Exposing the Lack of Privacy in File Hosting Services
Source: Katholieke Universiteit Leuven
File Hosting Services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: for each uploaded file, the user is given a secret URI that she can share with other users of her choice. In this paper, the authors present a study of 100 file hosting services and show that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file lists. The authors' experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a serious risk to the privacy of FHS users.
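For a service operator, the weakness described above comes down to how the secret part of the URI is generated. The following is an added example, not code from the paper or from any service it studied: it sets a predictable identifier scheme beside a CSPRNG-based one and audits a sample of issued identifiers. The counter-based scheme, the function names and the 64-bit threshold are assumptions made for illustration.

```python
import math
import secrets
import string

MIN_BITS = 64  # assumed audit threshold, not a figure from the paper

# Character classes tried from narrowest to widest: (alphabet, effective size).
CLASSES = [
    (string.digits, 10),
    (string.hexdigits, 16),
    (string.ascii_letters + string.digits + "-_", 64),
]

def weak_file_id(counter):
    """Predictable scheme (assumed): a zero-padded upload counter."""
    return f"{counter:08d}"

def strong_file_id(nbytes=16):
    """128 bits from the OS CSPRNG; one ID reveals nothing about the others."""
    return secrets.token_urlsafe(nbytes)

def keyspace_bits(ids):
    """Upper bound on ID entropy from the shortest ID and its character class."""
    if not ids:
        return 0.0
    chars = set("".join(ids))
    shortest = min(len(i) for i in ids)
    for alphabet, size in CLASSES:
        if chars <= set(alphabet):
            return shortest * math.log2(size)
    return shortest * 8.0  # unknown alphabet: assume arbitrary bytes

def constant_stride(ids):
    """True when IDs issued in order are numbers separated by one fixed step."""
    if len(ids) < 3 or not all(i.isascii() and i.isdigit() for i in ids):
        return False
    nums = [int(i) for i in ids]
    return len({b - a for a, b in zip(nums, nums[1:])}) == 1

def audit_ids(ids):
    """Return findings for a sample of identifiers in the order they were issued."""
    findings = []
    if constant_stride(ids):
        findings.append("constant stride: any known ID determines its neighbours")
    bits = keyspace_bits(ids)
    if bits < MIN_BITS:
        findings.append(f"keyspace of at most {bits:.0f} bits is too small")
    return findings

if __name__ == "__main__":
    # Constructed samples: five consecutive uploads under each scheme.
    print(audit_ids([weak_file_id(n) for n in range(1000, 1005)]))
    print(audit_ids([strong_file_id() for _ in range(5)]))
```

An empty result from `audit_ids` only means these two checks passed; the identifier must still come from a cryptographically secure generator, as `strong_file_id` does.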