Fedora Linux Support Community & Resources Center
  #1  
Old 18th February 2011, 04:58 PM
wt6g Offline
Registered User
 
Join Date: Jun 2005
Posts: 179
Spideroak HUGE Security Flaw

I've evaluated about 15 offline storage systems this week, and one of the best was spideroak, but there's a huge issue in their shared folder structure and procedure.

When you make part of your data shareable you MUST share a folder from your original disk. This is a real pain. You cannot share specific files like you can on many others.

To initiate sharing you establish your unique username for sharing (different preferably than your spideroak username), the share name, and the room key (password).

While you might expect the share name to be part of the URL that guides you to the share which then accepts your password for access, that's not how it works. Instead spideroak gives you a URL that contains the PASSWORD and does not even mention the share name!!

Therefore anyone you give the URL to has direct access to the share you create (which is what you are trying to accomplish in general) but any browser THEY USE will remember the URL which contains the password, not the share name.

THIS IS A HUGE SECURITY ISSUE since you have no control over how an authorized user is going to access your data and from where and most users are not sophisticated enough to guard against the default intrusion they are going to leave behind.

I've brought this to the attention of their support team with no response as yet.

/Len
__________________
Len Umina
El Dorado Hills, CA
WT6G
  #2  
Old 18th February 2011, 06:13 PM
spideroak Offline
Registered User
 
Join Date: Feb 2011
Posts: 2
Re: Spideroak HUGE Security Flaw

FYI - SpiderOak ShareRooms aren't designed with passwords, but rather just secret URLs (that's the "Room Key".) Basically, anyone who knows the URL can access the share room. This is not a security flaw but by design.

All of spideroak.com is HTTPS, and Share Rooms aren't indexed by search engines, so the URLs basically are only known to whoever the author shares them with.

Aside from the ease of use of just being able to share a link, one of the reasons to just protect them with a secret URL instead of password auth is for easier interoperability with RSS feeds.

Also, there is the option for single file sharing. There's a "www" button on the View tab you can use for a one-time shared copy of any file (that file is decrypted and put in a holding area for 3 days, when the one time URL expires.)
  #3  
Old 23rd May 2011, 10:05 AM
jimwormold Offline
Registered User
 
Join Date: May 2011
Posts: 1
Re: Spideroak HUGE Security Flaw

Hi

I am confused. I was under the impression that files were encrypted locally, and uploaded to spideroak. How then can these files be shared without sharing the original password used to encrypt them?

Jim
  #4  
Old 29th June 2011, 11:22 PM
spideroak Offline
Registered User
 
Join Date: Feb 2011
Posts: 2
Re: Spideroak HUGE Security Flaw

Quote:
Originally Posted by jimwormold
Hi

I am confused. I was under the impression that files were encrypted locally, and uploaded to spideroak. How then can these files be shared without sharing the original password used to encrypt them?

Jim

You are absolutely correct. For the purpose of sharing, the chosen files/folders only are decrypted using the client's security token.

All other data stay encrypted during this process and as soon as a shared folder/file expires or is disabled by the user, the shared data is again included in the encrypted data set.

I hope this answers your question!

Best,
Daniel @ SpiderOak Inc
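
Added illustration (not part of the thread and not SpiderOak's implementation): the secret-URL design described in post #2 makes the link itself a bearer credential, so what a server can control is how long the link works, whether it can be revoked, and whether it leaks through logs or Referer headers. The host `share.example`, the `/s/` path, and every class and function name below are assumptions made for the sketch.

```python
import hashlib
import re
import secrets

TTL = 3 * 24 * 3600  # 3 days, matching the one-time file links in post #2
BASE = "https://share.example/s/"  # hypothetical share endpoint

# Response headers that keep the secret URL out of Referer and shared caches.
SHARE_HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def _digest(url):
    """Hash the token part of a share URL; only this value is stored."""
    token = url.rsplit("/", 1)[-1]
    return hashlib.sha256(token.encode()).hexdigest()


class ShareStore:
    """Hypothetical server-side table of secret-URL shares."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> [path, expires_at, uses_left]

    def mint(self, path, now, uses=None):
        # 256 random bits: the URL cannot be guessed, only leaked.
        url = BASE + secrets.token_urlsafe(32)
        self._rows[_digest(url)] = [path, now + TTL, uses]
        return url

    def resolve(self, url, now):
        row = self._rows.get(_digest(url))
        if row is None or now >= row[1] or row[2] == 0:
            return None  # unknown, expired, or used up
        if row[2] is not None:
            row[2] -= 1  # count down one-time links
        return row[0]

    def revoke(self, url):
        # The owner's only remedy once a link sits in someone's history.
        return self._rows.pop(_digest(url), None) is not None


def redact(log_line):
    """Strip share tokens from access-log lines before they are stored."""
    return re.sub(r"(/s/)[A-Za-z0-9_-]+", r"\1[REDACTED]", log_line)
```

Nothing here removes the link from a recipient's browser history; expiry and `revoke` only bound how long a remembered link stays useful.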