Imageshack Security Issue Reported, Fixed

| | Comments (3)
Earlier today, we noticed it was possible for malicious users to abuse Imageshack by obtaining the IP Address of anyone who had uploaded an image to the site (considering they have 2+ million uploads a day, that's an awful lot of people to choose from). The first step would be to make a simple alteration to the file extension on a "direct link" URL for any Imageshack picture.

Once done, a file would be presented for download.


Upon opening up the file, you would be presented with the IP Address of the uploader:


This presents an obvious security risk, and could be used for everything from freaking people out on forums via the method of "magically" revealing someones IP address to more devious activities like building up a posting history of particular IP addresses, or simply trying to run exploits against the end-user in question. Of course, end-users might be caught out if they've been uploading images on company time, too (the snooper could match an IP to a company and go to them with an easily identifiable person in a photograph for example. It may sound a touch OTT, but never underestimate someones capacity to cause trouble over the silliest things).

We notified Imageshack at 7:59 PM GMT / 11:59 AM PT. Imageshack responded at 9:03 PM GMT / 1:03 PM PT, letting us know that the issue reported had been addressed and were confident that "this security gap no longer exists". After some testing, that appears to be the case. If you try the same technique now, you'll see this:


We don't know how long this has been in circulation for, but I'll stick my neck out and guess (hope!) that it's a recent thing. Kudos to Imageshack for acting so quickly - I can't remember the last time we found something that was patched at such speed, and full credit to them. The last time an issue like this existed was (I believe) back in 2006, which was also apparently fixed rapidly.

A shame it doesn't always happen like that...


Is this really fixed though? I noticed that someone blotted out part of the screenshot images (in red) that wasn't blotted a few days ago. Is there a reason for this?

"Is this really fixed though?"

It is indeed :)

I ended up with two versions of the blog entry (one obscured and one with full details included) and published the one with the info in the text and the screenshots by accident.

When I realised the wrong one was live I switched it back around because although unlikely, it theoretically *could* work on some other random image website somewhere, but we've tried the same technique on everything from Flickr to Photobucket with a bunch of others inbetween and nothing happened. However, I usually obscure info like that just to be on the safe side as there's no realistic way to hunt down and test out every image website available.

But just to reconfirm - since Imageshack applied the fix, this does not appear to work at all. As far as we're aware, it doesn't work anywhere else either.

I've seen this on a few hacking sites over the weekend. Definitely isn't working anymore because of the amount of script-kiddie wannabes now crying about it.

In fact there's a thread about this right now on one of the "Anon" hangouts with lots of wannabes going BAAAAAAW because they can't get it to work.

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on September 26, 2008 10:21 PM.

Chinese malware attacks WoW community was the previous entry in this blog.

XBox Live "Microsoft Point Generator" Scam is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.