![]() So basically the biggest improvement that people outside Infinity can no longer open files to Infinity just because they have a link. I have sent you two links via FB messenger so you can verify it yourself - I don’t want to post them here. Hi Microsoft Community Members, There are many attachments sent through my email in the past several years. I can access pdfs and pngs in my private Infinity board without any protection or without the need to login from a private browser window and also from another browser. When clicking on a link to an image, you can no longer see it - you should get an error if you follow a certain link to an image stored in Infinity. So anyone can run a script and let it guess filenames and download all thumbnails and previews. Hi sure how we could limit the thumbnails and previews since those are intended to be visible by your whole team - and for the people you share the board with.Ĭurrently the thumbnails are visible to the whole world! There is no protection because the AWS S3 bucket used by Infinity is completely visible to anyone. I hope fixing this issue is the highest priority at the moment. I really need a statement from the Infinity regarding this issue. I think the Infinity team must inform every user that there was a chance someone already has accessed all files. This change should be possible in less then a week. Every file link has to point to this proxy file instead directly to AWS S3 -> Ģ.) All S3 storage on AWS must be set to private - no external access allowedģ.) Only the proxy code should know the credentials to access the S3 storageĤ.) When some requests a file from the proxy it has to check if the user is logged in and has the needed right to access these files (no possibility to access other users files) and then it could deliver/stream the requested file back to the user. How to fix this? (I hope I can give some advice - I just want to help)ġ.) The infinity team has to code some kind of proxy file for their server. And the Infinity team wouldn’t have any chance to detect or stop this (because these requests and the traffic are completely handled by Amazon beside any checks from the infinity servers). ![]() It was working a week ago and no changes to server have made since then. ![]() It would be ideal if you could download all files per item at the same time. If I refresh the dialogue, the Download All button appears for a second and then disappears. Hello, it is great if you can use a formula to upload e.g. Only the Save to Storage button is visible. AWS doesn’t charge for traffic which occurs in the same datacenter so this attack is very cheap. Hi there, When clicking on Attachments in webmail, the Attachments dialogue is missing Download All button. Because the attacker would be located in the same datacenter this attack would run at an incredible speed. So what could happen here is: an attacker could spawn a few hundred AWS Lambda instances in the same AWS datacenter and brute force every combination for files to get all files from every Infinity user. The link shows a few important facts for an attacker:Ģ.) (as it looks to me) a unique user or workspace number (micck called this the digit-code)ģ.) Also the letter code seems to have a fixed length or at least a length range
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |