August 1, 2019

Be careful how you share files. Unguessable doesn't mean unleakable

Many online sharing services offer a convenient feature: sharing content via an unguessable link. Even a recipient who doesn't have an account for the service can still view the shared content.

Everyone who knows this URL can access the shared resources. That's why the URL should be random enough that no one can guess it. For instance, this is how it looks for Google Photos: https://photos.app.goo.gl/vj4PrfUfQZjXAkQXE.

I fabricated this link so it will result in an error message. But, feel free to click if you don't believe me!

Whilst the example from Google Photos is a shortened link and the random portion is only 17 characters long, it's still enormously hard to guess that link. Unfortunately, there is something that is overlooked and that could lead to your files falling into the wrong hands.

When the recipients of such links are suspicious, they might scan them with an online tool before opening them. Let's take urlscan.io as an example. You can just paste the link in the search field and start a public scan.

Most people will just push this button without asking questions. But the word "public" is important here. It's only when you click on the "Options" button that you will see that public means your search "Will show up on the front page and in searches."

Why do online scanning tools make searches public by default and what's the risk?

Urlscan.io is certainly not the only online scanning tool that uses the public-by-default approach. But the problem is that it's not clear to most people what a public scan means and what consequences it can have. If you scan links with valid tokens or unguessable links, everyone can find them via the search option.

And while you wanted to share your family pictures, by this one click on the public scan button the link is searchable on the internet and can be found by anyone. I think that scanning tools should really care a bit more about the privacy and security of their users and either give very clear warnings on the front page or, even better, make scans private by default.
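A pre-submission check for the leak described above, as an added example that is not from the original post: it flags URLs whose path or parameters look like an access token, so that they are scanned privately rather than publicly. The parameter names and thresholds are assumed heuristics.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristics, not taken from the post: parameter names that usually
# carry a secret, and thresholds for "looks like a random token".
SECRET_PARAMS = {"token", "access_token", "key", "sig", "signature", "auth"}
MIN_LEN = 16        # shorter strings are ignored
MIN_ENTROPY = 3.0   # Shannon entropy, bits per character


def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def looks_random(s: str) -> bool:
    """Long URL-safe string mixing at least two of lower/upper/digit.
    Errs towards flagging: a false positive only costs a private scan."""
    if len(s) < MIN_LEN or not re.fullmatch(r"[A-Za-z0-9_-]+", s):
        return False
    classes = sum(bool(re.search(p, s)) for p in ("[a-z]", "[A-Z]", "[0-9]"))
    return classes >= 2 and entropy(s) >= MIN_ENTROPY


def secret_parts(url: str) -> list[str]:
    """Return the parts of url that look like they grant access on their own."""
    parts = urlsplit(url)
    hits = [f"path:{seg}" for seg in parts.path.split("/") if looks_random(seg)]
    for name, value in parse_qsl(parts.query) + parse_qsl(parts.fragment):
        if name.lower() in SECRET_PARAMS or looks_random(value):
            hits.append(f"param:{name}")
    return hits


def scan_visibility(url: str) -> str:
    """'private' if the URL itself is the credential, otherwise 'public'."""
    return "private" if secret_parts(url) else "public"


if __name__ == "__main__":
    # The fabricated Google Photos link from the post, plus constructed samples.
    for u in ("https://photos.app.goo.gl/vj4PrfUfQZjXAkQXE",
              "https://example.com/download?file=report.pdf&token=abc",
              "https://example.com/blog/2019/08/sharing-files"):
        print(scan_visibility(u), secret_parts(u), u)
```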

Conclusion

When you use unguessable links to share content, the recipients could leak these links, which give unauthorized access to your files. This is out of your control and, depending on the nature of the files, it can have serious privacy and security implications for yourself or your company.

Don't share this kind of confidential data via Google Photos.

Always consider up front whether the convenience outweighs the potential risk. If not, make sure only authorized users can access your files.