WHAT'S NEW?

Dropbox disables old shared document links to prevent unauthorized access






                On 5th May 2014, Dropbox disabled old shared document links to prevent unauthorized access to files. Before this change, anyone holding a shared link could open the file directly. Such a link may be known only to trusted users, but once it reaches unknown hands it becomes a serious security question.

                “The company said in a blog post Monday. Contacted for this article, the company declined to say how it had resolved the issue. They also implied that this problem affects another online storage service, Box.net. How those document links came to be used as search terms will be no mystery to anyone who has ever pasted a URL into the search box of their browser instead of the address box. Alongside the search results for that URL, the search engine also returns ads.”

                Users can also re-enable these links, but keep in mind that re-enabling them reintroduces the vulnerability. Here are the instructions for re-enabling these links.


Steps to remove an existing link

            1. Sign in to the Dropbox website.
            2. Browse or search for the file or folder you'd like to share.
            3. Right-click on the file or folder in the list and select Share link from the pop-up menu.
            4. Fill out information as needed to send the link to your recipients.

Steps to create new links
            1. Sign in to the Dropbox website.
            2. Browse or search for the file or folder you'd like to share.
            3. Right-click on the file or folder in the list and select Share link from the pop-up menu.
            4. Fill out information as needed to send the link to your recipients.

To send out a shared link to more people later, simply right-click on the file or folder again and select Share link from the pop-up menu.






Working with .htaccess




                We can all agree that pretty URLs make things easier for our users and add a level of professionalism and polish to any web application. Twitter is a widely popular web application, and part of the reason for that is certainly how it formats its URLs.

                The .htaccess file is a directory-level configuration file that allows decentralized management of web server configuration. The name simply means hypertext access. Its purpose is to allow per-directory access control, for example to require a password for content on the web server or to deny users access to certain files.
.htaccess files are stored inside the web tree. Some of the work done with .htaccess files is listed below.


* Rewriting URLs
                Replace or remove specific content of a URL.

* Blocking
                Block users, domains or IP addresses using deny / allow.

* Directory listing & customized error responses
                Control how the server reacts when a specific web page is not available, e.g. 404 & 500 pages.

Here we will learn some tricks to create user-friendly URLs.

1) Remove the extension of a PHP/HTML file and make a readable URL that contains queries.

URL (example request, as matched by the rule below)
    mysite.com/index/123.html

.htaccess
    RewriteEngine on
    # Per-directory rules match the path without its leading slash, so the
    # pattern must not start with "/". The anchors and [0-9]+ ensure only a
    # number is passed as index_id; [L] stops further rule processing.
    RewriteRule ^index/([0-9]+)\.html$ index.php?index_id=$1 [L]

Result
    The request is served internally by /index.php?index_id=123 while the browser still shows the pretty URL.


2) Remove particular content from a URL using .htaccess

URL
    mysite.com/folder/test.php

We will use two .htaccess files to remove the content `folder` from the URL, so the visitor sees mysite.com/test.php while the file still lives in /folder.

-> Go to `root/folder/.htaccess`

    RewriteEngine on
    # THE_REQUEST holds the original request line (e.g. "GET /folder/test.php HTTP/1.1"),
    # so this only fires for external requests that name the folder, not for the
    # internal rewrite done in the root .htaccess, which would otherwise loop.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/+folder([^\s]*) [NC]
    RewriteRule ^ %1 [R=301,L]


-> Go to `root/.htaccess`

    RewriteEngine on
    # Anything that does not already start with "folder" is served from /folder internally.
    RewriteRule !^/?folder folder%{REQUEST_URI} [L,NC]


3) Block requests coming from a particular referring domain

    RewriteEngine on
    # Options +FollowSymlinks
    # Any Referer header containing domainname.com gets a 403 Forbidden
    RewriteCond %{HTTP_REFERER} domainname\.com [NC]
    RewriteRule .* - [F]

4) Allow/block a particular IP address (Apache 2.2 mod_authz_host syntax; Apache 2.4 uses Require instead)

-> Block all
     deny from all
-> Allow all, then block a specific IP address
    order allow,deny
    allow from all
    deny from 120.177.166.165
-> Block an IP address range (a partial address matches the whole prefix)
    deny from 123.123.123

5) Limit the number of concurrent visitors to your website
    MaxClients <Number of max clients>
Note that MaxClients is a server-wide MPM directive that Apache honours only in the main server configuration (httpd.conf), not in a .htaccess file.


6) Deny access to a folder during a particular time

    RewriteEngine On
    # A RewriteCond guards only the RewriteRule that directly follows it,
    # so the condition must come before the rule.
    # If the hour is 16 (4 PM)
    RewriteCond %{TIME_HOUR} ^16$
    # Then deny all access
    RewriteRule ^.*$ - [F,L]

    # Multiple hour blocks
    # If the hour is 4 PM or 5 PM or 8 AM (the alternatives must be grouped;
    # without parentheses the anchors bind only to the first and last alternative)
    RewriteCond %{TIME_HOUR} ^(16|17|08)$
    RewriteRule ^.*$ - [F,L]

7) Redirect a specific URL to another URL

    Redirect /path/folder/1/2/3 http://www.mysite.com/newpath/1/2/3
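Tricks 1, 3, 4 and 6 above combined into a single Apache 2.4 .htaccess in their safer form, as an added example that is not part of the original post. It assumes AllowOverride permits FileInfo, AuthConfig and Limit in this directory; mysite.com, domainname.com and the IP addresses are the page's own placeholders, and the hour window and the index/NNN.html pattern are assumptions.

```apache
# Added example, not from the original post: one .htaccess for Apache 2.4 that
# combines the page's techniques 1, 3, 4 and 6 in their safer form.
# mysite.com, domainname.com and the IP addresses are the page's placeholders;
# the hour window and the index/NNN.html pattern are assumptions.
RewriteEngine On

# Never serve .htaccess, .htpasswd or any other dotfile, whatever the rules below do.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 4) IP control in Apache 2.4 syntax (replaces order/allow/deny of 2.2).
#    A partial address such as 123.123.123 matches the whole 123.123.123.0/24.
<RequireAll>
    Require all granted
    Require not ip 120.177.166.165
    Require not ip 123.123.123
</RequireAll>

# 3) Referer block, anchored to the host part so that "notdomainname.com" or a
#    path merely containing the string does not trigger it.
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?domainname\.com(/|$) [NC]
RewriteRule ^ - [F]

# 6) Time window: refuse every request from 16:00 to 17:59 and from 08:00 to 08:59.
#    The condition directly precedes its rule and the alternatives are grouped.
RewriteCond %{TIME_HOUR} ^(16|17|08)$
RewriteRule ^ - [F,L]

# 1) Pretty URL: /index/123.html is served by index.php?index_id=123.
#    Per-directory rules see the path without its leading slash; the anchors
#    and [0-9]+ ensure only a number reaches index_id, and [L] stops here.
RewriteRule ^index/([0-9]+)\.html$ index.php?index_id=$1 [L]
```

Because access control (Require) is evaluated before mod_rewrite, a blocked address never reaches the rewrite rules at all.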



Viber's Poor Security Practices Leave a Hole in Users' Privacy

Last week, cyber security experts reported a vulnerability in Viber, one of the most popular messaging applications in the world. They claimed that Viber's poor data security practices threaten the privacy of its more than 150 million active users.

The cross-platform Viber application is one of the most popular messaging applications. It allows registered users to send images, videos, doodles, GPS locations etc. to each other, and its most popular feature, voice calling, is available for Android, BlackBerry and Windows Phone.
Viber stores user data on Amazon servers in encrypted form. But it does not store images and videos in encrypted form; they can be accessed without any authentication, which leaves a large security hole.



 “The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a rogue AP or any man-in-the-middle attack,” the researcher wrote in the blog post.

Critical data can easily be accessed with a firewall or network testing tool like NetWitness or Wireshark that captures traffic on the network, as shown in the video.


“It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post.”