Files In The Cloud
With the rise of the Web 2.0 era, new suites of web applications are being developed. Some of these applications such as FaceBook and MS Live Space focus on social networking and collaborations. The trend for hacker has also moved from getting root/administrator privileges to gathering user personal information, profile and possibly credit card information.
One typical application is files and photos sharing where users can upload files or photo to store online and share their content by providing the URL to the online storage. These services typical have access control to the content so that not everyone can have access to it. Beside these restricted folders, the service usually provides a “Public” sharing folder for each user. This folder is accessible by everyone.
The potential pitfalls in using these public sharing folders include possible ID harvesting and partial privacy disclosure. A hacker can gather personal information and profile from these services if the user is not careful. With the convenience of such powerful collaboration tools, some corporate users find it effective and attractive in embarking work using these online technologies. Corporate secrets such as marketing strategies could leak out when revision of the artwork is shared through the Public folder between employee and designer during collaboration work. Similar to handling email, user needs to be educated since these pitfalls are not solely implementation issue but involve usage pattern as well. No system can prevent a user from choosing to share his bank account statement to the world.
Below, the SkyDrive service demonstrates how ID harvesting and information gathering is possible.
SkyDrive Online File Storage
With Window Live SkyDrive, user can choose to share files with everyone by providing the URL to the Public folder of their SkyDrive account. The URL to the public folder is not directly derivable without any information. The URL is prefixed by a cid variable which contain a 16 digit hexadecimal generated by the system. The seemingly random prefix (cid-xxxxxxxxxxxxxxxx) in the URL protects people from trying to guess the URL of publicly shared folder. This is an example of security by obscurity, but it does not totally eliminate the threat of ID harvesting and partial privacy disclosure.
The following example shows a URL to a Public folder of a user “Jame”.
http://cid-xxxxxxxxxxxxxxxx.skydrive.live.com/browse.aspx/Public
The share contents contain revision of a review article, and some files for the owner’s mum. It would seem that SkyDrive is used by “Jame” as a repository for his work. These articles can be downloaded by anyone, and the review information is disclosed to everyone.
Locating Public Folder In The Cloud
A false sense of security that no other users will be able to guess the URL and gain access to their files make users let their guard down and share their private files in Public folders. However, there is no need for other users to know the cid to locate each others’ Public folders in SkyDrive. By constructing the appropriate query and doing a search on Google, they can easily obtain a list of the public folders that are currently shared by the users of SkyDrive. The list provided a way to browse the files available in the Public folder space directly, bypassing the need to know the cid.
The following are 2 examples of some contents retrieved from the thousands of results returned from a Google search.
ID Harvesting
Every user of SkyDrive will have a Public folder when they sign up for the Windows Live service. Provided Google has indexed them, all users with their corresponding SkyDrive’s public folder will turn up in Google’s search results. The search results indirectly provide us with a list of ‘cid-xxxxxxxxxxxxxxxx’s which allows us to retrieve information of any user from the list, through his spaces.live.com profile. The significance of the Google search result is that “randomizing cid no longer prevents us from harvesting IDs because of the presence of Public Folders”. It is now possible to access his email address, know his friend, gather his limited profile, and access his blog. These provide a wealth of information for social engineering.
The following is sample information which could be gathered from the results returned from a Google search.
The above demonstrates a new form of attack facing user of Web 2.0 applications. Similar to email services, it is important to educate the users to understand these new threats and protect themselves when using these services. Similarly, it highlights the complexity and importance of security design consideration in new Web 2.0 applications, where collaboration and social networking is a natural part of the applications.