Jack Rhysider
Podcast Appearances
Yeah. But it's a backdoor in a way that I never thought it would be a backdoor, right?
Nope, just a share link. Oh, yeah. It gives you a totally different perspective of what a backdoor even is.
I'm just sitting here thinking about this, letting it sink in. A backdoor is built into all the file-sharing sites like Box.com, Google Drive, iCloud, Proton Drive, Dropbox, whatever. Because if there exists a shared folder link, anyone with that link can see into that folder. It's a feature of the site itself. You can't take that away or it ruins the point of the site.
And what you think is yours and private really isn't if there are public links to it. When you make something shareable and you say, only people with this link can see this file, it feels like this is still private, but it's not. It's security through obscurity. Your link is hidden, but not secure. And if that link gets out, it's viewable by anyone without a username or password.
And I've been doing cybersecurity for decades and nobody is talking about auditing Dropbox links to make sure only the stuff that should be public is public. Because every file and folder may have that option and going through them all is simply unreasonable to do by hand.
And when you're moving at the speed of business, nobody's going back to clean up or check what folders have sharing links or what don't. I say it's best to treat everything on your cloud storage as if it is publicly accessible and only temporarily put things up there if you want to share it with someone privately and then remove it as soon as they get it.
I also want to draw your attention to websites like urlscan.io. This is a site that is attempting to look at URLs to see if they're safe or malicious. But users can go there and search the site to see what URLs are in the database. And sometimes you can find URLs that probably shouldn't be public, but they are.
Imagine if you take a photo of your kid and it's on Google Drive, but then you want to create a link to show it to grandma. And you specifically say, only people with this link can see this photo. And you email the link to grandma. Well, then grandma has some browser plugin that examines all the links to make sure they're safe to click.
So when this link gets examined somewhere, bingo, bango, suddenly that link to your kid's birthday party is now floating around on the internet in all kinds of databases, being clicked on by who knows who. urlscan.io collects links like that. Hybrid Analysis is another tool. Cloudflare Radar URL Scanner is another. Not to mention, DNS providers all over the world are logging things too.
It's not just Google Drive and Dropbox. There are tons of other online storage websites that you could look for. iCloud, Box.com, Sync, Egnyte, IONOS HiDrive, AWS S3 buckets, Proton Drive, and so many more. The list goes on and on. So the data is available. It's just a matter of sifting through it to find something juicy.
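The audit that the transcript says nobody does by hand can at least be started by machine. The script below is an added example written for this page, not code from the podcast or from any of the providers named; it scans free-form text (an outbound-mail log, a chat export, a ticket dump) for URLs that have the shape of an "anyone with the link" share link, so the owners can be asked to confirm the link is meant to be public or revoke it in the provider's sharing settings. The sample log lines are constructed, and the per-provider URL patterns are my assumptions about common link formats (Dropbox `/s/`, `/sh/`, `/scl/fi/`, `/scl/fo/`; Google Drive `/file/d/`, `/document/d/`, `/drive/folders/`; Box `/s/`; OneDrive `1drv.ms`), not an official list from any vendor. A match is a candidate for review, not proof that the target is world-readable, and links hidden behind shorteners or redirectors will not be caught.

```python
"""Find candidate "anyone with the link" share URLs in free-form text.

Hypothetical audit helper (added example, not the podcast's or any vendor's code).
The URL shapes below are assumptions about each provider's link format and
should be adjusted if a provider changes its scheme.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

# Characters that terminate a URL when it is embedded in prose or a quoted field.
_URL_TAIL = r"[^\s\"'<>)]+"

# Assumed share-link shapes per provider (assumption, not a vendor-published list).
SHARE_LINK_PATTERNS: dict[str, re.Pattern[str]] = {
    "dropbox": re.compile(
        r"https?://(?:www\.)?dropbox\.com/(?:s|sh|scl/fi|scl/fo)/" + _URL_TAIL
    ),
    "google_drive": re.compile(
        r"https?://(?:drive|docs)\.google\.com/(?:[a-z]+/d/|drive/folders/)" + _URL_TAIL
    ),
    "box": re.compile(r"https?://(?:[a-z0-9-]+\.)?box\.com/s/" + _URL_TAIL),
    "onedrive": re.compile(r"https?://(?:1drv\.ms|onedrive\.live\.com)/" + _URL_TAIL),
}

# Constructed sample: lines as they might appear in a mail-gateway log, a chat
# export and a ticketing system. IDs marked EXAMPLE are placeholders, not real links.
SAMPLE_LINES = [
    '2024-05-03T09:12:44Z mail out from=alice@example.test to=grandma@example.test '
    'body="photos here https://drive.google.com/file/d/EXAMPLE1abc/view?usp=sharing"',
    '2024-05-03T09:15:02Z chat #sales "Q2 deck: '
    'https://www.dropbox.com/scl/fo/EXAMPLEfolder/h?rlkey=EXAMPLEkey&dl=0"',
    '2024-05-03T09:16:30Z mail out from=bob@example.test '
    'body="https://www.example.test/internal/report.pdf"',
    '2024-05-03T09:20:11Z ticket 4412 "see https://app.box.com/s/EXAMPLEboxid '
    'and https://1drv.ms/u/s!EXAMPLEonedrive"',
    '2024-05-04T11:02:09Z mail out from=alice@example.test to=uncle@example.test '
    'body="same album https://drive.google.com/file/d/EXAMPLE1abc/view?usp=sharing"',
]


def find_share_links(lines: Iterable[str]) -> list[dict]:
    """Return one hit per (line, provider, url) so each occurrence can be traced back."""
    hits: list[dict] = []
    for lineno, line in enumerate(lines, start=1):
        for provider, pattern in SHARE_LINK_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append({"line": lineno, "provider": provider, "url": match.group(0)})
    return hits


def unique_urls(hits: list[dict]) -> list[str]:
    """Collapse repeated occurrences: the review queue needs each link once."""
    return sorted({hit["url"] for hit in hits})


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count hits per provider, useful for deciding which admin console to open first."""
    return dict(Counter(hit["provider"] for hit in hits))


if __name__ == "__main__":
    found = find_share_links(SAMPLE_LINES)
    for hit in found:
        print(f"line {hit['line']:>3}  {hit['provider']:<13} {hit['url']}")
    print("unique links to review:", len(unique_urls(found)))
    print("per provider:", summarize(found))
```

Run it over a real export by replacing `SAMPLE_LINES` with `open(path)`; the output is a review queue, and the actual check (is this link really set to "anyone with the link", and should it be?) still happens in each provider's sharing settings.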