File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: for each uploaded file, the user is given a secret URI that she can share with other users of her choice. In this paper, we present a study of 100 file hosting services and we show that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file list. Our experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a very big risk for the privacy of FHS users. Using a novel approach, we also demonstrate that attackers are aware of these vulnerabilities and are already exploiting them to get access to other users' files. Finally, we present SecureFS, a client-side protection mechanism which can protect a user's files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.
Exposing the lack of privacy in file hosting services
LEET 2011, 4th Usenix Workshop on Large-Scale Exploits and Emergent Threats, March 29th, 2011, Boston, USA
Type:
Conference
City:
Boston
Date:
2011-03-29
Department:
Digital Security
Eurecom Ref:
3349
Copyright:
Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in LEET 2011, 4th Usenix Workshop on Large-Scale Exploits and Emergent Threats, March 29th, 2011, Boston, USA and is available at :
See also:
PERMALINK : https://www.eurecom.fr/publication/3349