Case #6: Who's looking at your pictures?

A campaign site where you can upload your pictures is making a small version of them publicly available at an "impossible to guess" URL. It was possible to systematically retrieve all the images.

Published: Mon, September 18, 2017, 07:25
Category: Security
Tags: Security Monday, Information leak, UUID, Images, OWASP 2013 A4

tl;dr

A campaign web site from Norway's leading supplier of branded goods, where one could upload images - typically of your kid, and typically including their first name and year of birth - was, and still is, making a small 90 x 90 pixel image publicly available. It was possible to systematically retrieve the data.

Summary

Who: Orkla Food's campaign by Japan Photo
Severity level: Low
Reported: August 2017
Reception and handling: Good
Status: Partially fixed
Reward: A thank you
Issue: A small version of the uploaded picture, often together with the given name and year of birth of the person in the picture, is publicly available

Background

Stabburet Leverpostei is a kind of liver pâté that has been part of the diet of many Norwegians for generations. It has had a pretty iconic can with a picture of a kid on the front. At first they used the same kid from 1955 to 1970, but in more recent times they have been using the front as more of a marketing opportunity, with competitions, campaigns, a more frequent change of picture and several different faces.

In August 2017 I saw a TV commercial saying that if you bought 3 cans of Stabburet Leverpostei you could upload your own picture and receive your own cover that you can use at home.

Of course this made me wonder if the images were securely stored.

Approach (technical stuff)

I went through the wizard for uploading images, getting the lid and buying other products at the same time as having Chrome DevTools open. I looked for anything out of the ordinary and of course tried out different URLs with different IDs and input.

What I saw was that every uploaded image got a UUID, which was used when referring to the image in the different web pages.

They also had this share function where you share the lid that you had created to different social media. What this did was just refer to this UUID at some URL.

The sensible thing would be to make the image publicly available at some URL the moment the customer chose to share the image. As long as it is public, one should expect the image to be accessible to anyone knowing or guessing the URL.

The first problem was - and still is - that all images - shared or not - are publicly available if you just know the URL. For me this looks like quite a trend. Developers often assume that because a URL is hard to guess it should be considered private. This spring we had some media coverage in Norway on how a change in the browser Microsoft Edge made Bing index a lot of URLs like these (Norwegian text). Yes, the URLs might be hard to guess, but the problem is that the URL will always be valid, it will always be public, and you don't know who's accessing it.

Going through the checkout process I noticed that the URL for the final receipt - http://www.stabburetleverpostei.no/takk-for-din-lokkbestilling/ - included the mentioned UUID. And, what's more, the URL redirecting to that URL had the format http://kampanje.stabburetleverpostei.no/checkout/finished/<some auto-incrementing ID>. Iterating the ID made it possible to collect the UUIDs from seemingly all the orders (I only tried a few).

E.g., going to
http://kampanje.stabburetleverpostei.no/checkout/finished/2095270
would redirect to
/takk-for-din-lokkbestilling/?lokkid=0498600376a123f1530f1fed7083b350
which meant that the image could be seen at
/bestill/streamthumb/0498600376a123f1530f1fed7083b350.
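The sequential order ID is the kind of thing an operator can spot in access logs. As an added example (not part of the original post, and not the campaign's own code), here is detection logic that flags clients stepping through consecutive /checkout/finished/<id> values; the log lines are constructed and the path format follows the URLs quoted above.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined-log style); not from the post.
# 203.0.113.7 walks consecutive order IDs; 198.51.100.4 is an ordinary customer.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2017:07:25:01 +0200] "GET /checkout/finished/2095270 HTTP/1.1" 302 0
203.0.113.7 - - [18/Sep/2017:07:25:02 +0200] "GET /checkout/finished/2095271 HTTP/1.1" 302 0
203.0.113.7 - - [18/Sep/2017:07:25:02 +0200] "GET /checkout/finished/2095272 HTTP/1.1" 302 0
203.0.113.7 - - [18/Sep/2017:07:25:03 +0200] "GET /checkout/finished/2095273 HTTP/1.1" 302 0
203.0.113.7 - - [18/Sep/2017:07:25:03 +0200] "GET /checkout/finished/2095274 HTTP/1.1" 302 0
198.51.100.4 - - [18/Sep/2017:07:30:10 +0200] "GET /checkout/finished/2095280 HTTP/1.1" 302 0
198.51.100.4 - - [18/Sep/2017:07:31:44 +0200] "GET /bestill/streamthumb/EXAMPLE-ID HTTP/1.1" 200 4120
"""

# Client IP, request method and path from a combined-format log line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
ORDER_RE = re.compile(r"^/checkout/finished/(\d+)$")


def parse_order_ids(log_text):
    """Map client IP -> list of numeric order IDs it requested, in log order."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        order = ORDER_RE.match(m.group("path"))
        if order:
            ids_by_ip[m.group("ip")].append(int(order.group(1)))
    return dict(ids_by_ip)


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the distinct IDs."""
    best = run = 0
    prev = None
    for value in sorted(set(ids)):
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, run)
        prev = value
    return best


def find_enumerators(log_text, min_run=4):
    """IPs that stepped through at least `min_run` consecutive order IDs."""
    return sorted(ip for ip, ids in parse_order_ids(log_text).items()
                  if longest_consecutive_run(ids) >= min_run)
```

A real customer follows one redirect per purchase, so a client touching a run of neighbouring IDs is worth an alert regardless of how fast it goes.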

Security issues

I found two issues in the campaign web site. One is now fixed, but the other persists:

  • Fixed: One could iterate through the completed orders and get the URL of all images
  • Not fixed: Seemingly all images from the orders - even the ones not completed - are public (often including given name and year of birth)

The fact that all images are publicly available is not mentioned in the terms of this campaign.

Reception and handling

Day zero

At night I sent an e-mail to the contact address (for Eurofoto (owned by Japan Photo)) telling them about my findings.

Day 1

Just before midnight I received an e-mail telling me that they had stopped adding the image UUID to the URL of the "thank you" page. That's a very impressive response time. It does, however, seem like all images are still publicly available.

Why the low severity level?

On one hand one could blow this up really big: a lot of pictures of kids with what's probably often their real given name and their year of birth. But let's be real; in this case we are talking about small images, where only about 90 x 90 pixels show the person (the rest is the can itself, with the name, year and so on).

Now, this is speculation, but I wouldn't be surprised if the full size images are available at some other public URL. However, I did not find that. And looking at the image data being uploaded, the image of the person is as small as about 220 x 220 pixels. That is still a pretty low resolution.

Also, there is no connection between the images and data like full name or location.

Conclusion

You - as a consumer - should always assume that whatever kind of images or information you are uploading or sending to some third party can end up in the wrong hands or become publicly available.

All you developers: please don't think that UUIDs make data private. You still need authentication and authorization, and you still need to check that it's actually working.
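An added example (mine, not from the campaign's code base) of what that check looks like for the thumbnail endpoint: the weak version serves anything with a valid UUID, the hardened version serves an image only when its owner has shared it or is the one asking, and an audit helper makes the "is it actually working" part something you can run. Image IDs, user names and the data model are assumptions.

```python
from dataclasses import dataclass


@dataclass
class StoredImage:
    owner_id: str   # account that uploaded the picture
    shared: bool    # True only once the customer used the share function
    thumb: bytes    # the small thumbnail


# Constructed sample data; the IDs are placeholders, not values from the post.
IMAGES = {
    "11111111-1111-4111-8111-111111111111": StoredImage("alice", False, b"thumb-a"),
    "22222222-2222-4222-8222-222222222222": StoredImage("bob", True, b"thumb-b"),
}


def serve_thumb_weak(image_id, images=IMAGES):
    """The behaviour the post describes: knowing the UUID is the only 'check'."""
    img = images.get(image_id)
    return img.thumb if img else None


def serve_thumb(image_id, requester_id, images=IMAGES):
    """Hardened: serve only shared images, or the requester's own images.
    Unknown and unauthorised IDs get the same answer (None, i.e. HTTP 404),
    so a caller cannot tell whether a given ID exists."""
    img = images.get(image_id)
    if img is None:
        return None
    if img.shared or (requester_id is not None and requester_id == img.owner_id):
        return img.thumb
    return None


def visible_to(requester_id, images=IMAGES):
    """Audit helper: which image IDs can this requester (None = anonymous) fetch?
    Run it in your test suite so the authorization rule is verified, not assumed."""
    return sorted(i for i in images if serve_thumb(i, requester_id, images) is not None)
```

Note that the hardened handler still keeps the UUID; the unguessable ID is fine as an identifier, it just isn't the access control.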

If companies choose to store images like in this case, they should indeed mention that in the terms of the site. That is not the case here. I also wish they would mention for how long they are storing the images.
