[Invalid] A Very Serious Security and Privacy Bug of Zotero?

shermanfang

Just by accident, I find that anyone can download a private personal file without the login credentials. For example, please try the following link, it is a sample file I uploaded into Zotero server under my account:

https://files.zotero.net/11350724611/pdf.pdf

I have double checked my privacy setting, and I am sure I have not check the "Publish entire library".

So in this case, by brute force attack and try different ID and file name, all the files on the Zotero server is open to the public......

I hope this is not true ...

bwiernik

That is not correct. Those links only work when logged in to an account with access to the file.

(Please don't post the same message multiple times in different places. It is very confusing.)

shermanfang

As you said, the link return 404 later.

But if you repeat this procedure, you will found you can download the file without login:

1. open a attached file from your online libary in your browser and copy the link;
2. log off your account (or you can even change a browser, for example, IE which I rarely use).
3. Paste the link and the file will be downloaded.

But after sometime, the same link will return 404. I don't know the mechanism, but I every time I do the above steps, I can download file without login.

shermanfang

Check the screen shoot:

http://oi63.tinypic.com/2e0s8ye.jpg

the above screen shoot shows I am logged out and paste in the link. After press enter, file is downloaded:

http://oi63.tinypic.com/2eznvcj.jpg

fbennett

I tried the steps you listed, and I consistently get a 404 on that file. If you originally had access to it before logging out, your browser may have a cached copy; but I don't see any evidence that there is a security hole in the Zotero service that allows third-party access to content without authentication.

shermanfang

Thanks for fbennett's information. As you suggested, I clear all my chrome cache, and use "disable cache" mode in development mode. I still can repeat my result.

I will keep on finding the reason of this case.

shermanfang

I think I had find the reason, the Zotero seems to use a dynamic address for the file.

For example, for the same file stored in the online library, when I first open it in browser, the link will be:

https://files.zotero.net/7435981033/pdf.pdf

Then I go back to library and browse some other file. When I later come back to the same file, the link will change to (after ~ 1 min):

https://files.zotero.net/10820015236/pdf.pdf

And after I goto some other file and come back later again and again, the same file will have different address such as:

https://files.zotero.net/8706892233/pdf.pdf

and

https://files.zotero.net/12344122204/pdf.pdf

If one have the link within the 1 min time interval, it can be downloaded without the login credentials. But since the link is dynamic, I think it will not be a serious security bug as I expected at first.

dstillman

Yes, this is by design, and not a security bug.

The files.zotero.net links are unauthenticated, but the path is randomly generated, and the links expire after 2 minutes.

The link is generated only from an authenticated session on www.zotero.org after checking permissions.

Since all access is via HTTPS, someone sniffing the connection would not be able to see the URLs being accessed.

So unless you share a files.zotero.net URL with someone, and unless they access it within two minutes, there's no way for people to access your private files.