wonder, "Is there something before and after that number?" There is, and a person doesn't even have to be logged in to view those photos. There's nothing illegal about that.

            Well yes, it seems like a perfectly natural thing to do. And yet people have been arrested and gone to jail for it. Search the internet or read the other posts in this story if you want to free yourself from ignorance.

            Also, nice sig.

            • ... free yourself from ignorance ...

              I'm in the business, so I've already jumped that hurdle.

              • Oh? Have you found any cases where people were jailed for similar things as in this article?
                • "Similarity" is not a legal concept. The Computer Fraud and Abuse Act, 18 U.S.C. 1030 does not have a provision for similarities.

                  • Please tell me oh great one, what is the source of your wisdom? Did you get a certification or something?
                    • I went the "or something" route and digested the law and attended a seminar regarding same, just like most IT professionals have.

                      We can't manage and comply with what we don't understand, as obviated by your example.

                    • Oh, a seminar. What a credential!
                    • I did not get a PHD in the subject.

                      I apologize for my shortcomings.

                    • So anyway, if you do try to modify the URL to access unauthorized areas of the website, you are not only breaking the law, you are literally hacking. The security they use is lousy, but the fact that someone leaves their door open does not allow you to trespass.
                    • So anyway, they fixed it and anyway, here's your fail:

                      ... to access unauthorized areas ...

                      The link (before they fixed it) displayed only one thing: A photo.

                      There was no narrative either above, or below, and no narrative on either side of the photo.

                      Incrementing that number by one or decrementing by one (or multiples thereof) produced more photos but no narratives.

                      You're telling me I'm driving in a school zone but it's a secret.

                      Here's a truncation of the link above that DOES provide narrative:

                      http://upload.artisanstate.com/upload/ [artisanstate.com]

                      I modified a U

                    • What's your point, that the law is irrational?
                    • No, it's not the law that's irrational here.

                      That's why you failed to answer the question.

                    • That's why you failed to answer the question.

                      Hey genius, you forgot to ask a question.

                      Also, you really entertain me. You say people can't go to jail for this kind of thing, whereas people already have.

                    • I'm not going to jail and here's on you:

                      Show me where that's illegal.

        • To add to the discussion regarding 18 U.S.C. 1030, I will note that this website does not affirmatively note anywhere that these photos are to be considered private.

      • by Anonymous Coward
        The law being potentially broken: 18 U.S. Code 1030(a)(2)(c) - Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

        18 U.S. Code 1030(e) defines "protected computer" as "a computer which is used in or affecting interstate or foreign commerce or communication". This essentially means any computer connected to the Internet.

        Changing the URL to access information the user was not intended to have access
      • by SeaFox ( 739806 )

        Please cite the criminal code.

        It would just be lumped in under that nebulous "unauthorized access to computer systems" of 18 USC 1030 [wikipedia.org].

        • So, you're saying that law prohibits me from going to www.cnn.com/jdjdh##%^hndj, right?

          • by dbIII ( 701233 )
            If you piss someone off by doing it (eg. with the AT&T vunerability), sadly yes.
            Doing the right thing and informing people of their security holes also counts as pissing them off and has landed people in jail.

            If Kafka was writing today he's probably do a story on one of those insane trials.
            • Incrementing a parameter in a URL by one has nothing to do with AT&T. I'm on TWC and it worked. I'm on Verizon and it worked.

              The company hosting the photos can be pissed all they want. That doesn't matter. It's not illegal. The site is working inside the parameters and restrictions as applied by the company.

              The valid concern regarding a pissing contest is between the company and its customers.

              • by dbIII ( 701233 )

                Incrementing a parameter in a URL by one has nothing to do with AT&T

                One of the examples given by another poster was some poor bastard that went to jail for "hacking" AT&T by changing a URL and then contacting AT&T to tell them they had a problem.

  • The article asks:

    I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?

    The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.

    • by Meshach ( 578918 )

      The article asks:

      I was preparing a book for one of my clients and as I am uploading the photos, which are personal, the first thought was... should I really be uploading these photos to this website, we just met?

      The answer is no, of course you shouldn't trust any website. If you want it to remain private, leave it off the internet.

      I assume that whoever is speaking in the article has a job / contract to prepare these photos for clients who have requested that they upload the photos to the service. In that case leaving them off the Internet is not an option.

      • Obviously the photos aren't that private (the Asian girl), since I put them on Slashdot's front page. But the others ones (now seeing the lax security) it will be worth for me to invest in a good printer and print on my own.

  • by Midnight_Falcon ( 2432802 ) on Tuesday May 12, 2015 @05:58PM (#49677449)
    I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.

    Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.

    Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.

    • There is only one reason to not do full disclosure......and that is if users are unable to defend themselves.

      For example, if you find a vulnerability in Squid, and an admin can defend against the vulnerability by disabling a particular extension, then you are leaving users defenseless by not disclosing it. It's irresponsible to keep it secret, because black-hats out there may already be exploiting it.
    • I've reported serious vulnerabilities to a number of companies in the past. Generally, they acknowledge receipt of the information but do nothing to fix the problem -- e.g. a race condition, a SQL injection vulnerability, etc etc. However, when I've posted information on reddit or other internet forums, the bugs tend to get fixed rather quickly.

      Full disclosure may well be a necessary evil -- sure, it allows anyone for some period of time to exploit the vulnerability; but it sure ends up getting fixed. Companies will wait months and years to fix security bugs if there is no clear and present danger.

      Any time I disclose a bug to a vendor, I now tell them in the e-mail they have five days to fix it; after that it will be publicly disclosed. And I always make good on the disclosure.

      I hope you make the contacts anonymously, because bad things tend to happen to whistle blowers. The "shoot the messenger" philosophy is alive and well in many companies and governments.

    • Thank you, this is the discussion I hoped would come out of this article. Fact is, people on Slashdot are definitely going to stumble onto this type of stuff over and over. I'm glad to run into other people to compare scruples with.

      Hackers (good word) have an instinct. If they run into an awesome API, the first thought is: how do I maximize this across all the limits and make something amazing? But with vulnerabilities, and unintended code paths, you need to step back and understand the consequences of what

  • by CaptainDork ( 3678879 ) on Tuesday May 12, 2015 @06:14PM (#49677543)

    ... plenty of lead time and followup.

    These issues need to be publicized when the hosting site doesn't give a fuck. Customers have a right to know.

  • You know there's pictures of penises in there, anyone can get to them. 'Nuff said, right? Wasn't chat roulette working on some penis detection code? Perhaps someone could hook that code up to an automated web robot to automatically ferret the dick pics out of this site.
    • by Lehk228 ( 705449 )
      yes write me a program that finds and lists dick pics.

      so that... i can..... remove them ... of course...
  • by Anonymous Coward

    If you see a car unlocked you tell the owner, but you don't tell everyone. If you see a flaw in the design of the door which means all of the cars will be unlocked you don't have any way to tell the owners without telling everyone.

  • by frovingslosh ( 582462 ) on Tuesday May 12, 2015 @06:45PM (#49677727)
    After being arrested, tortured and killed for trying to alert an on-line service to their vulnerability due to poor design, I no long try to contact vendors directly. I now publish the information in great detail to pirate sites, and I have found that this will get the attention of the company much better than trying to alert them quietly.
  • In an ideal world you'd notify the vendor, the problem would get fixed and the world would move on. Alas, we don't live in ideal world. Vendors fail to fix problems. Users don't upgrade software, or can't upgrade it or are unaware they're even using it, and the vendor doesn't publicly announce the fix and the need to apply it. The threat of disclosure, and the eventual disclosure even if the vendor doesn't say anything, is the only leverage we have to make sure vendors really do fix problems and users know

  • Looks like it has been fixed. Or at least you have to login to see anything.

  • https://www.schneier.com/essay... [schneier.com] Well worth the read if you haven't before.
  • First time a vulnerability was disclosed on Slashdot?

  • by Anonymous Coward

    import requests
    import random
    import os
    import sys
    import time

    sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)
    tmp_pth = 'C:\\temp'
    os.chdir(tmp_pth)
    headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "User-Agent": "Mozilla/"+str(round(random.random() * 5, 1))+" (Windows NT 6

Do molecular biologists wear designer genes?

Working...