The CEO of ImageShack, whose popular Yfrog service posts millions of photos daily to people’s Twitter accounts, denied Thursday that his site had a security “hole,” as reported by the Daily Dot.
Call it a security flaw, a vulnerability, or just bad design; the fact is that Yfrog allowed anyone with the right email address to post a picture to a user’s Twitter account, a feature which Yfrog shut down late Wednesday after the Daily Dot and others started asking questions about the service’s security.
The email-posting feature, whose vulnerability we confirmed in our own tests, may well have allowed a prankster to post a picture like, say, the controversial picture of an underwear-clad penis that was posted to Representative Anthony Weiner’s account on Friday.
The feature in question could be considered a weakness or “design flaw,” said security expert Bruce Schneier.
Every system has security holes, he added. “We as a species have no idea how to design systems without security holes.”
Schneier pointed out that you could say the design of a supermarket is flawed, because it theoretically allows anyone to walk into the store and steal items off the shelf.
After a right-wing blogger reported that the prominent New York Democrat had posted the picture and directed it to a Washington State college student, Weiner immediately declared that his account had been hacked and deleted the tweet.
Since then, bloggers, Tweeters and hackers have been trying to figure out how to prove or disprove, depending on their political leanings, that Weiner himself posted the photo. (After days of unclear statements, Weiner finally said Wednesday he wasn’t sure whether the photo was really of his own crotch, which didn’t really help resolve matters.)
At this point there are still more questions than answers. But a few things have become clear. The photo in question was definitely posted using Yfrog’s service. Yfrog allows you to post a Twitter photo through several means, including using an app that supports the service, logging into Yfrog’s site, or sending a photo to what is supposed to be a secret email address that Yfrog assigns to you when you sign up.
The email address contains your Twitter username, followed by a random word, and ending with @yfrog.com. (Yfrog refers to this as an “email PIN.”)
Anyone with the email address could have used it to send a photo. But getting that email address is no trivial matter, said ImageShack CEO Jack Levin. (Levin could not be reached yesterday but returned calls and emails today).
While he would not comment directly on the Weiner case, “due to privacy concerns,” he said that “to date we have not had any user complaints about their email PIN being hacked.”
He added that guessing that PIN “is nearly impossible. The possibility is so low you would be spending years trying to guess it.”
A brute-force attack would also be nearly impossible, Levin said, because ImageShack’s system locks out email addresses when they’ve attempted to email ten times in an hour. In that type of attack, an attacker tries many candidate values in succession until one matches the password or other secret.
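The two factors in the preceding paragraphs, a per-sender lockout of ten attempts per hour and the size of the secret being guessed, can be put side by side. The following is an added illustration, not ImageShack’s code: a sliding-window limiter reconstructed from the policy as described, plus the expected guessing time for a secret of a given size under that limit. The 10,000-word list and the 10-character token are constructed sizes for comparison, not Yfrog’s actual parameters.

```python
import math
from collections import defaultdict, deque

# Lockout policy as the article describes it: ten attempts per hour per sender.
MAX_ATTEMPTS_PER_WINDOW = 10
WINDOW_SECONDS = 3600


class SenderLockout:
    """Sliding-window limiter keyed by the sending address. This is a
    hypothetical reconstruction of the described policy, not ImageShack's code."""

    def __init__(self, limit=MAX_ATTEMPTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # sender -> timestamps of recent attempts

    def allow(self, sender, now):
        """Return True if this attempt is within the limit, False if locked out."""
        q = self._seen[sender]
        while q and now - q[0] >= self.window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def expected_guess_hours(keyspace, attempts_per_hour=MAX_ATTEMPTS_PER_WINDOW):
    """Expected hours for one rate-limited sender to hit a uniformly random
    secret drawn from `keyspace` possibilities: (N + 1) / 2 guesses on average."""
    return (keyspace + 1) / 2 / attempts_per_hour


def entropy_bits(keyspace):
    """Guessing entropy, in bits, of a uniform secret with `keyspace` possibilities."""
    return math.log2(keyspace)


if __name__ == "__main__":
    # Constructed comparison: a secret drawn from a 10,000-word list versus a
    # 10-character random alphanumeric token (62 symbols). Both sizes are assumptions.
    for label, space in [("10,000-word list", 10_000), ("10 random alphanumerics", 62 ** 10)]:
        years = expected_guess_hours(space) / 24 / 365
        print(f"{label}: {entropy_bits(space):.1f} bits, ~{years:.3g} years at 10 guesses/hour")
```

The point for a defender is that a per-sender lockout only buys as much time as the secret’s entropy gives it; the limiter and the secret size have to be designed together.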
Despite its confidence in its security, Levin said his company decided to stop the email uploading feature last night because so many people – including those, like the Daily Dot, who were testing the so-called vulnerability -- had publicly posted the addresses and in the process, compromised their own Yfrog accounts.
“What we've been seeing is a lot of people posting their PINs online the same way you did it with your article,” Levin said. “And we basically decided to protect those users.”
He said his service would be issuing new “PINs,” or posting addresses, to its users.
Levin added that our story was part of the motivation to take down the email feature, because we posted senior editor Grant Robertson’s Yfrog posting address in a graphic that we used. He claimed that our story was “kind of really defaming our efforts and causing our feature to shut down.”
His claim didn’t exactly check out, however. When we pointed out that our story went up after the feature was disabled, he said that our story was only one of many where addresses were posted, and that they had taken down the feature in reaction to all the postings.
He added that posting one’s address violated the Yfrog site’s terms of service and asked that the Daily Dot take down the graphic.
“We reacted to the situation to protect the privacy of our users,” he said.
Levin would not comment further when pressed by email after Daily Dot editor Owen Thomas posted a tweet criticizing Levin.
As far as getting to the bottom of what happened with Weiner, it’s not likely to happen any time soon.
Did someone hostile to Weiner post the photo as a prank using Yfrog, as Weiner has maintained? Did someone hack into his email and get his passwords? Did he leave his Blackberry lying around with compromising photos that a political operative then used against him? Or did Weiner maybe post his own photo one late Friday night?
“This kind of stuff is extraordinarily hard to prove one way or another,” said Schneier, the security expert.