From: David Peterson (SAL-AU)
Sent: Wednesday, March 31, 2010 12:16:33 AM
Subject: Newsbank: Quip app security hole shares private photos (iPhone)
Auto forwarded by a Rule
Quip app security hole shares private photos
- By Andrew Ramadge, Technology Reporter
- From: news.com.au
- March 30, 2010
- iPhone app had serious security hole
- Thousands of intimate photos leaked
THOUSANDS of intimate photos sent between iPhone users have been made public after an embarrassing security flaw.
The Quip app promised to let people send pictures to each other for free — like sending a multimedia message but without any fees.
What it didn't say was that anyone with a few web skills could see them as well.
Quip stored the private images on a publicly accessible web server without any encryption, making them easy prey for savvy internet users.
Now some of the most intimate moments of thousands of people are being circulated on web forums.
Many photos show people posing nude or having sex. Others show a day at the baseball or baby shots.
One image shows a man naked from the waist up and seemingly covered in cuts and blood. Another seems to have been taken inside the White House.
Some internet users have also allegedly matched up nude photos with real names and Facebook profiles.
On one web forum, a user identifying as one of the makers of the Quip app said the system had been shut down.
"Hello, this is Ish, the founder of Addy Mobile, makers of the Quip app," said "ish_addy" on Reddit.
"As soon as this post came to our attention, we immediately shut down our servers. We have also now disabled all S3 access and have started to systematically secure all files in the system.
"We will not bring the system back up until we have adequate security around all files shared over Quip."
However, many of the photos, saved by people before the servers were shut down, are still being circulated.
[additional note from DP]: fortunately for those who had their photos leaked, the Quip app seems to resize the photos and strip the original EXIF data from them. It would be one thing to have embarrassing personal photos leaked. And quite another again to have such photos tagged with the owner's GPS co-ordinates – since Google Maps will quite helpfully perform a reverse lookup to the precise street address.