Results tagged “IP Address” from SpywareGuide Greynets Blog

Earlier today, we noticed it was possible for malicious users to abuse Imageshack by obtaining the IP address of anyone who had uploaded an image to the site (given that they handle 2+ million uploads a day, that's an awful lot of people to choose from). The first step was a simple alteration to the file extension on the "direct link" URL of any Imageshack picture.

Once done, a file would be presented for download.

[Screenshot: imshck1.jpg]


Opening that file showed the IP address of the uploader:

[Screenshot: imshck2.jpg]


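To show the class of bug behind this in code, here is an added example (my own illustration, not Imageshack's code and not the original post's): a tiny upload store that writes a per-upload metadata file next to the image, plus two direct-link handlers. The "vulnerable" handler resolves any <id>.<ext> under the upload directory, so swapping the extension in a direct link hands back the metadata file and the uploader's IP with it. The "hardened" handler only serves the extension recorded at upload time and answers 403 to everything else (the Forbidden response is my assumption of what the fixed site now returns). The file layout, the .meta sidecar, the JSON format, the handler names and the sample IP (an RFC 5737 documentation address) are all constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample data (not from the original post).
SAMPLE_IP = "203.0.113.7"                                      # RFC 5737 documentation range
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # minimal JPEG-like bytes

DIRECT_LINK = re.compile(r"^/img/([A-Za-z0-9]{1,32})\.([a-z0-9]{1,8})$")
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class ImageStore:
    """Assumed layout: image saved as <id>.<ext>, uploader details as <id>.meta."""

    def __init__(self, root: Path):
        self.root = root
        self.index: dict[str, str] = {}  # upload id -> extension recorded at upload time

    def save(self, upload_id: str, ext: str, data: bytes, uploader_ip: str) -> None:
        (self.root / f"{upload_id}.{ext}").write_bytes(data)
        meta = {"uploader_ip": uploader_ip, "ext": ext}
        (self.root / f"{upload_id}.meta").write_text(json.dumps(meta))
        self.index[upload_id] = ext

    def serve_vulnerable(self, path: str):
        """Resolve any <id>.<ext> under the upload directory, whatever <ext> is."""
        m = DIRECT_LINK.match(path)
        if not m:
            return 404, None, b""
        target = self.root / f"{m.group(1)}.{m.group(2)}"
        if not target.is_file():
            return 404, None, b""
        # Unknown types go out as a generic download: the "file presented for download".
        return 200, "application/octet-stream", target.read_bytes()

    def serve_hardened(self, path: str):
        """Only the extension recorded at upload time is servable; anything else is 403."""
        m = DIRECT_LINK.match(path)
        if not m:
            return 404, None, b""
        upload_id, ext = m.groups()
        if self.index.get(upload_id) != ext:
            return 403, None, b""
        target = self.root / f"{upload_id}.{ext}"
        mime = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
        return 200, mime, target.read_bytes()


def leaked_ips(body: bytes) -> list[str]:
    """Dotted-quad strings in a response body: a quick check for this class of leak."""
    return [m.decode() for m in IPV4.findall(body)]


def demo() -> dict:
    """Run both handlers against the same swapped-extension link and report."""
    with tempfile.TemporaryDirectory() as tmp:
        store = ImageStore(Path(tmp))
        store.save("abc123", "jpg", SAMPLE_JPEG, SAMPLE_IP)
        swapped = "/img/abc123.meta"  # the direct link with its extension changed
        v_status, _, v_body = store.serve_vulnerable(swapped)
        h_status, _, h_body = store.serve_hardened(swapped)
        ok_status, ok_mime, ok_body = store.serve_hardened("/img/abc123.jpg")
        return {
            "vulnerable_status": v_status,
            "vulnerable_leaks": leaked_ips(v_body),
            "hardened_status": h_status,
            "hardened_leaks": leaked_ips(h_body),
            "image_status": ok_status,
            "image_mime": ok_mime,
            "image_ok": ok_body == SAMPLE_JPEG,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that the URL never chooses the file: the upload id selects a record, and the record says which single file may be served. Anything written beside the image at upload time (metadata, logs, thumbnails with extra headers) stays unreachable no matter what extension the visitor types, and the leaked_ips check is the kind of thing worth running against your own direct links if you host user uploads.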
This presents an obvious privacy and security risk, and could be used for everything from freaking people out on forums by "magically" revealing someone's IP address, to more devious activities like building up a posting history for particular IP addresses, or simply trying to run exploits against the end-user in question. Of course, end-users might be caught out if they've been uploading images on company time, too: the snooper could match an IP to a company and go to them with an easily identifiable person in a photograph, for example. It may sound a touch OTT, but never underestimate someone's capacity to cause trouble over the silliest things.

We notified Imageshack at 7:59 PM GMT / 11:59 AM PT. Imageshack responded at 9:03 PM GMT / 1:03 PM PT, letting us know that the reported issue had been addressed and that they were confident "this security gap no longer exists". After some testing, that appears to be the case. If you try the same technique now, you'll see this:

[Screenshot: forbidden1.jpg]

We don't know how long this has been in circulation, but I'll stick my neck out and guess (hope!) that it's a recent thing. Kudos to Imageshack for acting so quickly - I can't remember the last time we found something that was patched at such speed, and full credit to them. The last time an issue like this existed was (I believe) back in 2006, and that was also apparently fixed rapidly.

A shame it doesn't always happen like that...