
I have recently had to submit a number of confidential PDF documents to a website. These documents contain more than enough information to use in identity theft, and I can conceive how others using the same site would upload even more information.

When viewing these documents back through the website, I noticed that the method of protecting the content from unauthorised access is to use a long, apparently random string:

https://eu-apps.groupdocs.com/document-viewer/Embed/52e0810668cb44883d39448d57f11dc26ab3a9322ee6ce6217349ba10cef914a

I also note that this content is susceptible to sslstrip-type attacks, i.e. http can be used instead of https if forced using a MITM.

The lack of genuine access control to the document concerns me. Browser history, link sharing, sniffing if http is used; these all leak the document and how to access it.

There is already a question and response along these lines "Are random URLs a safe way to protect profile photos?", however, in this instance:

  • The asset is information that could lead to identity theft, rather than a profile picture.
  • A profile picture should be accessible by many others in most cases (at least anyone else signed into the same website, at most everyone). The documents in this case should at most be visible to three parties and be private from everyone else.
  • There is an attempt to conceal the URL using https which can easily be subverted.
  • The specific application is for independent adjudication in tenancy deposit disputes. The only parties who should see the documents are the tenant, landlord and adjudicator.

Is this considered adequate security?

Cybergibbons
  • Possible, yes. Though the thing being protected is very different. – Cybergibbons Mar 15 '15 at 10:08
  • Edited question for clarity. – Cybergibbons Mar 15 '15 at 10:17
  • Well, if you want to prevent https from being subverted or downgraded, such as in a MITM, set the HSTS header; that will prevent this. Recommend it to the web app in question. – racec0ndition Mar 15 '15 at 11:18
  • You don't clarify whether the site you are accessing has applied access control measures prior to accessing the document. If an authentication token is present and you access the page and it is served via a secure connection, it would be less of an issue – Greg Mar 15 '15 at 13:35
  • The site where the links are presented is another site entirely. There is no authentication or access control between the two - just the links on the other site to these documents. – Cybergibbons Mar 15 '15 at 14:18
  • If there are no other controls and the user is aware of the precautions as stated in other comments, it is adequate, assuming an attacker would need to guess the UUID, if it is truly random and not deterministic, to access the document. It is also dependent on the logging and auditing that takes place, how long the document remains accessible, whether the documents are indexed by search engines and the effort required to gain access to this information. – Greg Mar 15 '15 at 14:24
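The comments above recommend HSTS against the sslstrip downgrade and raise browser cache, link leakage and search-engine indexing. The following is an added example, not code from the questioner, GroupDocs or the adjudication site: a minimal WSGI viewer that never serves a document over plain http, redirects to https, and sets the response headers that close those leak paths. The viewer path prefix, the in-memory document store, the sample token and PDF bytes, and the header values are all assumptions made for the example.

```python
"""Added example (not GroupDocs' code): capability-URL document viewer that
refuses plain http and sets headers against cache, Referer and indexing leaks.
Paths, the store and the header values are assumptions."""
from wsgiref.util import setup_testing_defaults

VIEWER_PREFIX = "/document-viewer/Embed/"

# Constructed sample data: a 64-hex-char token (same length as the URL in the
# question) mapped to a stand-in PDF.  A real service keeps this in a database.
SAMPLE_TOKEN = "4f2c9e7b" * 8
SAMPLE_PDF = b"%PDF-1.4 constructed sample document"
DOCUMENTS = {SAMPLE_TOKEN: SAMPLE_PDF}

# Headers added to every https response.  HSTS is only sent over https:
# browsers ignore it on http, so sending it on the redirect would be pointless.
SECURE_RESPONSE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-store"),          # nothing written to the disk cache
    ("Referrer-Policy", "no-referrer"),     # the token never leaves in a Referer header
    ("X-Robots-Tag", "noindex, nofollow"),  # a crawler that finds a link must not index it
    ("X-Content-Type-Options", "nosniff"),
]


def viewer_app(environ, start_response):
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "")

    if scheme != "https":
        # A plain-http request (a typed URL, or a victim behind sslstrip) gets
        # a redirect and never the content.  An active MITM can still strip the
        # redirect, which is exactly why the HSTS header on the https side
        # (and ideally HSTS preloading) is the real defence.
        start_response("301 Moved Permanently",
                       [("Location", "https://" + host + path),
                        ("Cache-Control", "no-store")])
        return [b""]

    token = path[len(VIEWER_PREFIX):] if path.startswith(VIEWER_PREFIX) else None
    content = DOCUMENTS.get(token) if token else None
    if content is None:
        # Identical response for a bad path and an unknown token.
        start_response("404 Not Found",
                       [("Content-Type", "text/plain")] + SECURE_RESPONSE_HEADERS)
        return [b"not found"]

    start_response("200 OK",
                   [("Content-Type", "application/pdf")] + SECURE_RESPONSE_HEADERS)
    return [content]


def simulate(app, scheme, path, host="eu-apps.groupdocs.com"):
    """Drive the app with a constructed WSGI environ (no network involved) and
    return (status line, headers as a dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    environ["HTTP_HOST"] = host
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for scheme in ("http", "https"):
        status, headers, _ = simulate(viewer_app, scheme, VIEWER_PREFIX + SAMPLE_TOKEN)
        print(scheme, status, headers.get("Location") or headers.get("Strict-Transport-Security"))
```

Note the limit of the server-side fix: HSTS only takes effect after the browser has completed one genuine https visit (or the domain is on the preload list), so a first-time visitor on a hostile network is still exposed to the downgrade the question describes.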

1 Answer

I would say: a long random URL is essentially a password. So it's still an adequate access control.

Compare, for example, going to http://www.example.org/login.php and typing username=admin password=somelongrandompassword, with simply going to http://www.example.org/login.php?login=admin-somelongrandompassword

Yes, there are some attack methods that would not have existed if a normal login had been used, for example poking in browser history, link sharing and so on.

But you as an end user must be cautious too, and must:

  • not use the website from a publicly accessible computer (or ensure it is a computer designed to "reset" each session so any sensitive information in cache, history and cookies is cleared).
  • not share the link with unauthorized persons.
  • watch out if the SSL indicator is not present.

And of course, the administrators who requested you to submit the documents (who use the documents in one way or another) must take the same care, but I think the administrators are well aware that the links contain the authentication information for accessing the documents.

sebastian nielsen
  • If considering it a password, then isn't it a bad idea as everyone accessing the document has the same password? – Cybergibbons Mar 15 '15 at 10:20
  • No, as long as the password is document-unique and not account-unique. Note that normally, cloud-hosted solutions rarely have access logging, so a unique account per user would still not gain anything in auditability compared to the "one account per document" model. However, if the URL is account-unique, it would be possible to access all documents belonging to a specific user even if you were only given one single document. – sebastian nielsen Mar 15 '15 at 10:26
  • What does "cloud based" mean in this context? – Cybergibbons Mar 15 '15 at 10:31
  • That it's a third-party solution. In many contexts, SaaS rarely has access logging. Yes, the solution has "back-end" logs, but those are not generally available to the "customer" of the service (e.g. the one paying for the service). – sebastian nielsen Mar 15 '15 at 10:33
  • Is audit-ability a concern though? The URL is unique per document but there is no concept of an account in the system. – Cybergibbons Mar 15 '15 at 11:05
  • I mean, if I see a password being sent as a GET or unencrypted POST, that's a serious issue to me. Trying to work out why this is different. – Cybergibbons Mar 15 '15 at 11:06
  • There are accounts in the system for the administrator from what I can see, but as the URLs are document-specific (knowing the URL of document 1 does not give you access to document 2), the system is completely secure. If the page which SERVES the links is served over forced HTTPS, you are completely safe from sniffing, since even if HTTPS is not forced on the groupdocs site, the links will not be transferred in cleartext before you click on them; thus you can avoid compromise by not clicking the links when on an insecure network (for example, wifi). – sebastian nielsen Mar 15 '15 at 18:27
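The answer's framing, "a long random URL is essentially a password", and the comment thread's points about document-unique versus account-unique tokens, lifetime and logging, translate into concrete server-side handling. The following is an added example, not the site's, GroupDocs' or the answerer's code: a document store that treats the URL segment as a password, generating it from a CSPRNG, keeping only its SHA-256 digest at rest, scoping each token to exactly one document, supporting revocation and expiry, and keeping the token itself out of the access log. The class, its field names, the injectable clock and the 30-day default lifetime are assumptions made for the example.

```python
"""Added example (not the site's code): capability tokens handled as passwords.
Class and field names, the clock injection and the lifetime are assumptions."""
import hashlib
import secrets
import time

TOKEN_BYTES = 32   # 256 bits of entropy -> 64 hex chars, like the URL in the question
HEX_DIGITS = set("0123456789abcdef")


def token_fingerprint(token):
    # One-way digest.  A dump of the store or of the log exposes this, not the
    # token.  Because the token already has 256 bits of entropy, the slow
    # hashes used for human passwords (bcrypt, scrypt) buy nothing here.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class DocumentStore:
    def __init__(self, ttl_seconds=30 * 24 * 3600, clock=time.time):
        self._records = {}        # fingerprint -> record; tokens are never stored
        self._ttl = ttl_seconds
        self._clock = clock       # injectable so expiry can be exercised offline
        self.access_log = []      # (timestamp, document_id or None, outcome)

    def issue(self, document_id, content):
        """Mint a fresh, document-unique token and return it exactly once.
        Holding this token says nothing about any other document's token."""
        token = secrets.token_hex(TOKEN_BYTES)
        self._records[token_fingerprint(token)] = {
            "document_id": document_id,
            "content": content,
            "issued_at": self._clock(),
            "revoked": False,
        }
        return token

    def fetch(self, token):
        """Return the document for a live token, else None.
        The dict is keyed by the one-way fingerprint, so any timing difference
        in the lookup concerns the digest, which cannot be inverted to a token."""
        now = self._clock()
        if len(token) != 2 * TOKEN_BYTES or not set(token) <= HEX_DIGITS:
            self.access_log.append((now, None, "malformed"))
            return None
        rec = self._records.get(token_fingerprint(token))
        if rec is None:
            self.access_log.append((now, None, "unknown"))
            return None
        if rec["revoked"]:
            self.access_log.append((now, rec["document_id"], "revoked"))
            return None
        if now - rec["issued_at"] > self._ttl:
            self.access_log.append((now, rec["document_id"], "expired"))
            return None
        self.access_log.append((now, rec["document_id"], "ok"))
        return rec["content"]

    def revoke(self, token):
        """Kill one shared or leaked link without touching any other document."""
        rec = self._records.get(token_fingerprint(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True


def demo():
    """Constructed walk-through: two documents in one dispute, a link that was
    forwarded and gets revoked, and a token that outlives its lifetime."""
    fake_now = [1_000_000.0]
    store = DocumentStore(ttl_seconds=60, clock=lambda: fake_now[0])
    t1 = store.issue("dispute-1/tenancy-agreement", b"%PDF tenancy agreement")
    t2 = store.issue("dispute-1/bank-statement", b"%PDF bank statement")
    results = {
        "t1_ok": store.fetch(t1) == b"%PDF tenancy agreement",
        "t1_not_t2": store.fetch(t1) != store.fetch(t2),
        "guess_fails": store.fetch("0" * 64) is None,
        "malformed_fails": store.fetch("../etc/passwd") is None,
    }
    store.revoke(t2)                   # the bank statement link was forwarded
    results["revoked_fails"] = store.fetch(t2) is None
    results["t1_still_ok"] = store.fetch(t1) is not None
    fake_now[0] += 61                  # beyond the 60 s lifetime used in the demo
    results["expired_fails"] = store.fetch(t1) is None
    # The token must never appear in the log, only the document id and outcome.
    results["log_clean"] = all(t1 not in str(e) and t2 not in str(e)
                               for e in store.access_log)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'pass' if ok else 'FAIL'}")
```

The log discipline is the part that most often goes wrong in practice: because the token travels in a GET URL, a default web-server or reverse-proxy access log records it in full, which is the "password sent as a GET" concern raised in the comments above. Hash-at-rest only helps if every place the raw URL is written (front-end logs, analytics, error reports) is treated the same way.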