Thursday, March 17, 2011

Exposing the Lack of Privacy in File Hosting Services

The (in)security of File Hosting Services

File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: For each uploaded file, the user is given a secret URI that she can share with other users of her choice. In this paper, we present a study of 100 file hosting services and we show that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file list. Our experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a very big risk for the privacy of FHS users. Using a novel approach, we also demonstrate that attackers are aware of these vulnerabilities and are already exploiting them to get access to other users' files. Finally we present SecureFS, a client-side protection mechanism which can protect a user's files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.
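The weakness the abstract describes, predictable secret URIs, seen from the operator's side: this is an added example, not code from the paper or from any of the studied services. It contrasts a counter-based identifier with one drawn from a CSPRNG and audits a batch of issued identifiers for guessable neighbours; the base-36 counter scheme, the function names and the `max_step` threshold are assumptions made for illustration.

```python
import secrets
import string

# Assumed weak scheme: identifiers are a base-36 rendering of an upload counter.
ALPHABET = string.digits + string.ascii_lowercase


def sequential_id(counter: int, width: int = 8) -> str:
    """Weak: the upload counter, base-36 encoded and zero padded."""
    digits = ""
    while counter:
        counter, rem = divmod(counter, 36)
        digits = ALPHABET[rem] + digits
    return digits.rjust(width, "0")


def random_id(nbytes: int = 16) -> str:
    """Hardened: 128 bits from the OS CSPRNG, URL-safe encoded (22 chars)."""
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids: list[str], max_step: int = 1000) -> bool:
    """Operator-side audit of identifiers listed in issue order.

    True when they decode to integers that grow by small positive steps,
    meaning anyone holding one valid URI can guess its neighbours.
    """
    try:
        values = [int(i, 36) for i in ids]
    except ValueError:
        return False  # not base-36 at all, so not this weak scheme
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


if __name__ == "__main__":
    # Constructed sample: ten consecutive uploads under each scheme.
    weak = [sequential_id(n) for n in range(500000, 500010)]
    strong = [random_id() for _ in range(10)]
    print("counter-based:", weak[:3], "-> sequential?", looks_sequential(weak))
    print("CSPRNG-based: ", strong[:3], "-> sequential?", looks_sequential(strong))
```

An unguessable identifier only removes the enumeration problem; the URI still acts as a bearer secret, so anyone who obtains it can fetch the file.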

Download: PDF
