

Privacy of MP3 fans at risk
February 4, 2002 10:34 AM

Privacy of MP3 fans at risk: A new security hole has been discovered in one of the world's most popular file-swapping programs, Morpheus, which could allow anyone to gain private information about its millions of users.
posted by arnab (12 comments total)

 
Talk about light on facts, what exactly is this hole supposed to be?
posted by zeoslap at 10:45 AM on February 4, 2002


Tell me, does my firewall stop this, or not?
posted by walrus at 10:49 AM on February 4, 2002


apparently old hole, new news. (and same problem exists with KaZaa and other similarly coded programs)

Basically, instead of accessing the shared Morpheus folders via the Morpheus server, you can just go in via HTTP and port 80 and browse/grab whatever files you want. It seems that Morpheus brings its own InetServer process and runs that along with its own stuff.

And Norton/ZoneAlarm don't necessarily monitor port 80, so you also bypass any firewall protection that the Morpheus server is running on.

There's more to it, but that's the gist.
posted by aaaaa at 10:49 AM on February 4, 2002


Thank God Windows crashes so much. If it didn't, I might actually think of keeping something valuable on my computer. If anyone wants a buttload of poorly-written college papers, have at it.
posted by ttrendel at 11:04 AM on February 4, 2002


i think it's also the fact that some users mistakenly allow the sharing of their entire hard drives. afaik it's not a bug or exploit (article is v. vague) but users not configuring properly (?). check the thread at slashdot for more conjecture.
posted by mokey at 11:28 AM on February 4, 2002


You mean this thread?
posted by walrus at 11:37 AM on February 4, 2002


aye
posted by mokey at 11:54 AM on February 4, 2002


you can just go in via HTTP and port 80 and browse/grab whatever files you want

Only the ones that you've chosen to share. The fears of getting to the root of your drive are unfounded unless you have it set up that way. If you have enabled c: or d: for sharing then your "my_secret_porn.zip" file has probably already been copied along with your cookies and other goodies through the normal Morpheus client.

Hmm, I think I'm going to go do a search on my secret porn now.
posted by skallas at 12:29 PM on February 4, 2002


Anything that is so private that I wouldn't want anyone else there to see it, I wouldn't even put it on my computer. If someone REALLY wants to break into my computer, more power to them. But, they won't find a single useful thing except lots of music and college schit.
posted by jmd82 at 1:18 PM on February 4, 2002


Oh, hello, what's this? encryption? Encrypt all the files I don't want people to get at. What a novel idea!
posted by fuq at 2:14 PM on February 4, 2002


A few things. It is apparently port 1214, not port 80. However, if you've allowed net access to that port (to get Morpheus or Kazaa to work) with ZoneAlarm or any firewall, it opens that personal web server to the world.

Second, it is only sharing the files and folders you set it to share. Unfortunately for many people, they have shared their entire hard drive. If you don't think people are that stupid, do a search for some common file that lives in the \windows directory. Most of the hits are people that have way too much of their computer shared via this system.

Gnutella works very similarly, a searching mechanism built on top of a web server. Depending on the client a person is running, you may also be able to connect directly to the web server with a browser and look at files on their hard drive.

This is also an example of very poor reporting. The article originally mentioned that this could be the work of a 'worm'. That has since been removed. A look at the /. comments contains the original quote.
posted by mutagen at 2:23 PM on February 4, 2002
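
An added example, not part of the original thread or of any file-sharing client: a self-audit that flags over-broad entries in a list of shared folders, the misconfiguration the comments above describe (a whole drive, or a folder such as \windows, being shared). The share list and the set of sensitive directories are constructed assumptions; the sketch does not read any real client's configuration.

```python
import ntpath
from pathlib import PureWindowsPath

# Assumption: directories the user would not want served to other peers.
SENSITIVE_DIRS = [r"C:\Windows", r"C:\Documents and Settings"]

# Constructed sample input, standing in for a client's shared-folder list.
SAMPLE_SHARES = ["C:\\", r"D:\Music", r"c:\WINDOWS\system32",
                 r"C:\Downloads\..", r"C:\Documents and Settings"]

WHOLE_DRIVE = "entire drive is shared"
EXPOSES = "share contains a sensitive directory"
INSIDE = "share lies inside a sensitive directory"


def _norm(path):
    """Collapse '..' and '.', unify separators and case (works on any OS)."""
    return PureWindowsPath(ntpath.normpath(str(path).strip()).lower())


def _is_within(child, parent):
    """True if child equals parent or lies somewhere beneath it."""
    return child == parent or parent in child.parents


def audit_shares(shared, sensitive=SENSITIVE_DIRS):
    """Return (original_path, reason) for every share that is too broad."""
    sens = [_norm(s) for s in sensitive]
    findings = []
    for raw in shared:
        p = _norm(raw)
        # A bare drive ("C:" or "C:\") exposes everything on that volume.
        if p.drive and len(p.parts) == 1:
            findings.append((raw, WHOLE_DRIVE))
        elif any(_is_within(s, p) for s in sens):
            findings.append((raw, EXPOSES))
        elif any(_is_within(p, s) for s in sens):
            findings.append((raw, INSIDE))
    return findings


if __name__ == "__main__":
    for path, reason in audit_shares(SAMPLE_SHARES):
        print(f"{path!r}: {reason}")
```
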

