Web Application - Security - Link sent to unauthorized users who have access.

  • 1
  • Question
  • Updated 1 year ago
  • (Edited)
I need to understand how I can control access to specific folders in ShareFile when sending a link.  

Please review the steps and suggest a solution.

  1. Log into ShareFile; mycompany@sharefile.com
  2. Folders, Personal Folders, and create a folder “Test” for example.
  3. Upload a couple of files to this folder. 
  4. People on this folder, add a couple of people who have an Employee or Client account.
  5. Grant at least View, Download and maybe Upload (alerts if you wish)
  6. Go back to “Items in this Folder”
  7. Select a file (check box, checked)
  8. Above, click “Share”, should see; “Email with ShareFile” or “Get a Link”
  9. In our example, select “Get a Link”
  10. You should see the link but before you copy, check the "Edit Link Options"
  11. Edit Link Options; Notifications (checked or unchecked), Security (Checked or Unchecked), Allow recipients to “have full control”, Download access expires “After a week”, Downloads “Unlimited”, and checked to “Always link to the latest version of the file”.
  12. Click Done (for Edit Link Options), returned to “Get a Link” page
  13. Click the green box “Copy Link”
  14. Open your email, any email (not using the ShareFile Outlook Plug-in)
  15. Paste the link into an email.
  16. Send the email to one or more of the users who you have granted access to the folder, in ShareFile “People on this Folder”

What Happens:
  1. One of the authorized recipients of the email receives the email they are able view the contents of the file by clicking on the link in the email.
  2. The recipient forwards the email, with the ShareFIle Link in the email, to a colleague.
  3. This colleague has not been granted any “View, download, Upload” access, in fact no access.
  4. The colleague is able to click on the link and view the contents. 

Why is the colleague able to click on the link that was forwarded and see the contents of the link sent?
The colleague is not one of the “People on this Folder” who was granted access by the owner. 

You might state that I forgot in step 11 above that I did not check the box in Security to require login.  Does not matter. But will prefer to log into ShareFile for validation.  They log in with their ShareFile account and can still see the contents of the file. You would think they should be denied access.

If you use Outlook and the Outlook plug in, Attach Files, From ShareFile, (Custom Setting Options require “Sign In”) Select a file from your Personal Folders and send the email to people who have been granted access to the selected file.  If the recipient of the email forwards to another person and THAT person clicks on the link, they will be prompted to login in but will NOT be able to see the contents of the file and are returned to the login screen. 

Our users want the ability to send a link and share with those who they have granted access through “People on this Folder”.  Inhibit a link from working in a forwarded email to users who have not been granted access.
Photo of John Taylor

John Taylor

  • 9 Posts
  • 2 Reply Likes

Posted 1 year ago

  • 1
Photo of Leo

Leo, Official Rep

  • 404 Posts
  • 37 Reply Likes
Hi John,

Folder access and Share links are two completely different things.

If you are granting access to files by adding people to folders then those people need to log in to the website.

If you are granting access to files by sending them a Share link then you send them a Share link.  If you want to restrict a Share link then you have use Email with ShareFile and restrict it to login required.  That way if someone logs in with an unauthorized account, they can't access the files used in the Share link.

There is zero connection between both processes.

All folder access will care about is that the person logging in to the website matches one of the people who is granted access to the folder involved.

All Share links care about is that the file exists somewhere in the account (and that the link itself is not already expired).

Any sort of access restriction has a login component.  Otherwise how will it know whether the person accessing is authorized?

-Leo
Photo of John Taylor

John Taylor

  • 9 Posts
  • 2 Reply Likes
Leo,

OK, Thanks.  Using the "Share Link"  through the web UI and requiring someone to log in does not inhibit anyone else from logging in and accessing the file.  Got it.  I think that if you require someone to log into ShareFile to access the file that the Share Link would only allow access to those who are authorized via "People on this Folder".    I think if you survey people they will have the assumption that the link is secure, which it is not.  Should be changed. 

Maybe it would be a good idea to have a warning when someone selects the "Get a Link" through the web UI and warn the person by using this link unauthorized persons may have access if the link is forwarded to unauthorized people. 

I understand the Outlook client and the link in the Outlook client should work exactly in the same manner.  Which, if the email is forwarded by a recipient to a person who has not been granted rights in "People on this Folder" then the link will not allow the unauthorized person to access.
Photo of Leo

Leo, Official Rep

  • 404 Posts
  • 37 Reply Likes
Hi John,

I'm unsure how you are coming to this conclusion, or maybe I am misunderstanding what you're trying to say, so I'll rephrase slightly.  If login is required on the Share link, it will prevent other accounts from accessing the files sent by the link.

There are three possible states for a Share link:
- Anonymous
- Require Name and Email
- Require Login

If you leave the link Anonymous or requiring a name/email, it will not restrict the link and allow you to pass it on as you want.

If you require login, then the only accounts that can access the link are the people you send it to and yourself (considering you sent it).  Any other accounts logging in on the link will not be able to access the contents of the link.

In order to require login, the Share link needs to have an email to restrict the link to, so if you are trying to create this with the Get a link option, it won't work because that process does not include an email address.  The plugin for Outlook does not have this problem because the email address(es) to restrict is in its email.

Let's say there's three accounts.  Me@somewhere.com, You@somewhereelse.com, and 3rdparty@FOAF.com

I log in with Me and send a Share link to You that Requires login.  

Because it is only going to You, if 3rdparty tries to log in on the link, will not be able to access the files and will either loop at the login screen or be presented with a message indicating a lack of authority to access the file(s)..

If you are testing this, please make sure you are testing with a fresh incognito/private session or multiple browsers.  Otherwise you will get a false positive when accessing the link because you're already logged in with your own account.

-Leo
(Edited)
Photo of John Taylor

John Taylor

  • 9 Posts
  • 2 Reply Likes

Hi Leo,

 

Maybe I am missing it somewhere.  Please look over

 

The options you present:

There are three possible states for a Share link:

- Anonymous

- Require Name and Email

- Require Login

 

I understand the above options if using the Outlook Plug in.

The options above are available if you use the Outlook plug in.  Our locked default is "require login" when using the Outlook client.  This method works perfectly, as expected.  When I use the Outlook, use ShareFIle to send a link in the email.  Those users who are authorized will be able to access.  If one of the recipient’s forwards the email, the ShareFile link is useless. Again, this works perfectly.

However.. to note, from your comment, "Get a link option, it won't work because that process does not include an email address."

I think the ability to include "Require Login" should be included with the "Get a Link" Option when using the Web UI and restrict access to those users who Log into Sharefile using either an employee or client credentials.

I still stand that users who use the "Get a Link" option in the Web UI are under the impression that access is restricted when in fact anyone can gain access if the link is  forwarded to unauthorized people. 

Thanks,

John

 
PS.  I see that many have complained and the problem still exists.  I would like to see if this can be resolved.  https://community.sharefilesupport.com/citrixsharefile/topics/big-security-issue-for-shared-links

I am not the only one and it has been going for a long time. 


(Edited)
Photo of Leo

Leo, Official Rep

  • 404 Posts
  • 37 Reply Likes
Hi John,

Correct, the Plugin can create all three types of Share links.

If the goal is to use the login link with a non-ShareFile email system, then currently the only options for doing so are by creating the link via the Outlook Plugin, the Outlook addin, or the Gmail extension.  

However, given what you seem to be stating as what you want, you can just give your recipients a direct link to the folder either by copy/pasting the address from the address bar or grabbing it from the View Details popup.  Anyone not authorized to view the folder will get redirected elsewhere.  Anyone authorized for the folder will see the folder details that they are allowed to see.  You can find the detalis about it here:

https://support.citrix.com/article/CTX208313


-Leo