Kodak managed to release a product with a big fat security vulnerability. [Casey] figured out that the Kodak W820 WiFi-capable digital frame can be hijacked for dubious purposes. The frame can add Internet content as widgets: things like Facebook status, tweets, and pictures. The problem is that the widgets are based on a feed from a website that was publicly accessible. The only thing that differs between feed addresses is the last two characters of the frame’s MAC address. Feeds that are already set up can be viewed, but by brute-forcing the RSS link an attacker can take control of the feeds that haven’t been set up yet and preload them with photos you might not want to see when you boot up your factory-fresh frame.
It seems the hole has been closed now, but that doesn’t diminish the delight we get from reading about this foible. There’s a pretty interesting discussion going on in the thread running at Slashdot.
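
An added example, not from the original post or from Kodak: a Python sketch of why a feed identifier that varies in only two MAC characters cannot keep frames apart, next to a keyed-token alternative that a server could require before a feed is claimed. The function names, the `FeedRegistry` class, the demo key and the MAC addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secret store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def normalize(mac: str) -> str:
    return mac.replace(":", "").replace("-", "").lower()

def weak_feed_id(mac: str) -> str:
    """Model of the post's description: only the last two MAC characters vary."""
    return normalize(mac)[-2:]

def strong_feed_id(mac: str, key: bytes = DEMO_KEY) -> str:
    """Hypothetical replacement: 128-bit keyed token over the full MAC."""
    return hmac.new(key, normalize(mac).encode(), hashlib.sha256).hexdigest()[:32]

def distinct_ids(macs, scheme) -> int:
    """Audit helper: how many different feed IDs a fleet of frames maps to."""
    return len({scheme(m) for m in macs})

class FeedRegistry:
    """Hypothetical server side: a feed is claimed only with its exact token."""
    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.owners = {}

    def claim(self, mac: str, presented_id: str, owner: str) -> bool:
        expected = strong_feed_id(mac, self.key)
        # Constant-time compare; reject guesses and already-claimed feeds.
        if not hmac.compare_digest(expected.encode(), presented_id.encode()):
            return False
        if expected in self.owners:
            return False
        self.owners[expected] = owner
        return True

def constructed_fleet(n: int):
    """n constructed MAC addresses under a made-up 00:11:22 prefix."""
    return [f"00:11:22:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
            for i in range(n)]

if __name__ == "__main__":
    fleet = constructed_fleet(300)
    print("weak scheme distinct IDs:", distinct_ids(fleet, weak_feed_id))
    print("strong scheme distinct IDs:", distinct_ids(fleet, strong_feed_id))
```

The keyed token assumes the frame receives its token at manufacture or over an authenticated channel, since the device itself never holds the server key.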