Summary
If you think a private Yahoo! Group is actually private, think again. For this article I created a new, private group in which I created a couple of posts. One was made via the web interface and the other was sent via email. Each post has an attachment. To read a post you need both to be logged in to Yahoo! and also to be a member of the group. If, however, you want to download the attachments, you can do so when you are neither a member of the group, nor even logged in to Yahoo!
Read on for full instructions to reproduce the issue, including links to download the attachments from my (not) private messages.
Background
The other day I was writing a screen-scraping tool to download some messages from a Yahoo! Group of which I'm a member. Just in case you don't know, Yahoo! Groups is an online discussion forum. You can read more about it here.
Since this was not a public group, I had to send along some extra information (cookies) to authenticate my requests. Once I'd collected the raw JSON data from their rudimentary API, I decided to download some of the message attachments. It was at this point that I noticed that downloading the files from the provided URLs didn't require me to be logged in to Yahoo!
Incidentally, due to there being a dearth of such things, I'll upload the scraping tool to GitHub at some point in case it might help someone else. Look out for a post on that in due course.
Steps to reproduce
Just to be certain, I created a brand new Yahoo! Group of my own. To do that I went to https://groups.yahoo.com and clicked on the large purple Start a New Group button, as highlighted in the image below. Had I already been signed in to Yahoo!, I'd have clicked on the Create Group + link on the left-hand side of the screen.
Next I chose a name and URL for my group and also elected to make it private, which means that only logged-in group members can view its content (except it doesn't, but we'll come to that in a minute).
Then I completed the group creation as follows. Nothing out of the ordinary there.
I've really locked this group down. If you go to the group homepage at https://groups.yahoo.com/group/tomssl (which will magically redirect you to https://groups.yahoo.com/neo/groups/tomssl/info), you'll be greeted by this image.
Whereas if I go to the same URL, I am greeted by this (note the red highlight which I've added). That bit that says No activity in last 7 days is testament to the fact that I took this screenshot soon after I created the group and before I uploaded any messages.
Here is a screenshot of some more group settings.
That all looks pretty secure.
Creating some posts
Next I created a post using the web interface and attached a text file by clicking on the paperclip icon, like this.
And then I created a similar post by sending an email (with a similar attachment) to [email protected].
Now if you go to https://groups.yahoo.com/neo/groups/tomssl/conversations/messages you can view the messages. Actually you can't, but you could if you were a member of the group. And if you're following along and creating your own group, you'll be able to.
Click on the first message and then click on the attachment thumbnail or on the Save link (which simply appends ?download=1 to the link from the thumbnail). This will download the file. So far so good.
Anyone can download the attachments
Here is the attachment from the first post: https://xa.yimg.com/kq/groups/92273975/1267872768/name/TomSSLTestUploadedViaWebInterface.txt.
And here is the attachment from the second post:
https://xa.yimg.com/kq/groups/92273975/1651924411/name/TomSSLTestUploadedViaEmail.txt
Go ahead and click on them if you like. You'll be able to download them (I promise they're just plain old text files).
I just conducted a quick straw poll to see if this lack of privacy is okay and it was unanimously decided that it isn't.
Conclusion
It's generally agreed that security through obscurity is not okay. It's also fair to think that if you create a private area of the internet, all of it should be private. It seems that, in the case of Yahoo! Groups, files which should be secure are stored in a publicly accessible content delivery network (CDN) and the only thing that is keeping them secure is a reliance on their URLs not being known. That's not really good enough and I think that Yahoo! should add the same access rules to these files as to their containing posts.
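What applying the post's access rule to attachments could look like, as an added sketch that is not Yahoo!'s code or part of the original post. The group, path, user names and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    private: bool
    members: set = field(default_factory=set)


@dataclass
class Attachment:
    group: Group
    body: bytes


# Constructed sample data: one private group with one member and one file.
GROUP = Group("example-private", private=True, members={"owner"})
PATH = "/kq/groups/1/2/name/note.txt"
FILES = {PATH: Attachment(GROUP, b"members only\n")}


def may_read(group, user):
    """The rule the article describes for posts: logged in AND a member."""
    if not group.private:
        return True
    return user is not None and user in group.members


def serve_url_only(path):
    """Behaviour the article observed: knowing the URL is sufficient."""
    att = FILES.get(path)
    return (200, att.body) if att else (404, b"")


def serve_with_post_rules(path, user):
    """Apply the containing post's rule before returning any bytes."""
    att = FILES.get(path)
    if att is None or not may_read(att.group, user):
        # Design choice in this sketch: answer "missing" and "not allowed"
        # identically, so a response never confirms that a file exists.
        return (404, b"")
    return (200, att.body)
```

Here `user` stands for whatever identity the site derives from the session cookie; `None` means not logged in.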
What do you think? Let me know in the comments section.