Think file-hosting sites guard your private data? Think again

Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user. The services, which include sites such as RapidShare, FileFactory, and Easyshare, allow users to upload …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    Uh, no. No, I don't think file hosting sites guard user's private data.

    That's why I've run my own net-connected servers for over a third of a century.

    But ta for asking! :-)

    Hind-brain wonders: Will TheGreatUnwashed[tm] ever "get it"?

    Gut-feeling: No. People, en masse, are idiots.

    1. Andy Fletcher

      Idiots is a tad harsh

      gullible? ignorant? sure, but we all are outside our fields of expertise. I lay the blame at the door of the tech companies. Making computers easier to use just meant no-one bothers to learn how they work anymore. They should force us to command line only operating systems and sit on a large sharp stake when operating tech gear. That would solve pretty much every tech problem there is.

      1. jake Silver badge

        Blaming the tool ain't the answer, Andy.

        It's up to the user to understand the tool, not vice-versa. Would you blame Vaughan if you hit your thumb with a 22oz framing hammer?

        I blame Apple for the whole "ease of use" myth ... Has set computing and networking back a couple generations, at least.

  2. Anonymous Coward
    Anonymous Coward

    Encryption, Encryption, Encryption!

    That is all, now move along.

    1. Danny 14
      Thumb Up

      indeed

      well, now you have my 100mb file, good luck unencrypting it (after brute forcing the RAR).

  3. Neal 5

    C'mon now Dan, surely you can do better

    Are we talking about a file hosting specific search engine here? something on the lines of

    http://www.searchshared.com/

    or its ilk, of which there are myriads.

  4. Anonymous Coward
    Anonymous Coward

    is this an "attack"?

    surely just typing in a URI doesn't constitute attacking a system does it?

    1. foo_bar_baz

      Automated guessing == bruteforce attack

      http://host/abc123

      http://host/resource/abc123

      http://host/resource?pass=abc123

      http://host/resource?user=bob&pass=abc123

      In all cases you have a resource protected by a secret. By bruteforcing the secret to access the resource, you're performing an attack. It doesn't matter whether it's an olde CGI URL or a newfangled RESTful URL.

  5. ender
    Joke

    I don't see much of a problem with this...

    ...since anybody sharing sensitive data over these services would certainly keep it encrypted, right?

  6. Gordon 10

    Non-story?

    Well duh.

    Surely there are few people using the named sites for anything but the odd random download?

    Afaik none of the sites advertise as secure file repositories so anyone who assumes otherwise is an idiot.

    Now if this was about dropbox or MobileMe then there would be a story here.

  7. Christoph

    Simpler fix?

    When the file is uploaded, generate a password as well. The uploader can decide whether to keep the password secret or to share it together with the URL.

    To download the file you need both URL and password (and add a block after too many attempts to guess the password).

    Maybe not as secure as encryption, but much easier to get everyone to use it.
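
    The URL-plus-password scheme with a lockout that Christoph proposes, as an added example in Python (not code from the article, the researchers, or any hosting site named in the thread). The `PasswordedHost` and `Share` classes, the 12-character generated password, the five-failure threshold and the 15-minute lock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

PW_ALPHABET = string.ascii_letters + string.digits
MAX_FAILURES = 5            # assumed threshold before a share is locked
LOCK_SECONDS = 15 * 60      # assumed lock duration


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash so a leaked database does not leak passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Share:
    def __init__(self, name, salt, pw_hash):
        self.name = name
        self.salt = salt
        self.pw_hash = pw_hash
        self.failures = 0
        self.locked_until = 0.0


class PasswordedHost:
    """Toy file host (an assumption for this example): each upload gets an
    unguessable URL token AND a generated password; both are needed to
    download, and too many wrong passwords lock the share for a while."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so lockout expiry can be tested
        self.shares = {}

    def upload(self, name):
        token = secrets.token_urlsafe(16)                        # 128 random bits
        password = "".join(secrets.choice(PW_ALPHABET) for _ in range(12))
        salt = os.urandom(16)
        self.shares[token] = Share(name, salt, _hash_pw(password, salt))
        # The uploader decides whether to send the password along with the URL.
        return token, password

    def download(self, token, password):
        """Returns (status, name): status is 'ok', 'denied' or 'locked'."""
        share = self.shares.get(token)
        if share is None:
            return "denied", None
        now = self.clock()
        if share.locked_until > now:
            return "locked", None               # refuse even a correct password
        if hmac.compare_digest(_hash_pw(password, share.salt), share.pw_hash):
            share.failures = 0
            return "ok", share.name
        share.failures += 1
        if share.failures >= MAX_FAILURES:
            share.failures = 0
            share.locked_until = now + LOCK_SECONDS
        return "denied", None
```

    The per-share lock makes online guessing of a 12-character password (62^12, roughly 2^71 possibilities) impractical, but it also lets anyone who holds the URL lock the legitimate recipients out for 15 minutes, so a real service would pair it with per-client rate limiting. And, as the comment concedes, the host still stores the plaintext file, so this is access control rather than a substitute for encrypting before upload.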

  8. Anonymous Coward
    Big Brother

    Not Enterprise Class

    If it is not encrypted, why even bother with an ID? I guess the masses want a transparent fig leaf to make them feel their data isn't being bandied about.

    Then I read about business people sharing their small company business plans and presentations on these services-- unencrypted-- well, I know what businesses NOT to work with. Non-disclosure agreements aren't worth a whit if your partner does a publish to the cloud.

    The beacon idea was sort of a good idea, although one has to wonder about the purloiners who would actually connect to a possibly malware infested site just because it was mentioned in a file with no provenance. One hopes they masked their IP and MAC addresses at least and had their shields up (CD based OS running?); there was no mention about any systematic use of service IP address purveyors.

    I guess it is the ones one doesn't see that one has to worry about.

  9. Anonymous Coward
    Anonymous Coward

    If I were to upload confidential files to a site like this

    then I would certainly make the assumption that the files would be public, even on the supposedly secure services, why take the risk in assuming otherwise? TrueCrypt isn't that hard to use.

  10. Doug Glass
    Go

    "The next Microsoft in the cloud computing era is ..."

    This whole cloud thing is just getting hilarious. What a clown act.

    1. Sonny Jim

      The reason why the 'cloud' buzzword is popular

      Is because when people use 'the cloud', they think they are using some kind of massive super computer you'd find tucked away on the Starship Enterprise. It's bragging rights, nothing else.

  11. Anonymous Coward
    Anonymous Coward

    Trojans and Malware

    I wonder how many trojan and malware "developers" are using that to distribute their creations. Name the file something very interesting and put it out there; either by itself or incorporated into an existing file. Then you have people thinking they are getting something great and will gladly click on it. If the malware was delayed activation, they wouldn't have a clue where they got it from either and send the file link to their friends.

  12. Old Handle

    I'm not surprised

    Actually I'm surprised that anyone is surprised. I always operated under the assumption that anything you post on those things is free for the taking. Although the service I've been using (Mediafire) is apparently a little better than average, it uses 15-character alphanumeric codes and has an option to add a password. But I still wouldn't trust it for anything confidential without adding encryption of my own.

  13. Anonymous Coward
    Unhappy

    Same with bookmarking sites

    I was hoping to find a bookmarking site that stored my bookmarks in the cloud, but where I could keep sensitive URLs (or even personal information, like the login ID). Unfortunately, the ones I have found have the same problem. Even when you mark a URL as private, it is still subject to a simple "increment numeric ID" hacking attempt.

    1. Robert Carnegie Silver badge

      Have you evaluated Opera Link for bookmarks?

      You don't have to use the Opera browser (except perhaps to import your existing links, I'm not sure), and they are usually quite aware of security, but when they say "Opera Link keeps your browser information safe", they appear to mean that you can still access it if you crashed or lost your computer or phone or whatever. http://www.opera.com/link/ I haven't used it myself. If they aren't secure currently, they may respond to prodding.

      I recall that Firefox has some kind of online resource to share bookmarks with your other Firefox PCs through storage on the Net, too.

      1. Robert Carnegie Silver badge

        ...I seem to be thinking of Mozilla's "Sync" there.

        http://mozillalabs.com/sync/

        "your information is encrypted so only you can access it when you enter a Secret Phrase. Firefox puts security as a top priority and syncing is no exception."

        I'm not sure how you actually use it.

        Also consider

        http://www.xmarks.com/about/features/bookmark_sync

        "It just works. Install Xmarks on each browser you use, and it will seamlessly keep your bookmarks, (and optionally) passwords and open tabs in sync."

        (1) Passwords?, and (2) using bookmarks on different -computers- may be a feature of the "Premium" product.

        I assume they aren't being foolishly casual about the security of customers' -passwords-.

        But maybe you should be looking for a password store with an add-on bookmark facility. (I assume they remember what the passwords are -for-.) There's "LastPass", although, did you hear...... oh dear.

  14. The Fuzzy Wotnot
    Pint

    Bears/Woods and Popes/RC

    Does anyone seriously think they do protect your stuff? I thought the whole purpose was simply dumping grounds to easily share data, maybe some very basic "protection" ie, we won't publish the links directly but you can find 'em if you try hard enough, sort of thing.

    I've found some great stuff nosing around file-sharing index sites, old comics and old IT manuals I have lost or only had in paper form. I've used these sites to share my photos with friends when we work on shared photo-manipulation projects, but I would never stick anything I seriously cared about on them as I have seen how easily the file-sharing indexers can find them and tell the world about them.

    1. Marvin the Martian
      Unhappy

      Popes/RC

      Your remotely-controlled pope scared me for a moment.

  15. dephormation.org.uk
    FAIL

    Vodafone & Bluecoat

    "Users may ... share [the URL] in a single email to prevent all but the recipient from downloading it."

    How so?

    While Vodafone are using Bluecoat ProxySG to covertly monitor private/confidential public communications... any URL you request will be covertly and illegally sent to the west coast of America for analysis, and use in a replay attack.

    Which is completely illegal in the UK, and a threat to national security.

    Or how about BT/Phorm? Stealing the content of communications on the fly?

  16. Anonymous Coward
    Alert

    Every cloud has a......

    ....vulnerable lining...

  17. A Non e-mouse Silver badge

    :-( *sigh*

    Numerically sequential IDs ?

    6 or 8 digit IDs ?

    I'm no security guru, but I'd be looking at using something like a UUID, seeded with some good entropy sources. Short, sequential keys aren't ever going to be secure.
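
    As an added example (not code from the article, the researchers, or any hosting site named in the thread), a Python model of why the automated guessing foo_bar_baz describes works against the sequential 6- and 8-digit IDs A Non e-mouse mentions, and not against 15-character random codes or UUIDs. The `FileHost` class, the file counts and the request budget are assumptions for illustration; the keyspace sizes are the arithmetic of each scheme.

```python
import math
import secrets
import string
import uuid

ALNUM = string.ascii_letters + string.digits     # 62 symbols

# Keyspace of each ID scheme mentioned in the thread.
KEYSPACE = {
    "sequential-6": 10 ** 6,
    "sequential-8": 10 ** 8,
    "alnum-15": 62 ** 15,     # 15-character alphanumeric code
    "uuid4": 2 ** 122,        # uuid4: 122 random bits (6 fixed by RFC 4122)
}


def entropy_bits(scheme):
    return math.log2(KEYSPACE[scheme])


def expected_hits(scheme, files_stored, guesses):
    """Expected number of existing files found with `guesses` requests.
    Sequential IDs are handed out densely from 1 upward, so walking the
    counter hits a live file on nearly every request; random IDs are sparse
    in their keyspace, so hits scale with files_stored / keyspace."""
    if scheme.startswith("sequential"):
        return min(guesses, files_stored)
    return guesses * files_stored / KEYSPACE[scheme]


def new_file_id(scheme="alnum-15"):
    """Unguessable ID from the OS CSPRNG; never from a counter or the clock."""
    if scheme == "uuid4":
        return str(uuid.uuid4())
    return "".join(secrets.choice(ALNUM) for _ in range(15))


class FileHost:
    """Toy hosting service (an assumption for this example): knowing the ID
    is the only 'authentication', as the thread describes."""

    def __init__(self, scheme):
        self.scheme = scheme          # "sequential", "alnum-15" or "uuid4"
        self.files = {}
        self._counter = 0

    def upload(self, name):
        if self.scheme == "sequential":
            self._counter += 1
            fid = str(self._counter)
        else:
            fid = new_file_id(self.scheme)
        self.files[fid] = name
        return fid

    def download(self, fid):
        return self.files.get(fid)


def enumerate_files(host, guesses):
    """Attacker with a request budget: walk the counter against a sequential
    host, or guess random IDs against a random one."""
    found = []
    for i in range(1, guesses + 1):
        fid = str(i) if host.scheme == "sequential" else new_file_id(host.scheme)
        if host.download(fid) is not None:
            found.append(fid)
    return found


def demo(files=1000, guesses=5000):
    """Hits per scheme for the same attacker budget (constructed scenario)."""
    results = {}
    for scheme in ("sequential", "alnum-15", "uuid4"):
        host = FileHost(scheme)
        for n in range(files):
            host.upload(f"private-{n}.zip")
        results[scheme] = len(enumerate_files(host, guesses))
    return results


if __name__ == "__main__":
    for s in KEYSPACE:
        print(f"{s:13s} {entropy_bits(s):6.1f} bits")
    print(demo())
```

    At 100 requests per second a full walk of 10^8 sequential IDs takes under twelve days and every populated ID is a hit; guessing 15-character codes at the same rate yields, in expectation, nothing. Random IDs are still capability URLs, though: they leak through referers, proxies and logs (the Bluecoat point raised later in the thread), so they stop enumeration but do not replace encrypting the file before upload.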

  18. Anonymous Coward
    Anonymous Coward

    file sharing

    Surely the main purpose of these sites is to get around the problems with torrents, ie. that you can be easily caught if downloading copyrighted content.

    Megaupload, rapidshare etc allow you to subscribe for fast downloads of (mainly) copyrighted material in a way that is very very unlikely to land you in court.

    So, it's not really in their interest to make their sites more secure.

  19. Wibble
    WTF?

    How do these file hotels make money?

    These file hotels make money by putting adverts onto pages. Therefore it's in their interest to maximise the number of page views.

    In any case, anyone expecting security for free gets everything they deserve.

  20. RainForestGuppy

    The real problem is:-

    These sites are great if you want to share that picture of Great Aunt Winifred's pet pug, but the problem is that most users believe if somebody offers a service like this on the internet it is safe to use for business purposes.

    I've seen people transferring sensitive and confidential material over these types of sites, without realizing that if anybody gets hold of the URL they can open the files.

  21. Charlie van Becelaere

    My, My.

    There's a shocking development. Never saw that one coming.

  22. Mark Serlin
    FAIL

    why would anyone think *that*

    Duh!

  23. dssf

    What about unauthorized traversal inspection of upload sources?

    Say you're uploading a file from your computer to some online site. That site provides a "Download file" button. You click it. Rather than copy and paste in the URL, you traverse directly (or sometimes in random fashion until the desired file shows up) to the file. Now, is it really impossible for such upstream sites to covertly traverse, inspect, plant into or extract from, and monitor computers when the user logs in?

    I for about 6 years have been wondering that. It seems that with web crawlers and hidden "Allow" scripts, it probably is child's play for malicious types and nosy investigators, police, and State entities to exploit users. Users whose systems are not file-encrypted (each file, not JUST the file system or hard drive, since disk-only encryption can mean the entire contents are exposed/unencrypted once the single password is correctly supplied) could be at great risk of being snooped when connected. This is why I ALWAYS yank the Ethernet or the USB antenna as soon as I have completed my log on purpose. I NEVER just walk away from home and leave my machine connected and unobserved unless it is for updates. This also is why I refuse to consume streaming media to my computer. So much is going on it is nearly impossible to refute the possibility of slipstreamed malicious or uninvited code.
