A campaign where you can upload your pictures is making a small version of them publicly available at an "impossible to guess" URL. It was possible to systematically retrieve all the images.
Published: Mon, September 18, 2017, 07:25
Category: Security
Tags: Security Monday, Information leak, UUID, Images, OWASP 2013 A4
A campaign web site from Norway's leading supplier of branded goods, where one could upload images - typically of your kid, and typically including their first name and year of birth - was, and still is, making a small 90 x 90 pixel image publicly available. It was possible to systematically retrieve the data.
Who: Orkla Food's campaign by Japan Photo
Severity level: Low
Reported: August 2017
Reception and handling: Good
Status: Partially fixed
Reward: A thank you
Issue: A small version of the uploaded picture, often together with the given name and year of birth of the person in the picture, is publicly available
Stabburet Leverpostei is a kind of liver pâté that has been part of the diet of many Norwegians for generations. It has had a pretty iconic can with a picture of a kid on the front. At first they used the same kid from 1955 to 1970, but in more recent times they have been using the front more as a marketing opportunity, with competitions, campaigns and a more frequent change and use of several different faces.
In August 2017 I saw a TV commercial saying that if you bought 3 cans of Stabburet Leverpostei you could upload your own picture and receive your own lid that you can use at home.
Of course this made me wonder if the images were securely stored.
I went through the wizard for uploading images, getting the lid and buying other products at the same time as having Chrome DevTools open. I looked for anything out of the ordinary and of course tried out different URLs with different IDs and input.
What I saw was that every image uploaded got a UUID which was used when referring to the image in the different web pages.
They also had this share function where you share the lid that you had created to different social media. What this did was just refer to this UUID at some URL.
The sensible thing would be to make the image publicly available at some URL the moment the customer chose to share the image. As long as it is public, one should expect the image to be accessible to anyone knowing or guessing the URL.
The first problem was - and still is - that all images - shared or not - are publicly available if you just know the URL. For me this looks like quite a trend. Developers often assume that because a URL is hard to guess it should be considered private. This spring we had some media coverage in Norway on how a change in the browser Microsoft Edge made Bing index a lot of URLs like these (Norwegian text). Yes, the URLs might be hard to guess, but the problem is that the URL will always be valid, it will always be public, and you don't know who's accessing it.
Going through the checkout process I noticed that the URL for the final receipt - http://www.stabburetleverpostei.no/takk-for-din-lokkbestilling/ - included the mentioned UUID. And, what's more, the URL redirecting to that URL had the format http://kampanje.stabburetleverpostei.no/checkout/finished/<some auto incremental ID>. Iterating the ID made it possible to collect the UUIDs from seemingly all the orders (I only tried a few).
E.g., going to
http://kampanje.stabburetleverpostei.no/checkout/finished/2095270
would redirect to
/takk-for-din-lokkbestilling/?lokkid=0498600376a123f1530f1fed7083b350
which meant that the image could be seen at
/bestill/streamthumb/0498600376a123f1530f1fed7083b350.
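As an added illustration (my own toy model, not the campaign's code), here is the thumbnail lookup in the open form described above, beside a version that uses the UUID only to locate the image and requires ownership or an explicit share decision to return it. The `ImageStore`, the in-memory `Image` record and the requester names are constructed for the example.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Image:
    owner: str          # account that uploaded the picture (constructed field)
    thumb: bytes        # the 90 x 90 thumbnail bytes
    shared: bool = False  # set only when the owner uses the share function


class ImageStore:
    """Toy stand-in for the campaign's image backend (constructed for this example)."""

    def __init__(self) -> None:
        self._images: Dict[str, Image] = {}

    def upload(self, owner: str, thumb: bytes) -> str:
        # 32 hex chars, like the lokkid in the page. Unguessable, but still just an identifier.
        image_id = uuid.uuid4().hex
        self._images[image_id] = Image(owner, thumb)
        return image_id

    def share(self, image_id: str, requester: str) -> None:
        # Sharing is a deliberate owner action; that is the moment an image may become public.
        img = self._images[image_id]
        if img.owner != requester:
            raise PermissionError("only the owner can share an image")
        img.shared = True

    def streamthumb_open(self, image_id: str) -> Optional[bytes]:
        # Pattern the page describes: anyone who knows (or obtains) the UUID gets the image.
        img = self._images.get(image_id)
        return img.thumb if img else None

    def streamthumb(self, image_id: str, requester: Optional[str]) -> Optional[bytes]:
        # Hardened pattern: the UUID locates the image; ownership or sharing authorizes access.
        img = self._images.get(image_id)
        if img is None:
            return None
        if img.shared or (requester is not None and requester == img.owner):
            return img.thumb
        # Same answer as "not found", so an unauthorized caller cannot confirm the UUID is valid.
        return None
```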
I found two issues in the campaign web site. One is now fixed, but the other persists:
The fact that all images are publicly available is not mentioned in the terms of this campaign.
At night I sent an e-mail to the contact address (for Eurofoto (owned by Japan Photo)) telling them about my findings.
Just before midnight I received an e-mail telling me that they had stopped adding the image UUID to the URL of the "thank you" page. That's a very impressive response time. It does, however, seem that all images are still publicly available.
On the one hand, one could make a big deal of this: a lot of pictures of kids with what are probably often their real given names and years of birth. But let's be real; in this case we are talking about small images; only about 90 x 90 pixels are of the person (the rest is the rest of the can, with the name, year and so on).
Now, this is speculation, but I wouldn't be surprised if the full size images are available at some other public URL. However, I did not find that. And looking at the image data being uploaded, we're looking at an image size (of the person) as small as about 220 x 220 pixels. That is still a pretty low resolution.
Also, there is no connection between the images and data like full name or location.
You - as a consumer - should always assume that whatever images or information you upload or send to some third party can end up either in the wrong hands or publicly available.
All you developers: Please don't think that UUIDs make data private. You still need authentication and authorization; and you still need to check that it's actually working.
If companies choose to store images as in this case, they should indeed mention that in the terms of the site. That is not the case here. I also wish they would mention for how long they are storing the images.