#1 2016-02-22 22:50:12

heviifoto
Member

Serious Security Issue! Locked albums visible when browsed by phones!

A colleague who hadn't yet registered on my site just told me that he could access the photos from his phone without having registered. However, he couldn't get beyond the registration dialogue when visiting the site from his computer.

I've no idea yet if this serious security breach is dependent on phone OS. My colleague hasn't responded to my question yet. In any case this is irrelevant: A security hole has been identified and must be closed.


Piwigo version: Piwigo 2.7.4
Operating system: Linux
PHP: 5.6.17
MySQL: 5.5.5-10.0.21-MariaDB
Graphics Library: External ImageMagick 6.9.2-7
Piwigo URL: http://heviifoto.no-ip.info


#2 2016-02-22 22:53:33

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

FYI: The Smart Pocket (mobile theme) is also enabled on my site.


#3 2016-02-22 22:57:22

mistic100
Former Piwigo Team
Lyon (FR)

Re: Serious Security Issue! Locked albums visible when browsed by phones!

[Forum, topic 24607] Some folders without protection?
[Forum, topic 21104] Private photos are publicly accessible?
and some (many) others

now it would be interesting to know how he accessed the files


#4 2016-02-22 23:05:19

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

The albums which he accessed are indeed "locked". If they were not, my "unregistered" colleague would have also been able to see them on his computer.


#5 2016-02-22 23:46:16

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

The affected OS: Android version 5.0.1

It would be prudent to check others.


#6 2016-02-26 19:24:27

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

I am surprised that nobody else finds this to be a serious security problem.

Previous concerns were about anybody being able to see a locked photo if they had the url. This security chasm where so-called locked albums can be viewed on smartphone browsers doesn't even require the urls to be known!

Why isn't anybody else concerned about this??


#7 2016-02-26 19:31:33

plg
Piwigo Team
Nantes, France, Europe

Re: Serious Security Issue! Locked albums visible when browsed by phones!

I feel concerned. I'm going to check.


Latest blog post (November 9th 2018) Why Flickr could not remain free for ever


#8 2016-02-26 19:33:31

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

Thank-you, plg!


#9 2016-02-27 10:11:01

plg
Piwigo Team
Nantes, France, Europe

Re: Serious Security Issue! Locked albums visible when browsed by phones!

I just made a test with a web browser on Android 6.0.1 and I see no more content than on any other web browser on my Linux desktop. I need more details to understand how your colleague saw your content.


#10 2016-02-27 17:54:34

heviifoto
Member

Re: Serious Security Issue! Locked albums visible when browsed by phones!

Well, this is quite perplexing. My colleague writes:

"...as now i cannot access any photos on my phone. Previously, I was able to see a series of albums, sorted by countries - mostly African and European..."

The only thing that has changed was that I registered him -after- he told me that he could already get into the site. I understand why he can't see anything now (he hadn't confirmed his registration) but I have no idea how he was able to initially view my photos.
