[Invalid] A Very Serious Security and Privacy Bug in Zotero?
Just by accident, I found that anyone can download a private personal file without login credentials. For example, please try the following link; it is a sample file I uploaded to the Zotero server under my account:
https://files.zotero.net/11350724611/pdf.pdf
I have double-checked my privacy settings, and I am sure I have not checked "Publish entire library".
So in this case, by brute-force attack, trying different IDs and file names, all the files on the Zotero server are open to the public...
I hope this is not true ...
(Please don't post the same message multiple times in different places. It is very confusing.)
But if you repeat this procedure, you will find you can download the file without logging in:
1. Open an attached file from your online library in your browser and copy the link;
2. Log out of your account (or you can even change browsers, for example to IE, which I rarely use).
3. Paste the link and the file will be downloaded.
But after some time, the same link will return 404. I don't know the mechanism, but every time I do the above steps, I can download the file without logging in.
http://oi63.tinypic.com/2e0s8ye.jpg
The above screenshot shows I am logged out and have pasted in the link. After pressing Enter, the file is downloaded:
http://oi63.tinypic.com/2eznvcj.jpg
I will keep looking for the reason for this.
For example, for the same file stored in the online library, when I first open it in the browser, the link will be:
https://files.zotero.net/7435981033/pdf.pdf
Then I go back to the library and browse some other file. When I later come back to the same file, the link will have changed to (after ~1 min):
https://files.zotero.net/10820015236/pdf.pdf
And after I go to some other file and come back later again and again, the same file will have different addresses such as:
https://files.zotero.net/8706892233/pdf.pdf
and
https://files.zotero.net/12344122204/pdf.pdf
If one has the link within the 1-minute time interval, the file can be downloaded without login credentials. But since the link is dynamic, I think it is not as serious a security bug as I expected at first.
The files.zotero.net links are unauthenticated, but the path is randomly generated, and the links expire after 2 minutes.
The link is generated only from an authenticated session on www.zotero.org after checking permissions.
Since all access is via HTTPS, someone sniffing the connection would not be able to see the URLs being accessed.
So unless you share a files.zotero.net URL with someone, and unless they access it within two minutes, there's no way for people to access your private files.
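The pattern described in this thread (the poster's repeat-the-steps procedure and the changing addresses, and the reply's explanation of unauthenticated but random, short-lived paths minted only from an authenticated session) is a capability URL. The following Python is an added illustration of that pattern, not Zotero's code; the function names, the in-memory stores, the sample file, the 128-bit token size and the 2-minute TTL are all assumptions made for the example.

```python
"""Short-lived, unguessable download links (capability URLs).

Added illustration, not Zotero's code. Assumed for the example: the
function names, the in-memory tables, the sample file data, 128-bit
tokens, and a 120-second TTL (the reply above says "2 minutes").
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TTL_SECONDS = 120  # assumption: links expire two minutes after being minted

# Constructed sample data standing in for a user's library.
FILES = {"F1": b"%PDF-1.4 sample contents"}
OWNERS = {"F1": "alice"}


@dataclass
class Grant:
    file_id: str
    expires_at: float


# Random path token -> grant. This is the only state the file host needs.
_links: Dict[str, Grant] = {}


def issue_link(session_user: Optional[str], file_id: str,
               now: Optional[float] = None) -> str:
    """Web-app side: needs an authenticated session and a permission check,
    then mints a fresh random path. Each call produces a new token, which is
    why the same file shows a different address every time it is opened."""
    if session_user is None:
        raise PermissionError("login required to mint a download link")
    if OWNERS.get(file_id) != session_user:
        raise PermissionError("session user may not read this file")
    token = secrets.token_urlsafe(16)  # 128 bits of CSPRNG output
    now = time.time() if now is None else now
    _links[token] = Grant(file_id, now + TTL_SECONDS)
    return f"/{token}/pdf.pdf"


def fetch(path: str, now: Optional[float] = None) -> Tuple[int, bytes]:
    """File-host side: no login at all. Returns (status, body).

    A path that was never issued and a path that has expired both answer
    404, so a probing client cannot distinguish "wrong guess" from
    "too late", and expired entries are dropped on first touch."""
    now = time.time() if now is None else now
    token = path.strip("/").split("/")[0]
    grant = _links.get(token)
    if grant is None or now > grant.expires_at:
        _links.pop(token, None)
        return 404, b""
    return 200, FILES[grant.file_id]


def brute_force_coverage(bits: int = 128, ttl: float = TTL_SECONDS,
                         requests_per_second: float = 1e6) -> float:
    """Fraction of the token space an attacker can probe before one link
    expires. With random 128-bit tokens this is negligible, which is what
    makes the unauthenticated host safe despite the poster's worry."""
    return ttl * requests_per_second / float(2 ** bits)
```

`brute_force_coverage` is the check to run when evaluating a design like this: the security of the scheme rests entirely on the token's entropy and the TTL, not on the host requiring a login, so shrinking either (short numeric IDs, long expiry) is what would turn the poster's brute-force concern into a real one. Plug in a different `bits` value to see how quickly the fraction grows.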