When Private Photos Don't Stay Private for Long
It has always been a challenge to securely share photos, videos and messages on the internet.
Few applications offer a ‘trust no one’ mode where the shared content benefits from end-to-end encryption, making it nearly impossible to snoop on.
In privacy wars, Apple has a proven track record of providing a much more secure environment than Android. This was confirmed earlier this week when an Android SMS messaging application publicly exposed the media shared by its user base of over 100 million users.
“Private files sent by users to contacts who don’t have [the application] installed can be accessed from the app’s servers via a shortened URL. […] The shortened URLs sent to contacts without the app were sequentially generated […] that made it very easy to go through all these privately shared files, even without knowing the full list of shared URLs.”
This is not the first time developers have let users upload content to their servers and then numbered the documents sequentially, which makes it trivial for malicious actors to guess the URLs and download the content. In 2019, Brian Krebs reported that a large American financial institution had leaked hundreds of millions of records following an identical security issue.
The risks of outsourcing to a cloud service provider
The main issue in this news story is that users are rarely, if ever, able to control what happens to their data once they share it with a cloud service provider. Providers may have privacy and security policies, but these are not always enforced. This is especially true in competitive industries such as messaging applications where developers must always offer new features to keep their users happy.
Fast development cycles lead to programming mistakes and to easy solutions rather than secure ones. In the case of the Android messaging application, a solution would have been to create a unique random identifier for each file before sharing the link with the message recipient. However, it takes more time to code a random identifier generator than to increase the value of a counter by 1.
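The difference between the two approaches, as an added example that is not code from the application or from the researchers: a counter-based link store beside one that draws identifiers from the operating system's secure random source, plus an audit check that counts how many other files a single known link gives away. The host name, class names and function names are assumptions made for illustration.

```python
import itertools
import secrets

BASE_URL = "https://share.example/f/"  # placeholder host (assumption, not from the article)


class SequentialLinks:
    """Weak pattern from the article: each shared file gets the next counter value."""

    def __init__(self):
        self._next_id = itertools.count(1000)
        self.files = {}

    def share(self, blob: bytes) -> str:
        ident = str(next(self._next_id))
        self.files[ident] = blob
        return BASE_URL + ident


class RandomLinks:
    """Hardened pattern: 128 random bits per link, so one link says nothing about another."""

    def __init__(self):
        self.files = {}

    def share(self, blob: bytes) -> str:
        ident = secrets.token_urlsafe(16)  # 16 bytes from the OS CSPRNG -> 22 URL-safe chars
        while ident in self.files:  # a collision is astronomically unlikely; stay unique anyway
            ident = secrets.token_urlsafe(16)
        self.files[ident] = blob
        return BASE_URL + ident


def neighbours_exposed(store, known_url: str, window: int = 50) -> int:
    """Audit check: how many OTHER stored files does one legitimately received link
    reveal when its identifier is stepped up and down by at most `window`?"""
    ident = known_url[len(BASE_URL):]
    if not (ident.isascii() and ident.isdigit()):
        return 0  # not a number, so there is no "next" identifier to step to
    centre = int(ident)
    candidates = (str(centre + d) for d in range(-window, window + 1) if d != 0)
    return sum(1 for c in candidates if c in store.files)


if __name__ == "__main__":
    photos = [b"constructed sample %d" % i for i in range(5)]  # constructed test data
    for store in (SequentialLinks(), RandomLinks()):
        links = [store.share(p) for p in photos]
        print(type(store).__name__, links[2], "->",
              neighbours_exposed(store, links[2]), "other files reachable")
```

Random identifiers only make links unguessable; anyone who obtains a link can still open it, so they complement access control and expiry rather than replace them.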
Your employees should be aware that all content shared online, even on supposedly private platforms, could eventually become public. Among the media shared, journalists and malicious actors have found personal and private information, identity cards and images of people with illicit drugs and guns. This leaked data could easily be used to commit identity and financial fraud.
No hope for remediation
While the cat has been out of the bag for a number of days now, the developers of the Android application have yet to take the step of removing the leaked data from their servers. The security researchers contacted them in August but they never replied on the matter. There is no logical reason for developers not to remove this content, especially if it was shared days or weeks ago. How many times do message recipients fetch an image from their messages that was sent weeks or months ago?
This lack of response demonstrates the need to choose wisely which applications to use when sharing information online. Google itself has been able to provide patches for its browser in a matter of hours or days. This should encourage users to trust its products, since any vulnerability or security issue is likely to be fixed quickly, reducing the attack surface. As the past is often a guarantee of the future, you should always research how a company handled past security issues. While no company can prevent all problems, those that react quickly – and openly – should be preferred over those that do not take down private content when notified. This habit could protect your company and its brand image in the long term.