Public bug reported:
Binary package hint: ubuntuone-client
When publishing files via ubuntuone it looks like the URLs are assigned in a
consecutive order (Aaa, Aab, Aac,...). I don't think this is a good idea. They
should contain some kind of randomness. Just by trying some addresses I was
able to download some files containing possibly sensitive data.
And it would be easy to write a script that downloads many files, enabling me to
get a specific file only by knowing that it was published but without the exact
address.
Just imagine a possible scenario: I get the information that my boss
uses ubuntu one to get an important paper to somebody else. With a
little knowledge of when it was published it is easy to guess the address
and get the file without even knowing the filename. I know ubuntuone is
not a high-security service, but the seemingly cryptic URL and the
fact that other file hosters like rapidshare or megaupload are using
randomized addresses give the user a false impression of security.
** Affects: ubuntuone-client (Ubuntu)
Importance: Undecided
Status: New
--
publish url should not be guessable
https://bugs.launchpad.net/bugs/611015
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
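The enumeration the reporter describes, and the fix they ask for, as an added example (this is not code from ubuntuone-client and not the reporter's script). The report only shows the slugs "Aaa, Aab, Aac", so the base-52 alphabet, its ordering and the three-character width below are illustrative assumptions, as are all function names; the point is that a counter-derived slug can be decoded back to the counter and walked forward, while a slug drawn from the OS CSPRNG cannot:

```python
import secrets
import string

# Assumed alphabet for the sequential scheme. The report only shows "Aaa, Aab, Aac";
# the real ubuntuone-client encoding is not on the page, so this base-52 ordering
# (a-z then A-Z) and the 3-character width are illustrative assumptions.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase
BASE = len(ALPHABET)
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def encode_sequential(counter: int, width: int = 3) -> str:
    """Guessable scheme: map the n-th published file to a fixed-width base-52 slug."""
    if counter < 0 or counter >= BASE ** width:
        raise ValueError("counter out of range for this width")
    chars = []
    for _ in range(width):
        counter, rem = divmod(counter, BASE)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))


def decode_sequential(slug: str) -> int:
    """Recover the publish counter from a slug; this is what makes the scheme enumerable."""
    n = 0
    for ch in slug:
        if ch not in INDEX:
            raise ValueError(f"unexpected character {ch!r}")
        n = n * BASE + INDEX[ch]
    return n


def enumerate_after(slug: str, count: int) -> list:
    """The attack from the report: from one known URL, list the next `count` slugs
    an attacker would try. Knowing roughly when a file was published narrows
    the window further, so the attacker need not walk the whole space."""
    start = decode_sequential(slug)
    return [encode_sequential(start + i, len(slug)) for i in range(1, count + 1)]


def sequential_space(width: int = 3) -> int:
    """Total number of slugs in the sequential scheme (52**3 = 140608 for width 3)."""
    return BASE ** width


def random_slug(nbytes: int = 16) -> str:
    """Hardened scheme: an unguessable slug from the OS CSPRNG (128 bits of entropy
    for 16 bytes). No relationship between consecutive publishes survives."""
    return secrets.token_urlsafe(nbytes)


def success_probability(attempts: int, entropy_bits: int) -> float:
    """Chance that `attempts` blind guesses hit one specific slug of the given entropy."""
    return min(1.0, attempts / 2.0 ** entropy_bits)


if __name__ == "__main__":
    observed = "Aaa"  # constructed: one slug the attacker already knows
    print("next guesses after", observed, ":", enumerate_after(observed, 5))
    print("sequential space size:", sequential_space())
    print("random slug example:", random_slug())
    print("P(hit one random slug after trying the whole sequential space):",
          success_probability(sequential_space(), 128))
```

Walking the sequential space is cheap: 52**3 slugs is about 2**17, which a single script can request in well under a day, and a publish-time hint shrinks that to a handful of guesses. Against a 128-bit random slug the same number of requests yields a hit probability around 2**-111, so the URL is only as "secret" as the entropy that went into it.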