Wednesday, March 5, 2008

Stealing Pictures From Locked Sites Online

Think twice before Uploading your pictures and sharing them...

This is must-watch video from FOX channel. It is about “hacking into photo sites”, and “stealing” potentially embarrassing images to post up elsewhere which is called "fuskering".



According to Mike Andrews, “Fuskering” basically is…

  • pulls a number of images/pages/etc within a range “expanding” request based off a pre-identified “pattern”. E.g. “www.example.com/image[1-3].jpg” becomes www.example.com/image1.gif, www.example.com/image2.gif, www.example.com/image3.jpg

  • It generally relies on someone “finding” an image first, then “fuskering” for others that might be from the same user, like using known sequence numbers from digital camera images (eg. DSC12345.jpg - once you find one, other images are in that sequence either ascending or descending in time) as a good starting point.

  • There are a number of tools out there that do this automatically. I’m not going to link to them, but any Google-fu and you should be able to find them. Personally, Perl and a shell script would have done it for me.

  • Sites are mostly “vulnerable” because they use the security by obscurity pattern - if an image link is “known” by a user (either because they have been sent it, or because they have permission to see the link and therefore the site displays it to them), then the image is viewable. If someone has the time/resources to perform random requests, or crawl for one “interesting” image and then fusker for others, it’s quite likely that other image links could be discovered and then requested.

  • The lack of an authorization check on displaying the image itself (rather than on the display of the link) is often one of the security trade-offs that a site might decide to make - displaying links to only the “allowed” images as a page is being created isn’t much of a performance trade off - the site has to dynamically generate the page anyway somehow (on demand, or pre-processed). However, performing a secondary authorization check during the request for an actual image (whether it’s to the .jpg, .gif, etc, directly or via a “proxy” script) may be too much of a performance hit if lots of users are accessing the site pulling images.

It is highly recommended that think twice before uploading any sort of photos on online sharing websites. For e.g. Flickr, Photobucket, TinyPics, etc....

No comments: