Earlier this month we were alerted to and identified a potential security issue with how we store files that clients upload to the system, as well as files we generate for clients to download. Once this issue was identified we immediately started applying measures across the system to address it.
What was the issue?
In extremely unlikely cases it would have been possible to guess the filename of a stored file and access it. The odds of this were extremely low, but we didn't let that stop us from rushing out a fix to remedy this.
How are we fixing this?
This fix is twofold:
All files uploaded by customers now have a randomized filename, which makes them practically impossible to guess
All files in the system require authorization to view, and the links expire in less than 5 minutes
This deals with the problem on two levels:
It is extremely difficult to guess the filenames
Even if you were somehow able to guess the correct filename, you still would not be able to access it without the link carrying a valid signature.
A bit of technical background: we use Amazon's S3 service for handling all these files. It already has an awesome, industry-tested system for this. The signatures are tamper proof: you can't use a signature from one link with another, it looks like gibberish, and it changes based on just about anything to do with the link, including the URL and the expiry time.
This protects files twice over, since even a correct guess still requires authentication to access.
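To make the two layers concrete, here is an added illustration (not our production code) of both measures using only the Python standard library: a random object key replacing the customer's filename, and a hand-built AWS Signature Version 4 query-string signature of the kind S3 checks on a pre-signed GET link. The bucket, region, credentials and timestamp are constructed demo values.

```python
# Added example, not the company's code: random object keys plus a SigV4
# query-string-signed S3 GET URL, built with the standard library only.
import hashlib
import hmac
import secrets
import urllib.parse
from datetime import datetime, timezone

# Constructed demo values; real credentials come from the environment, never source.
DEMO_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
DEMO_SECRET_KEY = "example-secret-not-real"
DEMO_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
MAX_EXPIRES = 300  # the "less than 5 minutes" budget, in seconds


def random_object_key(prefix="uploads/", ext=".pdf"):
    """Replace the client's filename with 192 bits of CSPRNG entropy."""
    return f"{prefix}{secrets.token_urlsafe(24)}{ext}"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presigned_get_url(bucket, key, region, access_key, secret_key,
                      now=DEMO_TIME, expires=MAX_EXPIRES):
    """Return a SigV4 pre-signed GET URL; expiry is capped at MAX_EXPIRES."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expiry must be 1..300 seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    q = urllib.parse.quote
    params = sorted({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }.items())
    # Method, object path, every query parameter (including the expiry) and the
    # host all feed the hash, so altering any of them invalidates the signature.
    query = "&".join(f"{q(k, safe='-_.~')}={q(v, safe='-_.~')}" for k, v in params)
    uri = "/" + q(key, safe="/-_.~")
    canonical = "\n".join(["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), date)  # derive the per-day signing key
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def signature_of(url):
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["X-Amz-Signature"][0]
```

Changing the object key or the expiry yields a different signature, and requests made after X-Amz-Expires seconds past X-Amz-Date are rejected by S3 regardless of the signature.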
How are we preventing this from happening again?
We have revised our policies regarding how we store client-uploaded files and files we generate for clients, so that randomization and these protections are enforced by default.
All these changes have already been applied across all parts of our system, and no potentially vulnerable files remain.