Users of popular file sharing sites could be handing over their details to “researchers” hired by Big Content to find out the names and addresses of file sharers.
Insecurity experts have found weaknesses in P2P sites that allow hackers to gain unauthorized access to data.
Named and shamed in the report are RapidShare, FileFactory, and Easyshare, whose services can be used by music and film sharers to move their files around networks of sharers.
But according to Nick Nikiforakis, Steven Van Acker and Wouter Joosen of the Katholieke Universiteit of Leuven in Belgium, and Marco Balduzzi and Davide Balzarotti of the Institute Eurecom in France, a “significant percentage” of the 100 file hosting services are a doddle to hack.
All you have to do is guess the URLs that are bound to each uploaded file, and it seems that such attacks are happening.
The sites use a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URLs.
While the sites claim these URLs are secret and cannot be guessed, the study proves that this is not the case.
By training web crawlers on the file services it was possible to uncover hundreds of thousands of private files in a month.
The researchers set up 80 honey files and found that they had been accessed 275 times, indicating that the weakness is already being exploited in the wild to harvest data.
The most effective way of stopping the attacks is the use of encryption on the user’s computer. The researchers have worked out a proof-of-concept Firefox add-on that automatically encrypts and decrypts files upon upload and download and then hides the encrypted files.