In association with heise online

21 July 2008, 13:59

Security vulnerability in O2 UK's MMS system


The O2 UK web application for viewing MMS messages apparently failed to use secure authentication. Mobile phones without MMS support, which include the iPhone, display a URL so that the messages can be viewed via a web application. Unfortunately, this web application was unsecured, so the images could be indexed by search engines. Once indexed, these private communications could be revealed by a simple Google search and viewed by anyone. Some customers have expressed shock at the mobile network operator's negligent attitude. A young mother, for example, discovered a photo of her two-year-old daughter which she had sent by MMS.

Some O2 staff at least were clearly already aware of the problem – entries on O2's public internet forum describing this ignominious state of affairs have inexplicably vanished with no initial response from O2. An O2 spokesperson did eventually comment, saying "We have temporarily taken down our MMS web-based viewing service while we investigate this issue fully. This has no impact on the service for customers with MMS-enabled handsets".

While it is now no longer possible to find MMS messages on O2 UK by searching on Google, some may still be found in the Google cache.

