This morning one intrepid Android user discovered a sizeable security hole in an app called XGimp. The app had good intentions, to be sure, but there was a basic mistake in its design. XGimp lets the user edit a photo locally with a simple image editor or, if they prefer, upload the photo to a remote server running the Gimp image editor and work on it there. Therein lies the rub.
The Gimp editor in XGimp runs on a single remote server to which images are uploaded from all around the world. Over the time the app has been active, users have uploaded lots and lots of images to that one server. The app does not say so anywhere, but there is effectively no security on this server: the remote desktop session it exposes does not require a login.
As a result, every uploaded image was available to anyone who cared to take a look. Fortunately for the users who had already uploaded private images and documents, the more skilled users who found the hole set about taking the server down immediately, and the first thing they went for was root access.
Once user GranPC had obtained root access, cutting off the app's access to the server was relatively simple, and Google would not even have had time to pull the app from the store before the job was done. GranPC began by deleting the Upload folder in which all of the uploaded files were stored, then broke the VNC server entirely.
Quick lesson, in short: do not trust any app that connects to a remote desktop environment when no login screen is required. Connecting to a desktop environment on any platform without that gateway is a recipe for disaster, because anyone who can reach the server gets the same access you do. Cross your fingers that nobody got hold of any especially important documents or photographs between the first report on Reddit and the destruction of the server.
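A practical way to check the condition this lesson describes is to look at what a VNC server advertises during its initial handshake. An RFB 3.7 or 3.8 server sends a list of supported security types right after the version exchange, and if that list contains type 1 ("None") the server will hand a desktop session to anyone who connects. The following script is an added example, not code from the article or from XGimp; it parses that handshake and flags servers that permit unauthenticated access. The `check_vnc_auth` function talks to a real host, while the parsing helpers can be exercised offline against the constructed byte strings shown in the comments. The `SECURITY_TYPES` table is taken from RFC 6143 and the IANA RFB registry; the host and port values are assumed placeholders.

```python
import socket
import struct

# RFB security type numbers (RFC 6143 section 7.1.2 and the IANA RFB registry).
# Type 1 ("None") means the server grants a session with no credentials at all.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion banner, e.g. b"RFB 003.008\\n" -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB version banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(payload: bytes) -> list:
    """Parse the server's SecurityTypes message for RFB 3.7/3.8.

    Wire format: U8 count, then `count` U8 type values. A count of 0 means the
    server refused the connection and a U32-length-prefixed reason string follows.
    Constructed examples: b"\\x02\\x01\\x02" -> [1, 2]; b"\\x01\\x02" -> [2].
    """
    if not payload:
        raise ValueError("empty SecurityTypes message")
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError("server refused connection: " + reason)
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated SecurityTypes message")
    return types


def allows_unauthenticated(types) -> bool:
    """True if the server will accept a client that chooses security type None."""
    return 1 in types


def describe(types) -> list:
    """Human-readable names for a list of security type numbers."""
    return [SECURITY_TYPES.get(t, "Unknown(%d)" % t) for t in types]


def check_vnc_auth(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Perform the version and security-type exchange against a live VNC server.

    Returns the advertised types and whether an unauthenticated session is
    offered. Handles RFB 3.3, where the server sends a single U32 type instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        major, minor = parse_version(banner)
        # Answer with the highest version we understand that the server also offers.
        client_version = b"RFB 003.008\n" if (major, minor) >= (3, 8) else \
                         b"RFB 003.007\n" if (major, minor) == (3, 7) else b"RFB 003.003\n"
        sock.sendall(client_version)
        if (major, minor) < (3, 7):
            (sec_type,) = struct.unpack("!I", sock.recv(4))
            types = [sec_type]
        else:
            types = parse_security_types(sock.recv(256))
    return {
        "version": (major, minor),
        "types": describe(types),
        "unauthenticated": allows_unauthenticated(types),
    }


if __name__ == "__main__":
    # Placeholder target; replace with a host you are authorised to test.
    result = check_vnc_auth("192.0.2.10", 5900)
    print(result)
    if result["unauthenticated"]:
        print("WARNING: server offers a desktop session with no login")
```

Note that a server offering only "VNC Authentication" (type 2) is still weak, since that scheme is a DES challenge-response with an eight-character password sent over an unencrypted channel; the check above only tells you whether the door is open, not whether the lock is any good.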
NOTE: XGimp is still listed on the Google Play store as this article goes to publish. Because we do not want any of our readers to download the app and put themselves at risk, we recommend that nobody go looking for it. Its remote editing feature is dead at the moment, anyway.