"These services normally rely on a security-through- obscurity approach to enforce access control: For each uploaded file, the user is given a secret Uniform Resource Identifier (URI) that she can share with other users of her choice," they explain. But, the study they have conducted and during which they have tested a hundred of file hosting services has demonstrated that the larger part of these services generate URIs in a predictable fashion, which makes it trivial for attackers to "guess" them and access the files hosted on them.
Once a file hosting service receives the file and stores it, it immediately creates a URI that will be tied to that file and shares with the person who uploaded the file, who can then share it with as many people as she wants - post it on public forums, on social networks, send it via email, etc.
If the file is meant to be disclosed to a wider public, the fact that an attacker has found and accessed it doesn't present a problem. But, file hosting services are also used for sharing private files between two or more people that are simply too big to be sent by email, and those files are in general not intended for the eyes of anyone else beside the recipients of the emails containing the link to the file.
Well, of the 100 FHS tested, twelve are clearly not intended for storing personal documents since anyone can browse the uploaded files, and those services were discarded from the study. The researchers have then moved to upload a number of files to each of the remaining 88 services, and took note of the download URIs generated by them.
"Surprisingly, we noticed that 34 out of the 88 FHSs (38.6%) generated sequential IDs to identify the uploaded files. Hence, a hypothetical attacker could easily enumerate all private files hosted by a vulnerable FHS by repeatedly decreasing a valid ID (that can be easily obtained by uploading a test file)," they say.
Fourteen of those 34 FHSs also append the filename to the URI, make it harder for the attacker to guess, but some of the remaining twenty are unfortunately among the most popular FHSs.
"By enumerating sequential IDs, our crawler was able to retrieve information about 310,735 unique files in a period of 30 days," they explain. To find out just how many of those files were intended to be kept private, they searched for each associated URI on the Bing search engine. "Out of the 310,735 unique filenames extracted with our enumeration tool, Bing returned no search results for 168,320, thus classifying 54.16% of files as private.
To test the FHSs that use non sequential identifiers, they modified their enumerator tool to bruteforce the file identifiers - an approach that yielded considerable results in a rather short time when turned against identifiers that contain six or eight characters (both numeric and alphanumeric).
When talking about other flaws that can help an attacker, there are those tied to the software some FHSs use. Some vulnerabilities are present due to errors in design, and some due to implementation, but many of them are easily exploitable.
In the end, to find out if these kinds of attacks are currently being mounted in the wild, the researchers have devised and uploaded "honeyfiles" onto the FHSs and included sensitive information in one of them to see if the attackers would actually access and use the contents of the file and not just harvest it. The honeyfiles were rigged in such a way that every time one of them was opened, it would contact a domain set up by the researchers - a fake carding website.
"While we were initially skeptical of whether our ex- periment would provide positive results, the activity recorded on our monitor quickly proved us wrong," say the researchers. "Over the span of one month, users from over 80 unique IP addresses accessed the HoneyFiles we uploaded on 7 different FHSs for a total of 275 times. […] While most of the attacks originated from Russia, we also recorded accesses from 16 other countries from Europe, the United States and the Middle East, showing that this attack technique is used globally and it is not confined to a small group of attackers in a single location."
In the end, the researchers say that the only way to make sure that the files you want to keep private will remain private if you encrypt them or password-protect them. To bypass some of the difficulties with this approach, they also designed a Firefox extension called SecureFS, "which automatically encrypts/decrypts files upon upload/download and uses steganographic techniques to conceal the encrypted files and to present a fake one to the possible attackers."
They have also contacted a number of the FHSs they tested, and urged them to patch the flaws. Some already did, and others are working on it, but one decided not to change anything so that the performance of its database server isn't negatively affected. Unfortunately, the researchers didn't disclose the names of the tested services.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.