At first, the thing I will write today about
in short is not something new that I and only I came up with (since I am not some security research dude, I am just a common .NET dev), its something that has a lot of articles about (and its funny that some articles are perhaps 3 years old) :
and tech savvier users are using a lot (without even realizing) and that is :
copy over URL of image from lets say G+ and posting it over to FB, or getting the URL of some resource as such.
Go to your G+ feed, flick on an image, right click image and click on Copy image location (this time in FireFox) :
So you have URL like this (this is the image above): https://lh3.googleusercontent.com/-FkqW7ThbMcc/UP0Y7RRyTgI/AAAAAAAAUtA/KElCS3OUSIY/s800/599597_10151267147710219_2139233647_n.jpg
Its long and cryptic but its a URL and once you have it, you have the absolute position of image in Google’s cloud storage (btw this is how it works in general, also for Facebook CDN).
Its logical, files have to be stored somewhere, so you can access them (download them). But here comes trouble:
All of these big players are using CDNs – Content Delivery Networks. Using CDN is design decision and for each decision there is a price to pay. CDNs are dedicated machines that have only one purpose : serve content and serve it fast. You can picture them as warehouse stuffed with data. But without a map (or at least no public map, but there are some servers that index some type of URLs everywhere, like rapidshare files, etc.). When you have precise address of what you need, they will give this to you and since they are optimized for speed, data is cached and no cookies are sent back and forth so user in fact can’t be recognized and NO security decision is made whatsoever about if CDN should give you the content or not (this is true for solution from FB and Google, not for Microsoft, I will show you later). The logic behind if you should see some posts or content is made elsewhere, in the layer that sends you the HTML for your browser. You decide, to whom should these URLs will be revealed, BUT once someone will copy these and give them to someone else, then you are in trouble, he can access them and as I found out on Facebook, my image is there also after I deleted it, will see how long that will take to remove it completely. (and yes, of course even when this wouldn’t apply, someone could just copy images to his HDD and misuse them in any way).
So this is what I have found out about particular pages. I have chosen to dig deeper on 3 of those, on Facebook, Google Drive and on SkyDrive. I did my test with image, since I can only upload image to Facebook’s CDN so far and my investigation started with images and their security. (One might disagree on sites that I have chosen to compare, but I just want to elaborate more on security of place where the actual content is stored), I don’t want to harm any of these pages and I am also no trying to convince you about which one to use. However I personally understand why Facebook made his choice, but I don’t understand why Google Drive doesn’t have better security checks, since I don’t think there will be big load on files you want to share with colleagues, etc unless you are some celebrity or something.
Facebook stores its data on URLs like these ones :
There are no cookies (extra load) transferred with the request and there is no security check on these URLs, you are free to send them to whoever you see fit
- You even doesn’t have to be logged into Facebook to see content, since this is different domain then Facebook.
- No security rules apply to these links, try to set it to only me, link still works for everybody.
How to get to the URL of image: just right click it and “Copy image location”.
Deletion of image: even I have removed my image, its still there on the CDN, try this link (image was uploaded as private, then deleted today 21.1.2013 +-10CET):
However one of the posts in the beginning of this article says about some timeout for deletion of images, I will update the article once image will be removed.
Google stores files on URLs like this one :
Google drive and Google Plus and as far as I know Gmail, they all use same CDN to store our files. So what I did was, I uploaded image only for me and investigated on URL. Google made a small maneuver to trick user and that is, there is a div above the image with class name : tm-image-glass. So when you right click on an image, you don’t have “Copy image URL”. Anyway the don’t have this on Google Plus (you can right click and have the URL instantly).
Here you can see the request :
Same thing, file is served from URL I have found in Google Drive page, no cookies, no security, no restrictions. You don’t have to be logged to Google account. Why this decision, hard to say.
Deletion of image: Once the image is moved to bin, user will be replied with 403 error page, which is desired behavior. After I restored it, it was back online.
How to get to the image URL: little bit harder, you have to ding into the HTML like this :
Microsoft is also using dedicated CDN machines and image URL looks like this one :
SkyDrive the answer from Microsoft to all these cloud storage apps that came recently (same as Drive from Google). The intention is not to host just images, but also documents, etc. SkyDrive is checking who are you, when you want to access the image and will refuse give it to you, when you are not logged in with credentials of user, you gave permission to (I tried to log in with different account and that was just not enough).
However there is a price to pay:
And that is : cookies, cookies, lots of cookies, cookies everywhere!
Cookie monster would be happy.
I have also encountered some things that maybe shouldn’t be there, like X-MSNServer name :
or some 404s:
That really shouldn’t happen in production guys.
Deletion of image: when I removed the image, I had 404 from the server, after I restored it, it had same URL and I was able to access it.
How to get to the image URL: just dig deep in the HTML, its there:
There is no native right click menu of the browser, there is only customized menu from SkyDrive.
So the outcome/state, as I see it right now (21.1.2013) :
Facebook and Google Drive are using fast unsecured URLs, SkyDrive slower but secured (the are checking the cookies). The state might change, anyone can upgrade their systems and I hope that will happen sooner than later.
If you have any other findings, more information or you think I have missed some spot there, please feel free to comment or extend this article in any way. Thank you.