Here’s the deal. As stated in the title, QuipText is a service that lets iPhone users send picture messages to others over the internet. The service works by saving the image as a webpage on their server with its own unique URL and then texting the person in question the url. The only problem? They’re only using 5 alphanumeric, noncase-sensitive characters for the URL, meaning it can be brute forced in a few seconds.
So basically, the way in which photos are accessed is similar to services like TwitPic, with the difference being that users of Quip had the expectation of privacy for their photo sharing. Before long, tech-savvy folk had whipped up automatic scripts for harvesting these private photographs, and the story has erupted in the past day as thousands of private photographs have been released to the Internet.
Ish, a founder of Quip responded to the Reddit thread stating:
As soon as this post came to our attention, we immediately shut down our servers. We have also now disabled all S3 access and have started to systematically secure all files in the system. We will not bring the system back up until we have adequate security around all files shared over Quip.
I apologize to our users for this security breach and promise we will do everything in our power to make sure none of their information is exposed once we bring the service back up.
The vision for Quip has always been to provide users a quick, simple, and affordable way for iPhone users to send picture messages without paying exorbitant carrier fees. We are a small company (3 people) but we will work as quickly as possible to bring back the service up in a safe and secure manner.
The makers of Quip have since completely shut down the service in an attempt to protect whatever photos hadn’t been breached yet (if any). Furthermore, the app is no longer available from the iTunes store.
A takeaway for those in the photo-sharing business: if your users have an expectation of privacy, those photos had better be inaccessible to the general public.