Hard at work

Unethical and possibly illegal

What follows is a sad little tale of a geek who was irked by the bad security on a Web site. The information details unethical activity on my part and I suppose my behavior could be construed as theft. Therefore, I am not releasing the name of the site, I will not share the photos in question and I have altered details to obscure who they are. And no, you can't have the software I wrote.

So I get an email this morning:

Subject: Photoshopped or not?
From:    "XXXX" <xxxx@hotmail.com>
To:      "Ovid"
Date:    Sat, 22 Jan 2005 04:37:03 -0800

Hey Curtis, Shouldn't this collapse? Is it real? http://somesite/gallery/architecture/building.html

This is from a friend and it's sent to a relatively spam-free email, so I click the link.

Sorry. This image is only for premium subscribers.

Well, that's fair. Ripping off site content isn't cool so I can understand why he didn't just send me the image. On the other hand, sending me to a link that I can't use is annoying.

So I check the site out and their premium service is, naturally, something I have to pay for. However, they have both free galleries and thumbnail teasers of their premium content. Unfortunately, I can't even get to the free galleries without signing up for their free membership. I use a throwaway email account that I use for purposes such as this and I sign up for their free service. Their free content is nice; they obviously have great photographers. Since they are a large and well-known site, that makes sense. However, I started to notice how consistently everything was put together. Hmmm ...

Right click. View source. See how the URL is generated in Javascript pop-ups. Looks pretty consistent. Play around with the URL my friend sent.

Bingo! I'm now looking at their premium content. This, of course, is what you get when you hire programmers or sysadmins who don't pay enough attention to security. They had a trivial lock on the premium page with the thumbnails, apparently under the assumption that people wouldn't figure out they can enter URLs directly. This is called security by obscurity. It's equivalent to saying "closing my front door will keep out burglars because they won't know the door is unlocked." Stupid, stupid, stupid. I harp on this quite a bit when I'm teaching someone Perl, so this gets under my skin.

Going back to the photo: sure enough, it's a strange photo and I understand why my friend sent it. However, I'm now curious about the other photos. They have braindead security. I don't want to keep right clicking, viewing source and munging URLs. That's why I use Perl.

A few minutes later (yeah, I said minutes. Try that you Java weenies :), I had a script that effectively did this:

login to Web site

for each gallery on site
    for each photoshoot in gallery
        for each photo in photoshoot
            copy image to my hard drive

laugh maniacally like the geek I am

OK, so it was me laughing and not the program, but you get the idea.

I was mirroring their directory structure and I noticed that they have hundreds of photo shoots. Most shoots are rather small but it still seemed odd that I only had a couple of hundred photographs. However, quite a few of the directories were empty. A bit of research revealed what was going on. As a very primitive attempt to break Web spiders, they were switching the case in their URLs. Poorly programmed spiders will try to find "photographs" and miss the "Photographs" and "photoGraphs." Mine was a poorly programmed spider so I had to change my code to be case-insensitive and to not download something I already had. This took about 2 seconds.

So now I have about 1,700 images on my hard-drive. Theoretically I should have paid for them but because the site had stupid security, it was trivial to snag them.

But some directories were still empty. What the hell? I went to one of the "empty" photo shoots on their site and sure enough, there were photos there. As it turns out, they had munged these photo names and let their Javascript (?!) alter the photo names back to their original form.

There is a term for programmers who do things like this:


Because my browser has to load the Javascript, I, too, can see the Javascript. Once I saw what they were doing, I changed my code to "retry" certain images if they met the form encountered in the Javascript.

I now have 5,389 photos on my hard drive. As it turns out, I was only fetching photos from one category. They have 10 categories.

I don't expect most people to understand software security. But for such a large, well-known site that charges money and obviously thought about security, this is pathetic. I don't expect you to know anything about software security, but I do expect you to know something about it if you're trying to implement it.
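As an added illustration (not code from the post, and not the author's script), here is the pattern the post describes beside a hardened version in Python: a check that only guards the thumbnail page, then one that authorizes every request under the premium prefix after normalizing case and URL encoding (so case-switched or renamed image paths get no special treatment), plus a signed, expiring link for files served without a session. The paths, tokens and signing key are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import unquote

# Constructed sample data for this example (not the site from the post).
PREMIUM_PREFIX = "/gallery/"
SESSIONS = {"free-token": {"premium": False}, "paid-token": {"premium": True}}
SECRET = b"example-signing-key"  # assumption: server-side secret, never sent to clients


def weak_serve(path: str, token: str) -> str:
    """Mirrors the flaw in the post: the subscription check runs only on the
    thumbnail/index page, so a direct request for an image bypasses it."""
    session = SESSIONS.get(token, {"premium": False})
    if path.endswith(".html") and not session["premium"]:
        return "403 premium only"
    return "200 " + path  # every other path, images included, is served


def hardened_serve(path: str, token: str) -> str:
    """Authorize every request under the premium prefix, not just the index.
    Decode and case-fold before the check so mixed-case or obfuscated names
    (the site's anti-spider tricks) cannot sidestep it."""
    norm = unquote(path).lower()
    session = SESSIONS.get(token, {"premium": False})
    if norm.startswith(PREMIUM_PREFIX) and not session["premium"]:
        return "403 premium only"
    return "200 " + path


def sign_path(path: str, expires: int) -> str:
    """Issue a short-lived signed link so a static file host can serve a
    premium image without a session while the link still cannot be guessed."""
    msg = f"{unquote(path).lower()}|{expires}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{path}?e={expires}&sig={sig}"


def verify_signed(url: str, now: int) -> bool:
    """Accept only an unexpired link whose signature covers path and expiry."""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params["e"])
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    msg = f"{unquote(path).lower()}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))
```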

  • Current Mood: amused
  • Current Music: Shriekback | Shark Walk

That, my friend, is awesome. Yes, technically, you stole from them, but maybe in a way you're helping them to realize they have poopy security.


Are they cool photos?

Bah, don't listen to him/her. It's not really theft. It's only theft according to the law.

It is, however, kind of an invasion of privacy.

A few minutes later (yeah, I said minutes. Try that you Java weenies :)

C, you are so damned cute sometimes.


I'd say that you should tell them about this flaw, but I wouldn't want you to wind up like Randal Schwartz.

This is one of the reasons I ♥ Perl. So expressive with so little effort. I've got Perlbots that give me intersection or union sets of friends lists/members lists on LJ that took probably two minutes to write each (just because I didn't want to cross-post too offensively, haha).

Still, good catch. High-larious.

Re: Haha.
(Hmm ... let's repost this without the horrible formatting screwup)

What a coincidence :)

Well, theoretically they could find me through their logs, but I doubt they'll try that hard. Still, Oregon's computer crime laws are so idiotic I can't believe they haven't been tossed out. Right now, the law is worded so poorly that if I tell you to never call me again and you leave me a voice mail letting me know you found my wallet or something, you've committed a felony computer crime.

Re: Haha.
Ha, funny. Your code is more elegant than mine, I'm a great believer in the principle of Laziness. ;) I just use LWP::Simple and run some regexy magick to get the data quick and dirty, and of course it's therefore highly sensitive to even the most minor of formatting changes to userinfo.bml's output. Heh.

Man, I still get so angry when I think about that Intel case. Oregon's computer laws really are just bizarre, I agree.

Re: Haha.
*You* get angry at it? How do you think it makes *me* feel?

Just another guy who heard his ears burning...

Re: Haha.
Oh, hello Mr. Schwartz! Didn't know you frequented these here parts.

In answer to your query, I'm going to hazard a guess that it probably makes you feel considerably angrier than I am able to get over it. ;)

I'm pretty impressed. That's pretty funny. Security through obscurity is one of the things that makes me sad about my job. It's how we do just about everything, because my boss thinks our routers are invulnerable. It's very, very sad stuff. I don't have the weight there to toss around and get it fixed, either. Yay for legacy systems.

this is why none of the stuff i really like ever sees the internet