Tuesday, 2 August 2011

Boxify.me: A brief lesson in what privacy isn't

Boxify.me is getting a bit of press lately as a new site that allows sharing multiple files with others in 'boxes'. No sign up required; you just click on the 'start sharing' button, upload files, and share the URL around with others.

Here's their current front page.

Before I go further, I should mention this kind of sharing is inherently insecure - they make no promises about keeping your data safe and there's no password protection. Anything you put up there can be accessed by whoever has the private URL, and that's how it's designed. The only thing they specify on that page there is that your box has a 'private URL'.

That should be easy, right? All they have to do is set up robots.txt so that nobody can spider their site, after all.

Unfortunately, I'm wrong.

And as a result of that:


Now, I know what you're thinking -"That's not too big a deal, google can't find anything that's not already linked to". That's where the second mistake comes in, which is only obvious because of the first.

When you click on the link to uploads.boxify.me, you get this lovely page.
Yup. That a public xml file with hard links for the thousand most recently uploaded files. I'm not sure why the file exists, but the fact it's publicly accessible is just terrible. In 15 minutes you could knock up a shell script that regularly checks for and downloads every single file uploaded to the site.

So the outcome here: Boxify.me may turn out fine one day, but so far Loren Burton's  claims of a private URL aren't holding up.. If you don't want your files immediately available to the general internet, don't use boxify.


Interesting Sidenode: The example box they link to on the front page can also be edited by the masses. Consequently, it has naughty material for the discerning visitor.

1 comment: