iCloud allows access to files via direct link without authentication!
I was testing sharing files from iCloud when I accidentally stumbled onto this bug.
Steps to Repro:
- In Firefox preferences, set the "Portable Document Format" download action to always ask.
- Log into iCloud.com and tap on a PDF file's name (blue URL) to download it but, instead of saving it, select "Open with other.." and choose Firefox.app in the app list.
- The file will display right in the browser as expected. Now, copy the link in the address bar:
  https://cvws.icloud-content.com/B/[loooong_string]
  and take that link to a different browser altogether with no iCloud login.
The file is still openly accessible. To anyone with that link!
Yes, granted, it's not the type of link that is easily guessed, but the file was NOT intentionally shared or made available via a link, and NO authentication was needed to access it.
Is this behavior by design? Gaining access to this link appears to pose a huge security risk, doesn't it?
I filed a bug report.
Them:
Can you please set up such a file (not shared) and then send us the link so that we can confirm we are able to access it despite your intent not to share?
Thanks,
Me: Here's the link.
Me, later: The link shows "gone" after some time. Here's another.
Them:
This is by design. The link URL will expire.
Thank you for your feedback.
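The behavior in this exchange (a download URL that works without a login until it expires) matches a time-limited bearer URL. The sketch below is an added example, not Apple's implementation and not part of the original post: the HMAC scheme, the host, the query parameter names and the mapping of "gone" to HTTP 410 are all assumptions. It also shows the stricter variant, where the link is bound to the signed-in user.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-key"          # server-side signing key (constructed)
HOST = "https://content.example.invalid"  # placeholder host, not Apple's


def _sign(file_id, expires, user):
    # The signature covers the file, the expiry and (optionally) the owner.
    msg = f"{file_id}|{expires}|{user}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(file_id, now, ttl=600, bind_user=""):
    """Mint a download URL. With bind_user empty, the URL alone is the credential."""
    expires = now + ttl
    sig = _sign(file_id, expires, bind_user)
    return f"{HOST}/B/{file_id}?e={expires}&b={int(bool(bind_user))}&s={sig}"


def fetch(url, now, session_user=""):
    """Return the HTTP status the content host would answer with."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    file_id = parsed.path.rsplit("/", 1)[-1]
    try:
        expires, bound, sig = int(q["e"][0]), q["b"][0] == "1", q["s"][0]
    except (KeyError, ValueError):
        return 400
    # A bound link is checked against the caller's session; an unbound one ignores it.
    user = session_user if bound else ""
    if not hmac.compare_digest(sig, _sign(file_id, expires, user)):
        return 403
    if now >= expires:
        return 410  # the post's "gone", modelled here as 410 (assumption)
    return 200
```

With an unbound link, the only controls are the unguessable signature and the expiry window, so anything that records full URLs (browser history, proxy logs) holds a working credential until the link expires.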