September 14, 2006

Arnold's Audio URL Controversy -- Hacking or Not?

Greetings. I've seen various news stories biting around the edges on this one, but perhaps a few more words now will save some time later.

As you may know, an mp3 audio file containing a recording of a private meeting with California's "Governator" was apparently "leaked" to the press by staffers in the office of his Democratic opponent in the upcoming election. The tape included Arnold using strong language and some racially-related discussion that some observers found disturbing, for which the Governor later apologized (audio of the meeting).

Arnold's team immediately declared that the file had been stolen from a "password protected" private area of their servers. Later they changed that story to saying that "information manipulation" had been involved in gaining access. Now local L.A. radio station KFI says of the process: "We've been hacking them for years, if this is hacking."

From everything I've been able to learn about this situation, the file was reportedly not password protected and the technique apparently used to gain access -- URL manipulation -- does not reasonably qualify as hacking under any normal definitions.

What appears to have happened -- again, based on what I know right now -- is that various people have been exploring the Governor's Web servers by making slight changes to the URLs on Web pages or from e-mail. For example, if a (fictitious) promoted URL is:

http://arnoldssite.ca.gov/audio/file01.mp3

an interested party might also try to access file02.mp3, file03.mp3, and so on.

The same sort of procedure applies to any other types of Web materials -- file21.html, speech-ab.doc, photos-000.jpg, etc. You can type anything you want into a Web browser address bar, and it's the responsibility of the server to determine whether or not you should have access: browsers request, servers control.

I'll bet that many readers of this blog entry have themselves used the same technique to explore Web site areas, or have seen the entries related to such actions in their own Web server logs.

Whether or not it is appropriate to publicly release information discovered in this manner is a different and more complex issue.

But I believe that it's very important to emphasize that the security of files on Web servers is solely the responsibility of those servers and the people who configure them. Relying on the false assumption that files can't be accessed simply because you have not promoted their URLs -- particularly if those URLs can be easily inferred from known URLs -- can lead to some significant surprises.

--Lauren--

Posted by Lauren at September 14, 2006 09:34 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein