Friday, June 14, 2013

Cloud file-sharing vulnerability

Picture this scenario: a "cloud" file-sharing service, backed by some well-known investors and in business for a few years, lets clients share files and folders with others.

UserA sends a folder to UserB with no password protection (the default setting). The link arrives in an email as:

https://companyXYZ.unknown-filesharing-company.com/asdf.php?folderName=20130201&fileName=asdfasdf222

UserB visits the link. The browser's GET for that link is followed by a POST whose parameters look like this:

POST /publicPage.json HTTP/1.1

start=0&limit=1000&sort=f_name&dir=ASC&pubFolderPath=%2FShared%2FDocuments%2FSharedFolderName&userId=43211234&entryId=12ab34cd….&xsrfToken=321cba…