Information Security
Qeinzo, 2022-04-02 12:12:31

Is it normal for files to be accessed by unauthorized users via a link?

My company works with a major supplier of technical equipment. We exchange documents and scans with each other on the supplier's corporate website. I noticed that on this site a long link made up of a jumble of characters is generated for each file. This link is accessible even to an unauthorized user.

Tell me, is it normal practice to keep such files available via a link? I understand that they are not indexed and are unlikely to be picked up by scraping, but still.


3 answers
SKEPTIC, 2022-04-02
@Qeinzo

The link itself is unlikely to be picked up by anyone.
There is another problem: access to the documents by unauthorized persons. The link may be leaked in some way, or it may be transmitted by an employee over a compromised communication channel. It may be that an employee sends this link to himself through his social network account, the account is later hacked, and the document leaks.
Therefore, there are at least 2 solutions:
1. Access to the document after authorization (the user logs in to his personal account and has access to the files available to him)
2. Access via a "long" link with a time limit (this is in fact a crutch, but it is used in many places. In the same S3 you can get a temporary link. It can be bound to an IP and anything else)

nApoBo3, 2022-04-02
@nApoBo3

The only question is the level of access to the documents in question. If there are restrictions on access, then no, it is not normal; if there are no restrictions, then yes, it is normal. A threat model does not allow closing a threat through obscurity.

calculator212, 2022-04-02
@calculator212

"Tell me, is it normal practice to keep such files available via a link?"
Not normal at all, but as mentioned above, if these documents give nothing to an attacker or represent no value, then in general it is not very important. But if there is important data there, then at least add authorization.
