Ovid (publius_ovidius) wrote,

  • Mood:
  • Music:

Unethical and possibly illegal

What follows is a sad little tale of a geek who was irked by the bad security on a Web site. The information details unethical activity on my part and I suppose my behavior could be construed as theft. Therefore, I am not releasing the name of the site, I will not share the photos in question and I have altered details to obscure who they are. And no, you can't have the software I wrote.

So I get an email this morning:

Subject:   Photoshopped or not?
From:	   "XXXX" <xxxx@hotmail.com> 
To:	   "Ovid" 
Date:	   Sat, 22 Jan 2005 04:37:03 -0800

Hey Curtis, Shouldn't this collapse? Is it real? http://somesite/gallery/architecture/building.html

This is from a friend and it's sent to a relatively spam-free email, so I click the link.

Sorry. This image is only for premium subscribers.

Well, that's fair. Ripping off site content isn't cool so I can understand why he didn't just send me the image. On the other hand, sending me to a link that I can't use is annoying.

So I check the site out and their premium service is, naturally, something I have to pay for. However, they have both free galleries and thumbnail teasers of their premium content. Unfortunately, I can't even get to the free galleries without signing up for their free membership. I use a throwaway email account that I use for purposes such as this and I sign up for their free service. Their free content is nice; they obviously have great photographers. Since they are a large and well-known site, that makes sense. However, I started to notice how consistently everything was put together. Hmmm ...

Right click. View source. See how the URL is generated in Javascript pop-ups. Looks pretty consistent. Play around with the URL my friend sent.

Bingo! I'm now looking at their premium content. This, of course, is what you get when you hire programmers or sysadmins who don't pay enough attention to security. They had a trivial lock on the premium page with the thumbnails, apparently under the assumption that people wouldn't figure out they can enter URLs directly. This is called security by obscurity. It's equivalent to saying "closing my front door will keep out burglars because they won't know the door is unlocked." Stupid, stupid, stupid. I harp on this quite a bit when I'm teaching someone Perl, so this gets under my skin.

Going back to the photo: sure enough, it's a strange photo and I understand why my friend sent it. However, I'm now curious about the other photos. They have braindead security. I don't want to keep right clicking, viewing source and munging URLs. That's why I use Perl.

A few minutes later (yeah, I said minutes. Try that you Java weenies :), I had a script that effectively did this:

login to Web site

for each gallery on site
    for each photoshoot in gallery
        for each photo in photoshoot
            copy image to my hard drive

laugh maniacally like the geek I am

OK, so it was me laughing and not the program, but you get the idea.

I was mirroring their directory structure and I noticed that they have hundreds of photo shoots. Most shoots are rather small but it still seemed odd that I only had a couple of hundred photographs. However, quite a few of the directories were empty. A bit of research revealed what was going on. As a very primitive attempt to break Web spiders, they were switching the case in their URLs. Poorly programmed spiders will try to find "photographs" and miss the "Photographs" and "photoGraphs." Mine was a poorly programmed spider so I had to change my code to be case-insensitive and to not download something I already had. This took about 2 seconds.

So now I have about 1,700 images on my hard-drive. Theoretically I should have paid for them but because the site had stupid security, it was trivial to snag them.

But some directories were still empty. What the hell? I went to one of the "empty" photo shoots on their site and sure enough, there were photos there. As it turns out, they had munged these photo names and let their Javascript (?!) alter the photo names back to their original form.

Their is a term for programmers who do things like this:


Because my browser has to load the Javascript, I, too, can see the Javascript. Once I saw what they were doing, I changed my code to "retry" certain images if they met the form encountered in the Javascript.

I now have 5,389 photos on my hard drive. As it turns out, I was only fetching photos from one category. They have 10 categories.

I don't expect most people to understand software security. But for such a large, well-known site that charges money and obviously thought about security, this is pathetic. I don't expect you to know anything about software security, but I do expect you to know something about it if you're trying to implement it.

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded