iPhone App Flaw Leads to Massive Photo Sharing Privacy Breach

Quip is an iPhone application that provides simple “private” photo sharing without MMS. A flaw in the service was posted to Reddit a day ago by FlamingZebra90.

Here’s the deal. As stated in the title, QuipText is a service that lets iPhone users send picture messages to others over the internet. The service works by saving the image as a webpage on their server with its own unique URL and then texting the person in question the URL. The only problem? They’re only using 5 alphanumeric, noncase-sensitive characters for the URL, meaning it can be brute forced in a few seconds.

So basically, the way in which photos are accessed is similar to services like TwitPic, with the difference being that users of Quip had the expectation of privacy for their photo sharing. Before long, tech-savvy folk had whipped up automatic scripts for harvesting these private photographs, and the story has erupted in the past day as thousands of private photographs have been released to the Internet.

Ish, a founder of Quip, responded to the Reddit thread, stating:

As soon as this post came to our attention, we immediately shut down our servers. We have also now disabled all S3 access and have started to systematically secure all files in the system. We will not bring the system back up until we have adequate security around all files shared over Quip.

I apologize to our users for this security breach and promise we will do everything in our power to make sure none of their information is exposed once we bring the service back up.

The vision for Quip has always been to provide users a quick, simple, and affordable way for iPhone users to send picture messages without paying exorbitant carrier fees. We are a small company (3 people) but we will work as quickly as possible to bring the service back up in a safe and secure manner.

The makers of Quip have since completely shut down the service in an attempt to protect whatever photos hadn’t been breached yet (if any). Furthermore, the app is no longer available from the iTunes store.

A takeaway for those in the photo-sharing business: if your users have an expectation of privacy, those photos had better be inaccessible to the general public.
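The size of the 5-character, case-insensitive URL space described above, measured against a 128-bit random token, as an added example that is not Quip's code. The stored-photo count, the request rate and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# The alphabet described in the post: alphanumeric, not case-sensitive.
WEAK_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct identifiers of the given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random identifier, in bits."""
    return length * math.log2(alphabet_size)


def expected_requests_to_first_hit(space: int, live_ids: int) -> float:
    """Mean number of distinct guesses before one matches a live identifier
    (guessing without repetition over a uniformly populated space)."""
    return (space + 1) / (live_ids + 1)


def seconds_to_sweep(space: int, requests_per_second: float) -> float:
    """Time needed to request every possible identifier once."""
    return space / requests_per_second


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Shortest identifier length that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def new_photo_token(nbytes: int = 16) -> str:
    """URL-safe token carrying nbytes * 8 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    space = keyspace(len(WEAK_ALPHABET), 5)
    print(f"5-char IDs: {space:,} values, {entropy_bits(36, 5):.1f} bits")
    # Assumed figures: 100,000 stored photos, 1,000 requests per second.
    print(f"requests to first hit: {expected_requests_to_first_hit(space, 100_000):,.0f}")
    print(f"full sweep: {seconds_to_sweep(space, 1_000) / 3600:.1f} hours")
    print(f"length needed for 128 bits: {min_length(36, 128)} characters")
    print(f"example 128-bit token: {new_photo_token()}")
```

A long random token only removes enumeration: anyone who is sent the URL can still open it, so files that must stay private also need an access check on the storage side.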


Image credit: Iphone sunset in the Andes by Gonzalo Baeza Hernández
