Spideroak HUGE Security Flaw

wt6g · #1 18th February 2011, 03:58 PM

I've evaluated about 15 offline storage systems this week, and one of the best was spideroak, but there's a huge issue in their shared folder structure and procedure.

When you make part of your data shareable you MUST share a folder from your original disk. This is a real pain. You cannot share specific files like you can on many others.

To initiate sharing your establish your unique username for sharing (different preferably than your spideroak username) the share name, and the room key (password).

While you might expect the share name to be part of the URL that guides you to the share which then accepts your password for access, thats not how it works. Instead spideroak gives you a URL that contains the PASSWORD and does not even mention the share name!!

Therefore anyone you give the URL to has direct access to the share you create (which is what you are trying to accomplish in general) but any browser THEY USE will remember the URL which contains the password, not the share name.

THIS IS A HUGE SECURITY ISSUE since you have no control over how an authorized user is going to access your data and from where and most users are not sophisticated enough to guard against the default intrusion they are going to leave behind.

I've brought this to the attention of their support team with no response as yet.

/Len

spideroak · #2 18th February 2011, 05:13 PM

FYI - SpiderOak ShareRooms aren't designed with passwords, but rather just secret URLs (that's the "Room Key".) Basically, anyone who knows the URL can access the share room. This is not a security flaw but by design.

All of spideroak.com is HTTPS, and Share Rooms aren't indexed by search engines, so the URLs basically are only known to whoever the author shares them with.

Aside from the ease of use of just being able to share a link, one of the reasons to just protect them with a secret URL instead of password auth is for easier interoperability with RSS feeds.

Also, there is the option for single file sharing. There's a "www" button on the View tab you can use for a one-time shared copy of any file (that file is decrypted and put in a holding area for 3 days, when the one time URL expires.)

jimwormold · #3 23rd May 2011, 10:05 AM

Hi

I am confused. I was under the impression that files were encrypted locally, and uploaded to spideroak. How then can these files be shared without sharing the original password used to encrypt them?

Jim

spideroak · #4 29th June 2011, 11:22 PM

Quote:

Originally Posted by jimwormold

Hi

I am confused. I was under the impression that files were encrypted locally, and uploaded to spideroak. How then can these files be shared without sharing the original password used to encrypt them?

Jim

You are absolutely correct. For the purpose of sharing the chosen files/folders only are decrypted using the client's security token.

All other data stay encrypted during this process and as soon as a shared folder/file expires or is disabled by the user, the shared data is again included in the encrypted data set.

I hope this answers your question!

Best,
Daniel @ SpiderOak Inc