Oink security bug lets others download your content

Image Credit: http://www.flickr.com/photos/lwr/

After social mobile application Oink was shut down on Wednesday, the company behind the app, Milk, put up a “download your data” option so that users could grab their content one last time. It seemed, however, you could grab just about anyone’s content simply by typing in their user name.

However, Milk founder Kevin Rose has informed us that a unique hash has been added to each link to stop just anyone from accessing your content.

“For Oink it has always been that everything that a user does is public,” Rose told VentureBeat. “It’s posted to their profile pages; there’s no way to hide any of that data.”

Oink was an odd combination of Instagram, Yelp, and Foursquare, where people could take photos of their surroundings, add filters, rate what they’re doing, and check in to various locations. It was obviously a little confused from the start, which may have led to its closing.

Pulse blogger Cristina Cordova was an Oink user, and when the announcement came out on Wednesday, she attempted to save her content. The Oink website asked her for her username or e-mail only, and then e-mailed a link to the data download.

Oink download link

The link (pictured right) is defined by a username, so if you input another person’s username, his data can be downloaded using the same link. Cordova swapped out her username for Oink founder Kevin Rose’s and it worked (you can check out his photos below). It seems the element of “security” here was the fact that a user only receives the download link if they have access to the associated e-mail account. But being able to manipulate the link itself is a vulnerability.
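The username-only link design described above, next to a link that carries the kind of per-link hash Rose mentions, as an added Python example that is not Oink's code. The URL, parameter names, function names and the HMAC construction are assumptions, since the article does not say how the hash was derived.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
BASE = "https://downloads.example.invalid/export"  # constructed URL, not Oink's


def link_username_only(username):
    """'Before' design: the username is the only thing that selects the export."""
    return f"{BASE}?{urlencode({'user': username})}"


def authorize_username_only(url):
    """Serves whichever user the link names; receiving the e-mail proves nothing."""
    return parse_qs(urlparse(url).query).get("user", [None])[0]


def _token(username):
    # Keyed hash bound to the username: it cannot be recomputed without SERVER_KEY.
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def link_with_token(username):
    """'After' design: the e-mailed link also carries an unguessable token."""
    return f"{BASE}?{urlencode({'user': username, 'token': _token(username)})}"


def authorize_with_token(url):
    """Returns the username only if the token matches it, otherwise None."""
    qs = parse_qs(urlparse(url).query)
    user = qs.get("user", [None])[0]
    token = qs.get("token", [""])[0]
    if user is None:
        return None
    # Constant-time comparison of the presented and expected tokens.
    if not hmac.compare_digest(token.encode(), _token(user).encode()):
        return None
    return user


def with_username(url, other):
    """Test helper: the link with only its username field changed."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    qs["user"] = [other]
    return parts._replace(query=urlencode(qs, doseq=True)).geturl()
```

With the token in place, possession of the e-mailed link is what authorizes the download, so editing the username field alone no longer selects another account's export.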

That being said, all of the information on Oink was intended for public consumption. Reviews, photos of places, public “check-ins” are open to the outside world. However, the oversight could be detrimental if used on the wrong application (imagine if Facebook had a bug like that).

“With Facebook it’s always tricky because there’s private and public data that’s inter-tangled,” Rose explained.

Rose was recently hired by Google. He confirmed the move today, stating that he and three others from Milk would be moving on to the search giant. What he will be working on has not been released.

Kevin Rose Oink Photos

