Exchanging Files Safely with File Sharing Services

Safe DepositBack in December 2010. During the OWASP Benelux Day, Nick Nikiforakis presented an ongoing study about the privacy of file sharing services. Big players are services like rapidshare.com or megaupload.com. The principle is very simple: you upload your files to a virtual storage space in the cloud and you get back a unique URL ready to be shared with your friends/co-workers/users. Simple and efficient.

Simple but not so safe! According to Nick, URLs returned by some file sharing services are predictable. This means that if you discover how URLs are generated, you could download any file! Apart this (major) issue, your files are uploaded into the cloud with all the potential issues related to it.

Except if the file sharing services change they algorithm to generate the URLs, there will always be a risk to see your files accessed by a malicious guy. The only way to protect you is to encrypt your files before sending them in the cloud. Encrypting and uploading your files will quickly become a painful job. Why not try to automate this process via a command line tool?

Good news, RapidShare provides a free Perl script to upload files. To perform the encryption, the best tool remains PGP (IMHO) or, it’s free alternative, GnuPG. To interconnect Perl and GnuPG, a CPAN module is available. It uses the shared memory coprocess interface that GnuPG provides for its wrappers. All ingredients are present to write a Perl script which encrypts files (using the public key stored in your keyring) and uploads them to RapidShare. The script syntax is the following:

  $ ./rsgpg.pl -h
  Usage: ./rsgpg.pl [options] -f file [-r recipient] [-P passphrase] [-l login]
                    [-p password] [-h] [-v]
   -f file        Local file to encrypt and send to rapidshare.com
   -r recipient   Recipient's e-mail (from your GnuPG ring key)
   -P passphrase  Your private key pass phrase
   -l login       RapidShare login
   -p password    RapidShare password
   -v             Verbose output
   -h             Display this help, then exit

For security reasons, an interactive mode is available. This is useful to avoid passwords stored in shell history or log files. Required arguments not present in the command line will be asked via prompts:

  $ ./rsgpg.pl -f file.txt -v
  Using interactive mode...
  RapidShare login: login
  RapidShare password: ********
  Recipient: user@domain.org
  Passphrase: **************
  Encrypting file file.txt ...
  Uploading file /tmp/file.txt.gpg ...
  File /tmp/file.txt.gpg has 681 bytes. MD5=7013b0e031ceeb5e9eb0c9537d503e16
  Uploading to rs871.rapidshare.com
  Sending 681 byte... FINAL MD5 check passed. Upload OK!
  File URL: http://rapidshare.com/files/428334702/file.txt.gpg
  All done.

The files are uploaded using HTTPS but the generated URLs will remain based on HTTP (You need a RapidPro account to download over SSL). This is less important in our case as the files are already encrypted and only the recipient will be able to decrypt them using his private key.

The script is available here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.