Thursday, March 17, 2011

Exposing the Lack of Privacy in File Hosting Services

The (in)security of File Hosting Services

Abstract
File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files.These services normally rely on a security-throughobscurity approach to enforce access control: For each uploaded file, the user is given a secret URI that she can share with other users of her choice.In this paper, we present a study of 100 file hosting services and we show that a significant percentage of them generate secret URIs in a predictable fashion,allowing attackers to enumerate their services and access their file list. Our experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a very big risk for the privacy of FHS users. Using a novel approach, we also demonstrate that attackers are aware of these vulnerabilities and are already exploiting them to get access to other users’files. Finally we present SecureFS, a client-side protection mechanism which can protect a user’s files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.

Download: PDF

No comments: