The Safe (and Unsafe) Ways to Use Public Links for Collaboration
Earlier this week, security firm Adversis published an article that exposed a vulnerability at a consumer-grade file sharing provider, one created by the use of public links. For those who may not be familiar, many content collaboration solutions allow users to create links to one or more files or folders that can easily be shared internally or externally via text, email, social media, etc.
Adversis utilized standard intelligence gathering techniques and a relatively large wordlist to execute an attack on that provider’s subdomains, looking for any public links they could find - specifically ones with sensitive information.
Adversis was successful in their efforts, finding hundreds of thousands of documents and terabytes of data exposed for public consumption. Those documents included passport photos, social security numbers, financial documents, intellectual property, and much more.
Naturally, this caused a wave of panic, not just for the 90+ businesses that were affected, but for any business that uses link sharing to collaborate. Our team at Egnyte received a number of calls and emails from our customers, partners, and prospects, concerned about their risk of exposure due to the use of public links. The most common questions were:
- “Are public links unsafe to use?”
- “If we used public links, is our data exposed?”
- “Should we disable public links for our entire company?”
- “What do we do next?”
These were all great questions given the volume of coverage and the gravity of the situation. With Egnyte Connect, our content collaboration solution, all links are protected from the beginning. Each Egnyte Connect link contains a randomly generated 10-character string, which creates roughly 840 quadrillion combinations per customer. Even with the most sophisticated system that could test millions of URLs a day (which we would notice and block), it would be nearly impossible to find any links even if you ran it for years. Therefore, your data is not necessarily exposed when using public links and you do not need to disable public links for your entire company.
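The keyspace arithmetic behind that claim, as an added example (not Egnyte's code). It assumes a 62-symbol alphanumeric alphabet, which is what gives roughly 840 quadrillion values for 10 characters; the page states only the total. The live-link count and guess rate used below are constructed figures.

```python
import math
import secrets
import string

# Assumption: upper/lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 10  # link length stated on the page


def new_link_token(length=TOKEN_LEN):
    """Draw a link token from the OS CSPRNG (never from random.random())."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace(length=TOKEN_LEN, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_years_to_first_hit(live_links, guesses_per_day, space=None):
    """Expected years of uniform guessing before ANY live link is found.

    Each guess succeeds with probability live_links / space, so the mean
    number of guesses needed is space / live_links (geometric distribution).
    """
    space = space or keyspace()
    return (space / live_links) / guesses_per_day / 365


def hit_probability(live_links, guesses, space=None):
    """Chance that at least one of `guesses` lands on a live link."""
    space = space or keyspace()
    p = live_links / space
    # 1 - (1 - p)**guesses, computed stably for very small p
    return -math.expm1(guesses * math.log1p(-p))


if __name__ == "__main__":
    links, rate = 100_000, 10_000_000  # constructed figures, not from the page
    print("sample token:", new_link_token())
    print(f"keyspace: {keyspace():,} (~{math.log2(keyspace()):.1f} bits)")
    print(f"expected years to first hit: {expected_years_to_first_hit(links, rate):,.0f}")
    print(f"hit chance in one year: {hit_probability(links, rate * 365):.4%}")
```

The per-guess success chance scales with the number of live links, so the margin shrinks as a tenant accumulates links; the estimate also only holds when tokens come from a cryptographic random source rather than a guessable naming scheme.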
Your business and your users should feel comfortable utilizing public links in a number of different scenarios. Whether you want to share photos of a recent event with the public on social media or maybe there is a new ad campaign that has gone live and you want to make sure internal and external stakeholders have access to it - both are great use cases for public links.
There are also times when sensitive information calls for additional protection. Egnyte’s content platform has an array of security features that users and administrators can leverage to provide that extra layer of security and privacy. We highly recommend the following features to our Egnyte Connect customers when using links to collaborate:
- Link Passwords - A link password can be customized or a random one can be generated for any piece of content you would like to share. If a link ends up in the wrong hands a password will ensure that they still cannot access the file.
- Link Expiration Dates - Expiration dates can be applied to links both in the form of time and in the form of clicks. This ensures that a viewer only has a set window of opportunity to view a piece of content, whether it is 8 hours or 8 clicks.
- Link Disabling - Some files or folders may be deemed particularly sensitive and the administrator can disable the creation of public links for that content. If the administrator is extremely protective over any specific file or folder, they can disable link creation altogether.
- Link Notifications - Users and administrators can choose to be notified when and where a link is accessed. This way they have complete visibility into who is seeing the links that are being shared.
- Default Link Types - If your business wants all links to be password protected or have an expiration date, the administrator can create a default link setting as the standard for all users.
That being said, there are still a few ways that users can make using public links unsafe and put your business at risk. Here are a few things we recommend that users should not do when utilizing public links for collaboration:
- Do not use public links for files with sensitive information (SSNs, credit cards, PII, etc.)
- Do not share public links via websites, message boards, social media, etc. unless intended or approved to do so
- Do not share public links via third party applications that have access to your data
We pride ourselves on working with our customers to understand their use cases and provide the proper guidance for utilizing links when collaborating. We understand that not all content is created equal and that every scenario can present a different challenge. If there is something we didn’t cover here regarding the use of links or you have any questions about secure collaboration, please feel free to contact our customer success team at csmteam@egnyte.com. You can also visit the Egnyte Community for more information.