DistriNet researchers demonstrate privacy gaps in file hosting services

Written by IBBT on Wednesday 11 May 2011

File hosting services (FHS), like RapidShare and EasyShare, are used by thousands of people every day. They allow users to store files and share them with a limited group of people. Every file gets a unique identifier assigned by the FHS, and the user receives it as a secret URI (Uniform Resource Identifier). This URI can then be used to share the file with others.

Researchers of the DistriNet research group have now discovered gaps in this system.

DistriNet is part of the Security department of IBBT, which conducts research to secure ICT systems and applications in Flanders. In cooperation with the Institut Eurecom, they demonstrated that FHSs are not as safe as thought: they often generate very predictable URIs, so unauthorized third parties can gain access to the files.

The researchers wrote a paper on their findings. In it, they present their study of 100 file hosting services and demonstrate that the URIs these services hand out are predictable and therefore unsafe. Files are often assigned ordinary sequential identifiers, and even the randomly generated identifiers were often too weak.
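To make the difference concrete for someone running or auditing such a service, the following added example (not code from the paper or from any FHS) contrasts a sequential identifier scheme with identifiers drawn from a cryptographic random source, and includes a simple audit check for closely spaced numeric identifiers. All function names, the gap threshold and the sample figures are assumptions chosen for illustration.

```python
import secrets

def sequential_ids(start, count):
    """Weak scheme described above: each upload gets the next integer."""
    return [str(start + i) for i in range(count)]

def secure_id(nbytes=16):
    """Hardened scheme: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)

def looks_sequential(ids, max_gap=16):
    """Audit check over issued IDs: True if they are all numeric and
    closely spaced, so one known ID reveals its neighbours."""
    if len(ids) < 2 or not all(i.isascii() and i.isdigit() for i in ids):
        return False
    nums = sorted(int(i) for i in ids)
    return all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))

def expected_guesses(id_bits, live_files):
    """Average number of uniformly random guesses before one matches
    any live file, for an identifier space of 2**id_bits values."""
    return 2 ** id_bits / live_files

if __name__ == "__main__":
    # Constructed sample data: five IDs from each scheme.
    weak = sequential_ids(482913, 5)
    strong = [secure_id() for _ in range(5)]
    print("sequential:", weak, "->", looks_sequential(weak))
    print("random    :", strong, "->", looks_sequential(strong))
    # Constructed assumption: a service holding 2**20 (about a million) files.
    for bits in (32, 64, 128):
        print(f"{bits:3d}-bit IDs: ~{expected_guesses(bits, 2**20):.3g} guesses per hit")
```

With a 32-bit random identifier and about a million stored files, a valid file is found after a few thousand guesses on average, which is why short random identifiers are "too weak" even though they are not sequential.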

Using 'honeyfiles' (files that appear to contain interesting information), they prove that malicious people are already aware of these privacy gaps and take advantage of them.

The researchers also suggested SecureFS: a protection mechanism that allows users of unsafe FHSs to protect their files, even if those files are already in the possession of 'attackers'. The researchers published their results as part of the '4th USENIX Workshop on Large-Scale Exploits and Emergent Threats'.


The research was funded by the Belgian Government, IBBT, the KU Leuven and the European Union.

 

More information about the IBBT Security Department.
