O2 Leaks “Private” MMS Photos

Score one for lax security. UK Mobile Operator O2 allows its customers to send Multimedia Messaging Service (MMS) photos to email recipients by way of a web interface, as Slashdot reports. No big deal—that’s actually a useful feature.

So what’s the problem? The post said that the URLs published by the MMS-to-email application are not authenticated. “That means a simple Google search reveals hundreds, if not thousands, of private photos.”

As InformationWeek also reports, O2 was basically relying on the ostrich syndrome as their entire security strategy—if you don’t see it, it’s not there. “O2’s security for this scenario is security through obscurity: It makes pictures sent via MMS viewable on non-MMS devices by posting them online with a URL that’s difficult to guess.”

In other words, it lets customers send MMS photos from their phones, and it lets intended recipients view them even if they weren’t using an MMS-capable phone. But the photos themselves are available for googling—and are not actually private, despite what all the people taking them and sending them may think.