Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Stop printing your personal photos via online websites

0
0

There are plenty of online shops which offer to print your photos, visiting cards and t-shirts. But do they protect the photos or personal information you share with them? We will find out.

We discovered a security vulnerability in Inkmonk.com (India’s first print marketplace) which leaks all the photos you have uploaded, via a simple API:


Stop printing your personal photos via online websites
Vulnerable API

The ids used in the above API is serially iterable and the response looks like this:


Stop printing your personal photos via online websites
API response

And if you click on one of the URLs in the above response, you will see the pictures uploaded by the users of the website. They do not require any kind of authentication at all. Some examples below:


Stop printing your personal photos via online websites

This security bug was reported to the InkMonk on 19th November, 2017. They acknowledged the existence of the issue and promised a fix in coming days. They even sent goodies for finding the issue.

I contacted them again after a month saying that it is still vulnerable but got no response. Even after a year and a month being passed as of writing this (19th December, 2018) and it is still not fixed.

Sadly, security vulnerabilities take back seat amongst other aspects of running a company.

Key Takeaway

For now, stop uploading your personal photos and personal information like visiting cards online if you care about your privacy.

To technology companies, please prioritize security of your users above everything else.


Viewing all articles
Browse latest Browse all 12749

Latest Images

Trending Articles





Latest Images