Written by:
Antonio Chagoury
Monday, January 29, 2007
Do you own a CentralDesktop Workspace account?
If you do, then you should seriously reconsider your options!
If you do not, then read on and judge for yourself whether or not you should become their customer.
I was in the midst of evaluating CentralDesktop's document library when I stumbled upon the fact that any document I upload on that library is accessible by anyone. And by "anyone", I mean just that. You do not have to be authenticated to see this file, do ya? No kidding, the file you just saw is on my Company's Document Library on CentralDesktop (here is the actual url: http://www.centraldesktop.com/home/viewfile?guid=C0152ACE3BC744037F563F71D50E72F0&id=115259)
This is serious and potentially damaging stuff going on here, I mean, what if I had customer credit card numbers in that document? What if I had my employees' Social Security numbers... geez... this is absolutely nuts! There are a lot of businesses out there actually using this application without any knowledge of this issue. Or is this a feature?
Hmmm, let's examine this. I signed up for an account and went on to create a Project Workspace. The screen shot below indicates clearly (it is even highlighted, for heaven's sake) that this workspace is protected and accessible by invitation only.

However, the opposite is true. I proceeded to upload a document (sure, grab all the credit card numbers while you are at it) only to find out that it is not password protected nor accessible by invitation only.

One thing is for sure, bug or feature, this is clearly not the tool I rely on for my business. You, on the other hand can draw your own conclusions.
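
An added example, not CentralDesktop's code: a minimal access decision in which the link-sharing default follows the workspace's privacy choice, so a file in an invitation-only workspace is not served to an unauthenticated request until the owner opts in. The `Workspace`, `StoredFile` and `can_view` names, the `public_file_access` field and the token scheme are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workspace:
    name: str
    private: bool                      # "accessible by invitation only"
    members: set = field(default_factory=set)
    # Hypothetical setting modelled on a "Public File Access" toggle.
    # None means the owner never chose, so the default is derived from `private`.
    public_file_access: Optional[bool] = None

    def link_sharing_enabled(self) -> bool:
        if self.public_file_access is not None:
            return self.public_file_access   # explicit owner decision wins
        return not self.private              # private workspace => links off


@dataclass
class StoredFile:
    workspace: Workspace
    file_id: int
    # Unguessable per-file token (constructed here; stands in for a link id).
    link_token: str = field(default_factory=lambda: secrets.token_hex(16))


def can_view(f: StoredFile, user: Optional[str], token: Optional[str]) -> bool:
    """Decide whether a request for a file may be served."""
    # Authenticated workspace members always pass.
    if user is not None and user in f.workspace.members:
        return True
    # Everyone else needs link sharing switched on AND the correct token.
    if not f.workspace.link_sharing_enabled() or token is None:
        return False
    return hmac.compare_digest(token, f.link_token)


if __name__ == "__main__":
    ws = Workspace("Project", private=True, members={"owner"})
    doc = StoredFile(ws, file_id=1)
    print("anonymous + link, default:", can_view(doc, None, doc.link_token))
    ws.public_file_access = True       # owner explicitly opts in
    print("anonymous + link, opt-in: ", can_view(doc, None, doc.link_token))
```

An unguessable token limits who can find the link; it does not identify who is using it, which is why the decision to honour it is tied to an explicit owner setting here.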
6 comments so far...
Re: CentralDesktop: Security Bug or Feature?
Wow... that is amazing! -- Great catch!
By Anonymous on
Tuesday, January 30, 2007
|
Re: CentralDesktop: Security Bug or Feature?
Okay, let's get our facts straight here......
This is not a bug. This is a FEATURE.
It's called "Public File Access" and it can be turned off or on depending on the Workspace Owner's preference.
It's the ability to "Send a Link" to a file to someone else instead of emailing the entire document. You can turn off "Public File Access" under the Settings section of each Workspace.
If you notice the context of the URL it is an encrypted ID and the recipient of the link is ONLY able to access the individual file/document - nothing else.
If anyone has concerns about this or any other feature in Central Desktop feel free to contact us: support[at]centraldesktop-inc.com or you can email or contact me directly at: isaac[at]centraldesktop-inc.com
BTW, we have several banks using Central Desktop, including many of the top banks and financial institutions in the world. I'm not at will to publish their names in a public forum but am willing to talk to anyone and tell you who they are.
Isaac Garcia CEO Central Desktop http://www.centraldesktop.com isaac[at]centraldesktop-inc.com (626) 593-7007
By Isaac Garcia on
Friday, March 02, 2007
|
Re: CentralDesktop: Security Bug or Feature?
I just want to get our disclosures clear and out in the open here for everyone's knowledge:
Antonio Chagoury is the CTO of SMBLive, a competitor to Central Desktop.
You can read his profile here: http://www.cto20.com/Default.aspx?tabid=668
I wonder if there were 'other' motives in over-reacting to a feature in Central Desktop and posting it as a 'bug' on a public forum?
You decide.
By Isaac Garcia on
Friday, March 02, 2007
|
Re: CentralDesktop: Security Bug or Feature?
I have over 60 active workspaces and have used the "turn off public file access" with no issues. I think this is simply a user familiarity issue.
By Doug on
Friday, March 02, 2007
|
Re: CentralDesktop: Security Bug or Feature?
Isaac,
Thank you for your comments.
True, I am the CTO of SMBLive, but we are not your competitor. We have a slightly different business model. Anyway, maybe a topic for another blog.
Back to the security issue, my questions to you are:
1. Why is the "Public File Access" not turned off by default? If you look at the first screen shot in my post, I clearly select the "PRIVATE workspace". So, why are my files defaulted to PUBLIC? You can challenge my "motivations" behind this post, but I seriously doubt that you can challenge that.
2. Why is the "Public File Access" feature not more intuitive? This is security we are talking about here... so before giving public access to my "stuff" you could at least inform me that this stuff will be publicly available! After all, I DID SELECT "PRIVATE WORKSPACE".
Isaac, what am I getting wrong here?
Now, I can see your "motivation" for arguing this, but don't do so by telling me about your URL parameters!
I look forward to this conversation ;)
By Antonio Chagoury on
Friday, March 02, 2007
|
Re: CentralDesktop: Security Bug or Feature?
The information and the files are not publicly available - unless you send the encrypted URL to someone.
The feature can be enabled or disabled under Workspace Settings.
Isaac
By Isaac Garcia on
Friday, March 02, 2007
|