Documented Yfrog MMS Feature Made Framing Rep. Weiner Easy
Here’s a fascinating new bit of information in the “Weinergate” (ugh) scandal. Apparently it’s possible for anyone to post a picture to anyone else’s account at the yfrog.com picture hosting site — without a password. The trick is to email a picture from a Blackberry to the user’s yfrog.com email address, with the word “@subject” in the text. This results in the picture being posted at yfrog — and a tweet being posted at Twitter with a link to the picture.
The full details are at Cannonfire, and it certainly appears convincing. I don’t have a Blackberry, but LGF reader “ElCapitanAmerica” tried the technique described in this post, and reports that it really does work.
This is compelling evidence that Rep. Weiner is being framed. There would have been no need to hack into his accounts because of this security hole.
It turns out that you don’t have to email from a Blackberry — you just need to use MMS to send the picture, from any device that supports the protocol. I’ve now confirmed that this technique also works on an iPhone.
It also turns out that this is not really a security hole in yfrog; it’s a documented feature that’s been public knowledge for at least 2 years.