iCloud allows access to files via direct link without authentication!

I was testing sharing files from iCloud when I accidentally stumbled onto this bug.

Steps to Repro:

  • In Firefox preferences, set "Portable Document Format" download action to always ask.


  • Log into iCloud.com and tap on a PDF file's name (blue URL) to download it, but instead of saving it, select "Open with other..." and choose Firefox.app in the app list.

  • The file will display right in the browser as expected. Now, copy the link in the address bar: https://cvws.icloud-content.com/B/[loooong_string] and take that link to a different browser altogether with no iCloud login.

The file is still openly accessible. To anyone with that link!

Yes, granted, it's not the type of link to be easily guessed, but the file was NOT intentionally shared or made available via a link and NO authentication was needed to access it.

Is this behavior by design? Gaining access to this link appears to pose a huge security risk, doesn't it?


I filed a bug report.

Them:

Can you please set up such a file (not shared) and then send us the link so that we can confirm we are able to access it despite your intent not to share?

Thanks,

Me: Here's the link.

Me, later: The link shows "gone" after some time. Here's another.

Them:

This is by design. The link URL will expire.

Thank you for your feedback.