File-hosting sites' security 'extremely weak'


Online storage services are not as secure as they claim to be, according to researchers.

Private files stored on cloud sites could be easily accessed by attackers, warned academics from the Katholieke Universiteit Leuven in Belgium and France's Institute Eurecom, after examining 100 file hosting services.

The researchers found that a “large percentage” of file-hosting services generated the supposedly secret download URIs for uploaded files in a predictable way, making them easy to guess.

“While these services claim that these URIs are secret and cannot be guessed, our study shows that this is far from true,” the report said. “A significant percentage of file-hosting services generate the ‘secret’ URIs in a predictable fashion, allowing attackers to easily get access to content that was uploaded by other users.”

According to the researchers, one easy method for finding private documents involved uploading a series of test files to the services, and noting the IDs for each file.

With this information, the researchers said a hacker could easily work out the identifiers for earlier files posted by other people.

“The privacy provided by 20 service providers was extremely weak, relying only on a sequential ID to protect the users’ uploaded data,” the report said.

“Unfortunately, the problem is extremely serious since the list of insecure file hosting sites using sequential IDs also includes some of the most popular names.”
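The weakness the report describes comes down to how a service mints the identifier in each download URI. The following added example (not code from the study or from any of the named services) contrasts a sequential counter, the scheme the report criticises, with a random token from the operating system's CSPRNG, and gives an operator a self-check that an ID scheme is at least not trivially predictable. The starting counter value, the alphabet and the 64-bit threshold are assumptions chosen for illustration.

```python
import math
import secrets


# Weak scheme (constructed to mirror the pattern the report describes, not any
# real service's code): a per-upload counter is exposed directly as the file ID.
class SequentialIdService:
    def __init__(self, start=104233):  # assumed starting value
        self._next = start

    def new_id(self):
        fid = str(self._next)
        self._next += 1
        return fid


# Hardened scheme: 128 bits from the OS CSPRNG, URL-safe base64 encoded (22 chars).
def secure_file_id(nbytes=16):
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids, max_gap=1000):
    """Audit heuristic: True when every ID is numeric and each consecutive pair
    issued to the auditor lies within max_gap of the previous one. A service that
    passes this test reveals, from two uploads, the whole range of identifiers it
    handed out in between, which is the exposure the report warns about."""
    if len(ids) < 2 or not all(i.isdigit() for i in ids):
        return False
    return all(0 < int(b) - int(a) <= max_gap for a, b in zip(ids, ids[1:]))


def max_entropy_bits(ids):
    """Upper bound on the unpredictability of an ID scheme: log2(alphabet^length)
    using the alphabet and length actually observed. A counter never approaches
    this bound, so a high value is necessary but not sufficient."""
    alphabet = set("".join(ids))
    length = min(len(i) for i in ids)
    return length * math.log2(len(alphabet))


def audit(ids, min_bits=64):
    """Summarise an ID sample the way an operator's self-check would: the scheme is
    acceptable only if it is neither sequential nor from a tiny ID space."""
    sequential = looks_sequential(ids)
    bits = max_entropy_bits(ids)
    return {
        "sequential": sequential,
        "max_entropy_bits": round(bits, 1),
        "acceptable": (not sequential) and bits >= min_bits,
    }


if __name__ == "__main__":
    svc = SequentialIdService()
    weak = [svc.new_id() for _ in range(4)]
    strong = [secure_file_id() for _ in range(4)]
    print("counter IDs :", weak, audit(weak))
    print("random IDs  :", strong, audit(strong))
```

The check is deliberately simple: it flags the two failure modes the report names (IDs that step by small increments, and an ID space small enough to walk) and nothing subtler, so passing it does not prove a scheme is safe, only that it is not broken in the way the study found.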

The report didn't point the finger at any service in particular, but name-checked RapidShare, FileFactory and Easyshare in the damning document.

During a month's testing, the researchers said they were able to extract more than 168,000 private files.

Often such vulnerabilities are merely academic possibilities, but according to the researchers attackers are already targeting the weak sites, a claim they backed up by posting honey-trap files to the hosting sites and monitoring how often they were accessed.

The researchers said that over only one month, users from over 80 unique IP addresses had accessed their supposedly private bait files.

The planted files were loaded with fake credit card details and accessed a total of 275 times across seven different file hosting sites, the report said.
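The honey-trap measurement above is an access-log question: which planted file IDs were fetched, how many times, and from how many distinct addresses. The following added example (not from the study) answers it over a constructed Common Log Format excerpt, and also flags the trace a sequential-ID walk leaves behind, namely one client requesting a run of consecutive numeric IDs. The bait IDs, the `/files/<id>` path layout and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (Common Log Format); sample data, not from the study.
# bait-0001 and bait-0002 are assumed to be the planted honey-trap files.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [10/Jan/2011:12:00:01 +0000] "GET /files/104233 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2011:12:00:02 +0000] "GET /files/104234 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2011:12:00:03 +0000] "GET /files/104235 HTTP/1.1" 404 0
203.0.113.5 - - [10/Jan/2011:12:00:04 +0000] "GET /files/104236 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2011:12:00:05 +0000] "GET /files/bait-0001 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2011:12:05:10 +0000] "GET /files/bait-0001 HTTP/1.1" 200 2048
192.0.2.9 - - [10/Jan/2011:13:00:00 +0000] "GET /files/bait-0002 HTTP/1.1" 200 2048
192.0.2.9 - - [10/Jan/2011:13:00:01 +0000] "GET /files/bait-0002 HTTP/1.1" 200 2048
192.0.2.9 - - [10/Jan/2011:13:30:00 +0000] "GET /files/bait-0001 HTTP/1.1" 200 2048
"""
BAIT_IDS = {"bait-0001", "bait-0002"}

# Client IP, timestamp, method, file ID under the assumed /files/ prefix, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) /files/(?P<fid>[^ ?]+) [^"]*" (?P<status>\d{3})'
)


def parse_log(log_text):
    """Yield (ip, file_id, status) for each line that matches the expected format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("fid"), int(m.group("status"))


def bait_report(log_text, bait_ids):
    """Per bait file: number of successful fetches and the distinct IPs behind them."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for ip, fid, status in parse_log(log_text):
        if fid in bait_ids and status == 200:
            hits[fid] += 1
            ips[fid].add(ip)
    return {fid: {"hits": hits[fid], "unique_ips": sorted(ips[fid])} for fid in hits}


def scanning_ips(log_text, min_run=3):
    """Flag IPs that requested a run of consecutive numeric IDs, the footprint of
    walking a sequential ID space. Status codes are ignored on purpose: a 404 in the
    middle of a run is itself a sign of probing for IDs that were never issued."""
    requested = defaultdict(set)
    for ip, fid, _ in parse_log(log_text):
        if fid.isdigit():
            requested[ip].add(int(fid))
    flagged = {}
    for ip, ids in requested.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(bait_report(CONSTRUCTED_LOG, BAIT_IDS))
    print(scanning_ips(CONSTRUCTED_LOG))
```

Counting distinct IPs rather than raw hits is what makes the bait measurement meaningful, since a single curious client can fetch the same file many times; the run detector complements it by surfacing the client behaviour that precedes a bait hit on a sequential-ID site.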

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing