[Invalid] A Very Serious Security and Privacy Bug of Zotero?

Just by accident, I found that anyone can download a private personal file without the login credentials. For example, please try the following link; it is a sample file I uploaded to the Zotero server under my account:

https://files.zotero.net/11350724611/pdf.pdf

I have double-checked my privacy settings, and I am sure I have not checked "Publish entire library".

So in this case, by brute force attack, trying different IDs and file names, all the files on the Zotero server are open to the public......

I hope this is not true ...
  • edited April 2, 2016
    That is not correct. Those links only work when logged in to an account with access to the file.

    (Please don't post the same message multiple times in different places. It is very confusing.)
  • As you said, the link returns 404 later.

    But if you repeat this procedure, you will find you can download the file without logging in:

    1. open an attached file from your online library in your browser and copy the link;
    2. log off your account (or you can even change browsers, for example to IE, which I rarely use);
    3. paste the link and the file will be downloaded.

    But after some time, the same link will return 404. I don't know the mechanism, but every time I do the above steps, I can download the file without logging in.
  • edited April 2, 2016
    Check the screenshot:

    http://oi63.tinypic.com/2e0s8ye.jpg

    The above screenshot shows I am logged out and have pasted in the link. After pressing enter, the file is downloaded:

    http://oi63.tinypic.com/2eznvcj.jpg
  • edited April 2, 2016
    I tried the steps you listed, and I consistently get a 404 on that file. If you originally had access to it before logging out, your browser may have a cached copy; but I don't see any evidence that there is a security hole in the Zotero service that allows third-party access to content without authentication.
  • Thanks for fbennett's information. As you suggested, I cleared all my Chrome cache and used "disable cache" mode in developer mode. I can still repeat my result.

    I will keep looking for the reason for this.
  • I think I have found the reason: Zotero seems to use a dynamic address for the file.

    For example, for the same file stored in the online library, when I first open it in the browser, the link will be:

    https://files.zotero.net/7435981033/pdf.pdf

    Then I go back to the library and browse some other file. When I later come back to the same file, the link will have changed to (after ~1 min):

    https://files.zotero.net/10820015236/pdf.pdf

    And after I go to some other file and come back later, again and again, the same file will have different addresses such as:

    https://files.zotero.net/8706892233/pdf.pdf

    and

    https://files.zotero.net/12344122204/pdf.pdf

    If one has the link within the 1 min time interval, it can be downloaded without the login credentials. But since the link is dynamic, I think it is not as serious a security bug as I expected at first.
  • Yes, this is by design, and not a security bug.

    The files.zotero.net links are unauthenticated, but the path is randomly generated, and the links expire after 2 minutes.

    The link is generated only from an authenticated session on www.zotero.org after checking permissions.

    Since all access is via HTTPS, someone sniffing the connection would not be able to see the URLs being accessed.

    So unless you share a files.zotero.net URL with someone, and unless they access it within two minutes, there's no way for people to access your private files.
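Added example (not Zotero's code): a minimal in-memory model of the design the last reply describes, an unguessable, expiring download path that is issued only after a permission check on the authenticated side and is then served without authentication until it expires, after which the same URL returns 404. The ACL, file names, host and random-token format are constructed assumptions; the thread's own URLs use numeric path segments.

```python
import secrets
import time

# Constructed model of the design described in the thread.
LINK_TTL_SECONDS = 120          # the thread says links expire after 2 minutes

# Hypothetical access-control list: user -> files they may read (constructed).
ACL = {"alice": {"pdf.pdf"}, "bob": set()}

# token -> (filename, expiry timestamp); lives on the unauthenticated file host.
_links = {}


def issue_link(user, filename, now=None):
    """Called only from an authenticated session; returns a capability URL
    or None if the user may not read the file. The permission check happens
    here, at issuance, not on the file host."""
    if filename not in ACL.get(user, set()):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)   # assumption: 128-bit random path segment
    _links[token] = (filename, now + LINK_TTL_SECONDS)
    return f"https://files.example.invalid/{token}/{filename}"


def serve(url, now=None):
    """Unauthenticated file host: no session is consulted. Possession of a
    valid, unexpired token is the only thing that grants the download."""
    now = time.time() if now is None else now
    _, token, filename = url.rsplit("/", 2)
    entry = _links.get(token)
    if entry is None or entry[0] != filename:
        return 404                      # unknown or mismatched path
    _, expires_at = entry
    if now >= expires_at:
        del _links[token]               # expired: later fetches of this URL 404
        return 404
    return 200


if __name__ == "__main__":
    url = issue_link("alice", "pdf.pdf", now=1000.0)
    print(url, serve(url, now=1030.0), serve(url, now=1200.0))
```

The test below drives the clock explicitly so the 2-minute expiry is checked without sleeping.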