SmugMug Fixes many Problems, Leaves Others open
Earlier this month we published an previous article about a competition that was being run by the operators of the SmugMug photo sharing website, where they would pay people up to $599.99 USD if they were able to retrieve the original image that was hidden behind the site's protective measures. While there has been no news of the money being paid to anybody, the site certainly got a lot of free security advice (by the way, thanks for not getting back to us) and were able to make a lot of changes to the site that have resulted in some ongoing issues for users, while addressing a number of serious issues that had been raised.
Following the changes to the site, the biggest immediate discovery is that it is no longer possible to recover sequential images (or even the whole unprotected archive) through iteration over:
http://www.smugmug.com/photos/photo_id.jpg
The biggest change that effects this outcome is the addition of a five character UID-of-sorts (which they call a key) appended to the end of the existing numeric photo_id. With a possible key space of 916,132,832 options (the SmugMug blog suggests that there are only 57 alphanumeric choices for each character, giving a key space of 601,692,057, but there is no guidance on which five characters are invalid from the set [A-Z, a-z, 0-9], leaving the greater keyspace for a brute force approach) it makes for a seemingly impossible task to retrieve random images from the site. Each image is given its own key, as with each album, making it difficult to automatically grab every image associated with an album.
As with many systems, there are a couple of weaknesses in implementation that allow for retrieval of random images, though it is definitely random how they will be returned.
Direct requests for images will still work, though there is a slight difference in the format. Previously, all that was required was a direct request to an image in the format:
http://www.smugmug.com/photos/
photo-O.jpg - Original size
photo-M.jpg - Medium
photo-L.jpg - Large
photo-S.jpg - Small
Now, with the individual image key, the request becomes:
http://www.smugmug.com/photos/
photo_photokey-O.jpg - Original size
photo_photokey-M.jpg - Medium
photo_photokey-L.jpg - Large
photo_photokey-S.jpg - Small
This means that even with the anti-right click JavaScript and the addition of the key, all it takes to retrieve the original image at the original size is knowledge of the correct key.
This is easier than it might seem, and it is also the case that having to hunt through the entire keyspace for each image is not necessary.
From our original article, we mentioned that one of the biggest risks is from displaying malicious images in the context of a legitimate album, originally possible through:
http://victim.smugmug.com/gallery/legit_album_id#malicious_photo_id
With the addition of keys specific to each album and each image it gives the appearance of a solid URL that can not be reverse engineered. Unfortunately, that is all it is - it only appears secure.
Consider the following example:
Album - legitalbum
Album Key - albumkey
Photo that is in album - legitphoto
Its key - legitkey
Malicious photo - malphoto
Its key - malkey
When viewing images in albums, SmugMug allows users to take a closer look at images through the use of a virtual lightbox, which is where it was possible to appear to inject a malicious image in a legitimate album, and where it is still the case. The new URL format for displaying an image on the lightbox is as follows:
http://victim.smugmug.com/gallery/legitalbum_albumkey#legitphoto_legitkey-S-LB
(the S / M / L / O at the end represents the size and LB represents that it is displayed in the light box)
http://victim.smugmug.com/gallery/legitalbum_albumkey#malphoto_legitkey-S-LB
Even though the wrong key is present for the image, it will still display. Now that the image has been injected (or at least appears to have been added to the album), it is possible to recover the key for a malicious image, and to display the rest of the album that the malicious image belongs to (if it does). At the top of the page will be a set of options for displaying the image in different sizes, though this will use the legit image key to display the malicious image (which it doesn't seem to have much of a problem with). Next to that it provides the option to view preceding and following images from the malicious album, with the correct keys for those images. Simply cycling to the next image and then back again will provide the appropriate malkey. Replacing the legitkey with this value still displays the malicious image and this process forms the basis for recovering the key for any image for which the photo_id number is known (once in the lightbox replace the current photo_id with that of the image you want to recover, cycle to the next image in the album, cycle back and then you have the appropriate key which you can then use to recover the original image).
When combined with the ability to recover original images from an album by noting the key belonging to each image (a little bit of manual work) and then making the appropriate direct request, it is possible to create a 'shadow album' that has the malicious image inserted, but which otherwise appears the same as the legitimate album.
Since the lightbox tries to call up other images belonging to the same album as the currently viewed image a shadow album would be an effective means of hiding the fact that the images on display DO NOT correspond to the album indicated in the URL (and viewable through the greyed out background). Confusing the issue further for the victim of such an attack is the fact that the title of the web page that is displaying the malicious image is the title chosen by the legitimate album owner, further hiding the origin of the malicious image.
Overall, SmugMug's developers and maintainers have made a valiant effort at improving the security on their site and helping protect their users' images, the only problem being that they have only made the process of recovering original images only slightly more complex and they have made it appear more difficult to spoof an image's ownership / album when it is just as simple as it was before. In fact, with the addition of unique keys for albums and images, it gives the impression that spoofing should not be possible.
20 February 2008
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.