Yfrog Denies Security Hole Led to Weiner Hack (UPDATED)

UPDATED 6/7: So yeah, it turns out Yfrog had absolutely nothing to do with it. Weiner was lying the whole time. Oh, well. Still a good read.

This week has been jam-packed full of Weiner with no signs of slowing down. The New York congressman has defended himself in multiple interviews, but has hedged his bets on whether or not the photo is actually of his… thing.

However, buried underneath all the Weiner-centered news was the role of Twitter photo-hosting service Yfrog. According to a post yesterday on Mashable, all a potential hacker would need to send the photo from Weiner’s account was his Yfrog address.

So, let’s say Weiner’s posting address was RepWeiner.hacked@yfrog.com. If Weiner emailed a photo to that address from his government account, it would be posted to Twitter. If I emailed that address from my own account, any photo I sent would be posted on his stream as well. All a “hacker” needs to know is that RepWeiner.hacked@yfrog.com address.

This, perhaps, provides the simplest explanation for what could have happened. If someone figured out Weiner’s Yfrog e-mail address, they could have easily pulled off the prank. And it wouldn’t have been that hard to find out. The format for all Yfrog e-mail addresses is as follows:

Twitterusername.[randomword]@yfrog.com
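To make the design problem concrete, here is an added example (not Yfrog’s code) modelling an inbound-mail handler for that address format. It contrasts a check that trusts only the secret address with one that also requires the sender to be the registered account holder as authenticated by the receiving mail server (the regex, the account table and the `sender_verified` flag are assumptions for illustration).

```python
import hmac
import re
from dataclasses import dataclass

# Assumed shape of the upload address: Twitterusername.[randomword]@yfrog.com
ADDRESS_RE = re.compile(r"^(?P<user>[a-z0-9_]{1,15})\.(?P<word>[a-z0-9]+)@yfrog\.com$")

# Constructed sample registry: twitter username -> secret word and registered sender.
ACCOUNTS = {
    "repweiner": {"word": "hacked", "sender": "rep@example.house.gov"},
}

@dataclass
class InboundMail:
    to: str
    from_addr: str
    sender_verified: bool  # assumption: set by the MTA after its SPF/DKIM checks pass

def parse_upload_address(addr):
    """Return (username, secret word) or None if the address is not in the expected shape."""
    m = ADDRESS_RE.match(addr.strip().lower())
    if not m:
        return None
    return m.group("user"), m.group("word")

def authorize_weak(mail):
    """Address-only check: whoever knows the address can post as the account."""
    parsed = parse_upload_address(mail.to)
    if parsed is None:
        return False
    user, word = parsed
    acct = ACCOUNTS.get(user)
    # Constant-time comparison so the secret word cannot be recovered via timing.
    return acct is not None and hmac.compare_digest(acct["word"], word)

def authorize_hardened(mail):
    """The secret address is necessary but not sufficient: the mail must also come
    from the registered sender, and that sender must have been authenticated by the MTA."""
    if not authorize_weak(mail):
        return False
    user, _ = parse_upload_address(mail.to)
    acct = ACCOUNTS[user]
    return mail.sender_verified and mail.from_addr.strip().lower() == acct["sender"]
```

A spoofed `From:` header alone does not pass the hardened check, because the MTA’s authentication result is required as well.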

If this were the case, it would be inaccurate to say this was a “Twitter hack” as opposed to a “Yfrog hack.” When the site was reached for comment, the instant e-mail post option was quietly disabled. However, today Yfrog has denied it had anything to do with the Weiner scandal or any flaws in their security system. Yfrog’s most recent blog post addresses the security update without any reference to Weiner.

At yfrog, we take security very seriously. We monitor all the activity on our site and network 24/7 to make sure we secure our services, especially the photos and videos of our users. Our commitment is to protect our users’ photos and make sure they are never lost, deleted by accident, or compromised in any way.

Yfrog justified the instant e-mail upload as “a convenience for users,” and explained that users should keep their e-mail PIN as secure as their passwords.

So why did they end up disabling the service?

At yfrog, we constantly evaluate our internal security mechanisms across all the facets of our service. Even though our email upload feature has not been compromised or broken into, we are taking this opportunity to evaluate the feature and secure it even further.

The key takeaway from that paragraph is “not been compromised or broken into.” So Yfrog is completely denying that their service had anything to do with getting the lewd photo on Weiner’s Twitter account, but they still think this is a good time to “evaluate the feature.”

In summation: “We had nothing to do with it! Absolutely nothing! But while we’re here…”


One thought on “Yfrog Denies Security Hole Led to Weiner Hack (UPDATED)”

  1. I see no denial that the picture was posted on Twitter through Yfrog, only that Yfrog was not “compromised or broken into”. Perhaps they looked at the IP logs and found only Weiner’s. If he would allow a 10 min investigation by police or let Twitter and Yfrog release info this could be cleared up in no time.
