Comments on: Comments on 14448

Post number 14448

arnab — Mon, 04 Feb 2002 10:34:26 -0800

Privacy of MP3 fans at risk A new security hole has been discovered in one of the world's most popular file-swapping programs Morpheus which could allow anyone to gain private information about its millions of users.

By: zeoslap

zeoslap — Mon, 04 Feb 2002 10:45:04 -0800

Talk about light on facts, what exactly is this hole supposed to be ?

By: walrus

walrus — Mon, 04 Feb 2002 10:49:16 -0800

Tell me, does my firewall stop this, or not?

By: aaaaa

aaaaa — Mon, 04 Feb 2002 10:49:55 -0800

apparently old hole, new news. (and same problem exists with KaZaa and other similarly coded programs) Basically, instead of accessing the shared Morpheus folders via the Morpheus server, you can just go in via HTTP and port 80 and browse/grab whatever files you want. It seems that Morpheus brings its own InetServer process and runs that along with its own stuff. And Norton/ZoneAlarm don't necessarily monitor port 80, so you also bypass any firewall protection that the Morpheus server is running on. There's more to it, but that's the gist.

By: ttrendel

ttrendel — Mon, 04 Feb 2002 11:04:01 -0800

Thank God Windows crashes so much. If it didn't, I might actually think of keeping something valuable on my computer. If anyone wants a buttload of poorly-written college papers, have at it.

By: mokey

mokey — Mon, 04 Feb 2002 11:28:36 -0800

i think it's also the fact that some users mistakenly allow the sharing of their entire hard drives. afaik it's not a bug or exploit (article is v. vague) but users not configuring properly (?). check the thread at slashdot for more conjecture.

By: walrus

walrus — Mon, 04 Feb 2002 11:37:31 -0800

You mean this thread?

By: mokey

mokey — Mon, 04 Feb 2002 11:54:26 -0800

aye

By: skallas

skallas — Mon, 04 Feb 2002 12:29:51 -0800

you can just go in via HTTP and port 80 and browse/grab whatever files you want Only the ones that you've chosen to shared. The fears of getting to the root of your drive are unfounded unless you have it set up that way. If you have enabled c: or d: for sharing then your "my_secret_porn.zip" file has probably already been copied along with your cookies and other goodies through the normal Morpheus client. Hmm, I think I'm going to go do a search on my secret porn now.

By: jmd82

jmd82 — Mon, 04 Feb 2002 13:18:37 -0800

Anything that is so private that i wouldn't want anyone else there to see it, I wouldn't even put it on my computer. If someome REALLY wants to break into my computer, more power to them. But, they won't find a single useful thing except lots of music and college schit.

By: jmd82

jmd82 — Mon, 04 Feb 2002 13:18:58 -0800

By: fuq

fuq — Mon, 04 Feb 2002 14:14:47 -0800

Oh, hello, what's this? encryption? Encrypt all the files I don't want people to get at. What a novel idea!

By: mutagen

mutagen — Mon, 04 Feb 2002 14:23:46 -0800

A few things. It is apparantly port 1214, not port 80. However, if you've allowed net access to that port (to get Morpheus or Kazaa to work) with ZoneAlarm or any firewall, it opens that personal web server to the world. Second, it is only sharing the files and folders you set it to share. Unfortunately for many people, they have shared their entire hard drive. If you don't think people are that stupid, do a search for some common file that lives in the \windows directory. Most of the hits are people that have way too much of their computer shared via this system. Gnutella works very similarly, a searching mechanism built on top of a web server. Depending on the client a person is running, you may also be able to connect directly to the web server with a browser and look at files on their hard drive. This is also an example of very poor reporting. The article originally mentioned that this could be the work of a 'worm'. That has since been removed. A look at the /. comments contains the original quote.