Quip: The #Fail of The Year (So far)

Mar 30, 2010. Posted under: #nomercy, Social Media

Privacy is a big issue these days and a lot is being discussed, at the highest level, about the subject. The more ubiquitous technology becomes, the more invasive it gets, and we should all be careful in how we use it.
The fact that technology is no longer just for geeks *sigh* and everyone uses it, without needing to know how it actually works, has brought new habits in how we communicate. One example: if you want to send a picture from your mobile phone to another one, or upload it to Facebook, you just press a button on your terminal et voilà, it’s done. In between, data packets fly around, connect to servers and get decoded, but the truth is that no one really cares how it happens. The service is there, there is an app for that and you just do it.

Addy Mobile is (was?) a small company that had what seemed to be a great service called Quip: instead of paying the very high rates that carriers charge for sending MMS (and, in the US, going through the troublesome process of knowing the MMS codes for all the providers), you could use Quip, which made the picture available on their server and sent a text message with a unique URL to one of your friends or to Facebook. The app was received, when it was launched, with great praise, and a reviewer described it as “Sitting as the hottest item in social networking apps, Addy Mobile features free unlimited messaging that doesn’t count against your text messaging plan. If you’re searching for an easier, cheaper way to send your iPhone camera pics, I definitely recommend Addy Mobile by Quipp.” The reviewer got the name of the product and the name of the company sideways, but you get the picture.

This was in September, 2009. In November 2009, a post showed up on digg from a user who had discovered that if you randomly changed the last 5 digits of the URL that Quip sent out to you, you would see another picture from another user, one that was not meant for you to see. As the user noted in his post, there were only 60,466,176 possibilities and he was going to try some of them. You would expect that Addy Mobile would be monitoring social media networks, to know what was being said about their app, and that they would immediately implement some kind of security, right? Wrong. Addy Mobile did nothing, and in the meanwhile thousands of users were uploading their pictures without knowing that they were also sharing them with the whole world: pictures of a pet’s latest trick, SMS snapshots, credit card details and the most intimate moments with a significant other (but mostly with oneself). Quip was THE final destination for millions of users who trusted the application to spare them some money and some technical hassles. Little did they know that Quip’s website was also the final destination for thousands of internet users who were watching and downloading pictures that were not meant to be made public.
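The figure in the digg post, 60,466,176, is 36 to the power of 5, so the "last 5 digits" were in fact five case-insensitive alphanumeric characters, and the server answered any URL in that space without checking who was asking. The following is an added example, not code from Addy Mobile or the original post: it works out how cheap that keyspace is to hit once a few hundred thousand pictures are live, and contrasts it with the usual defensive design, a 128-bit token from the OS random generator, stored only as a hash, bound to an expiry and looked up server-side. All names (`ShareStore`, `photo-1`, the 7-day TTL) are assumptions made for the example; the 36-character alphabet is inferred from the page's number.

```python
import hashlib
import secrets

# Assumed from the page's figure: 36**5 == 60,466,176, i.e. five
# case-insensitive alphanumeric characters (this is an inference, not
# documented behaviour of the real service).
ORIGINAL_ALPHABET = 36
ORIGINAL_LENGTH = 5


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct identifiers a token scheme can express."""
    return alphabet_size ** length


def guesses_per_hit(alphabet_size: int, length: int, live_objects: int) -> float:
    """Expected random guesses before one lands on a live object.

    Without access control every live object is reachable by whoever
    guesses its identifier, so this is the cost of the first leak.
    """
    if live_objects <= 0:
        return float("inf")
    return keyspace(alphabet_size, length) / live_objects


def new_share_token(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG as URL-safe base64 (22 chars, no padding)."""
    return secrets.token_urlsafe(nbytes)


def _digest(token: str) -> str:
    # Only a hash is stored, so a leaked database does not hand out live links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ShareStore:
    """Hypothetical server-side map from expiring share tokens to photo ids."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._records = {}  # sha256(token) -> (photo_id, expires_at)

    def issue(self, photo_id: str, now: int) -> str:
        """Mint a fresh token for one photo; the caller puts it in the SMS."""
        token = new_share_token()
        self._records[_digest(token)] = (photo_id, now + self.ttl)
        return token

    def resolve(self, token: str, now: int):
        """Return the photo id for a valid, unexpired token, else None."""
        key = _digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        photo_id, expires_at = record
        if now >= expires_at:
            del self._records[key]  # expired links are forgotten, not left around
            return None
        return photo_id


if __name__ == "__main__":
    # Constructed numbers: one million live pictures in the 36**5 space.
    print("5-char keyspace:", keyspace(ORIGINAL_ALPHABET, ORIGINAL_LENGTH))
    print("guesses per leaked picture:",
          guesses_per_hit(ORIGINAL_ALPHABET, ORIGINAL_LENGTH, 1_000_000))
    print("128-bit token keyspace:", keyspace(64, 22))
    store = ShareStore()
    link = store.issue("photo-1", now=0)
    print("issued", link, "->", store.resolve(link, now=60))
```

The arithmetic in `guesses_per_hit` is the point: with a million pictures live, a 36^5 space yields a valid picture roughly every 60 random tries, whereas the 22-character token from `new_share_token` lives in a space larger than 2^128, so random guessing is not a strategy at all. The hash-only storage and the expiry are the two extra habits a practitioner would expect around any "unique URL" feature.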

Enter Anonymous

Two days ago, huge threads started to show up on 4chan with content that was being downloaded from Quip. A group of users had exploited the lack of security on Quip’s servers and had written a very simple script that automatically randomized those last 5 digits. The person responsible for the company, who goes by the name of Ish, finally reacted when he saw a post on reddit and took action by shutting down Quip’s servers, but it was already too late: millions of (private) photos, some of them including private data, are now fully available on the internet.

Lessons to be learned

One would expect that a company charging €0.99 for an application that deals with private data would take security seriously. One would also expect that Apple, which has an infamous track record when it comes to approving applications, would have checked this application thoroughly before it was made available on the App Store. The fact that millions of photos were sent via Quip, either to cell phones and/or Facebook, and that a first version actually included the name of the sender, should have been important enough to act with care. The fact that Addy Mobile decided to ignore, or didn’t monitor, the alert posted on digg is something that has, in my opinion, no explanation. Remember that this was not a security flaw, since there was no security implemented. The biggest mistake any company can make is to disregard users’ privacy and to think that no one will find out about it. I find it hard to believe that the people behind Addy Mobile didn’t know that their system was lacking any security and that any 10 year old could exploit it (just by deleting a number or character and inserting another). The consequences of this irresponsibility are yet to be known, but Quip’s users should be worried, unless what you sent was just that lovely rose bouquet you got.
But the lessons to be learned don’t stop here: there is a lesson for the users as well. Don’t post anything on a third-party website that you might regret in the future. Remember e-mail? Use it! Really, it is better than having your latest adventures with yourself all over the internet.

Will this be the end of Addy Mobile? Like one user wrote, after Quip’s Ish answered to the thread on reddit: “Saturday: No one knows about your company. Sunday: Anon Finds your company and everyone knows about your company. Monday: You have no company.”

Picture Credit: bcymet under a CC License
