‘Security by obscurity’ is not an effective security approach

This is a true story. I just came across a website, which I will not name (yes, I have emailed them to let them know of their issue), that provides a number of tutorials for download for a fee. They also have some free samples that you can download for free that are excerpts from the main materials.

I found the website from a Google search, and one of the search results was a pdf from their site on the topic I was looking for. Once I started browsing the tutorial contents however, I noticed that the file I’d found from my Google search appeared to cover far more pages in one chapter than should have been covered by one of the listed sample downloads, it was a complete chapter.

Thinking this was odd, I noticed that each sample download pdf listed in the tutorial table of contents had a range of pages in the file name, for example chapter1_1-2.pdf, but the file I had come across was chapter2_10-20.pdf

Out of¬†curiosity it didn’t take too much guess work to change my url to point to chapter1_1-9.pdf and I’d downloaded a whole another chapter of material that should have only been accessible as paid materials. Looking at the other file names for the other chapter samples, it was easy to guess all the other filenames for all the other chapters too.

This wasn’t an isolated case. This particular website has a number of tutorials online following the same pattern. Given the example filenames from the free samples, it’s possible to guess all the full download files for all of their tutorials.

What the website owners and/or developers of their site had done was rely on ‘security through obscurity’ – the direct links to the paid materials were not listed on the website, but there was no security to prevent anyone from downloading the paid materials for free, even if they hadn’t paid to access the paid content. They had in effect hidden the paid materials in plain view.

The second mistake was to use an obvious pattern in the file names so that it was easy to guess the file names for the paid content. The table of contents which included links to a small number of sample pages made this easier, because it illustrated that the chapter files were numbered sequentially, and since there was a sample download for the first couple of pages for each chapter, it was easy to deduce that the files names were for all the other pages for the paid content.

If there was another authentication mechanism in place for paying customers to logon on to the site first before they could download content then the sequential nature of the file names wouldn’t be as much of an issue. The fact that there was no other security on the site however, meant that the table of contents with it’s sample links pretty much gave away the names of all the paid content.

‘Security by Obscurity’ is a very ineffective security mechanism. You can assume that ‘no-one will be able to find these files, right?’ but that’s a pretty bad assumption. If you think there’s a chance that no-one will find the files, it also means there’s a chance that someone will find the files. If your business is to make money from selling access to these paid materials, then this is a risk you cannot afford to take.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.