Microsoft introduced the cloud based storage system called SkyDrive several months ago. SkyDrive is a great platform to store, manage and share documents online. Microsoft has done a good job in integrating SkyDrive with Hotmail and various office products.
If you are sending an email with attachments through Hotmail, you have the option to upload the file to SkyDrive and share the link to the email recipient. There are few security issues involved in sharing documents through SkyDrive instead of sending as a plain attachments.
In this article, I want to talk about a specific issue related to security in the Hotmail - SkyDrive integration.
When you send a mail from hotmail and add some attachments, you have the option to share it through SkyDrive. This feature is integrated well with Hotmail and it can be done without much extra efforts. However, you must be aware that all such files shared through SkyDrive integration in Hotmail are shared publicly and those get access to the URL of such files can access the files. This is very similar to the Google Docs feature with the security settings as 'Anyone with URL can access the file'.
When you email a document to someone, do you expect it will be accessible to the others? That is what happens when you use the SkyDrive feature in Hotmail to send documents to email recipients. Well, not exactly.
Anyone with a link to the file can read and download the file. If you are sending a sensitive document to a business user, imagine how much damage it can cause to your business if it reaches your competitor. I don't have to talk much about the issues involved in sharing sensitive documents to the world.
Security issues in Hotmail SkyDrive integration
Let us see how this works.
- Person A want to send a sensitive document to Person B.
- Now person A log in to his Hotmail account, types a brief email to person B and adds the file to be sent. The file is automatically added to the SkyDrive and the link is shared through the email to person B.
- Now, person B reads the email in a public computer, access the file from SkyDrive, Signs out from his mail and goes away.
- Now person C comes to the same computer. He simply checks the URLs accessed by the previous user in the browser and finds the links to the file in SkyDrive. He visit the file in SkyDrive, downloads it and sends to some business competitors.
- Now person C follows few others links in the SkyDrive site and gets access to thousands of other files in SkyDrive which person A sent through Hotmail to various other people. (I am striking it out because I can no longer see all other attachments after I deleted all old attachments and started testing with new attachments. However, the security flaw still exists - anyone who get the link can see your file. The links can be easily found from the browsing history or other sources.)
This is a security flaw in the SkyDrive - Hotmail integration. Many users who share files through SkyDrive Hotmail integration do not know they are sharing the files publicly, even though it require getting access to the link. May be Microsoft can claim they use the word "share", but no where they make it clear that "it is shared publicly".
In fact, the options page in Hotmail make it highly misleading to the users. See the screenshot below:
Steps to reach the above options page:
- Login to Hotmail
- Click on the "Options" in the top right corner in hotmail inbox view.
- Click on More options
- Click on "Attachments" under "Writing Email"
You will see the below options:
Big attachments can clog your friends' inboxes. But when you use SkyDrive, you send links to files instead of the files themselves. This makes it easy to share hundreds of files at a time with the people you choose.
Always send files using SkyDrive
Always send files as attachments
Let Hotmail choose (use SkyDrive for large attachments and Office docs)
Take a close look at this part: share hundreds of files at a time with the people you choose
Where do you have the option to choose the people? No where. The only option you have is to send the email to one or more recipients, but any one who gets the link is free to share the link with anyone else or leave some traces of it unknowingly leading to access to your documents. Or, someone who see your browsing history can access all such files from the senders SkyDrive.
SkyDrive would be a great enhancement to Hotmail, if few changes are made
I recommend Microsoft make the following changes to make SkyDrive a great feature to the Hotmail users:
1. During the attachment step, make it clear to the users that the files can be accessed by anyone who get a link.
2. Allow the recipient to transfer the file from the SkyDrive of sender to the SkyDrive of recipient
3. Show some status in the SkyDrive of the sender that the file is transferred or accessed so that it can be safely removed from the senders SkyDrive.
|Guest Author: Pradyuman Vig 12 Feb 2012|
|You can change the setting of the file to be "view only". This isn't something new - know your facts before posting it.|
I do it all the time - go into SkyDrive, and set it as "view only".
Granted, there is no password protection or anything, but the third-party won't be able to download the file, only view it.
Microsoft's implementation works, and works well. I don't see major security flaw with this. Microsoft specifies you are sending a link - you can't expect the link to not be distributed in one way or the other.
|Guest Author: wixostrix 12 Feb 2012|
|While the text Microsoft uses is misleading for sending attachments, it does hold true for SkyDrive file sharing. If you upload documents to SkyDrive first, then share them from there you can in fact share the link securely (requiring sign-in). This is no different than how Google Docs handles document sharing. If you don’t require sign-in then anyone with the link could access the document.|
This “flaw” can be easily remedied by Microsoft having a check box(es) below the SkyDrive attachments to require sign-in or not for access to the files.
|Guest Author: Beatnyama 13 Feb 2012|
|When you send an email to someone with an attachment you have no guarantee where that attachment will end. The only security you have in that case is you hope the receivers with the attachment do no forward it (to your competitors for example)|
Skydrive also does the same thing, the only difference is that the file is not actually sent. So if the URL is accessed and the file used for the purposes it was not sent, its not Skydrive's problem.
|Author: Tony John 13 Feb 2012||Member Level: Diamond Points : 4|
This article is written in the context of the new AttachmentsSuck campaign from Microsoft. When Microsoft claims Attachments Suck and SkyDrive is the way to go, I actually wanted to show it is the other way.
>> I do it all the time - go into SkyDrive, and set it as "view only".
Doesn't it suck to go to SkyDrive after sending each email and set the security of the file to "View Only"?
>> but the third-party won't be able to download the file, only view it.
What is the big difference between downloading and viewing? For me, it is pretty much the same. It is the data inside the file which is important and not whether can download the bytes or not.
>> If you upload documents to SkyDrive first, then share them from there you can in fact share the link securely (requiring sign-in)
You are absolutely right. But I am talking about the SkyDrive-Hotmail integration where you use Hotmail and use the SkyDrive option built into it. There is no option to set the security there.
The checkbox option you proposed is a great idea.
>> Skydrive also does the same thing, the only difference is that the file is not actually sent
You are wrong. Leave aside the misuse by recipients. There is nothing anyone can do about it. What we are talking about is the security flaw. In case regular attachments, the files are safe within the email and only bad guys who can break the security of Hotmail can get in to it. But in case of files shared through Hotmail-SkyDrive integration, anyone who can see the browsing history can get to those files. Public computers, browsing centers etc are typical examples were sensitive documents could be accessed by others who look at browsing history of others.
I have worked in large IT companies where only 1 or 2 computers are designated for accessing internet. So if we have to check an attachment shared through SkyDrive, all of them will go to the same computer in the office. I often look at the browsing history to find a web page I just closed accidentally! Now, when I look at the browsing history in such computers, you could see the links to the confidential reports sent by the rest of the people in your company! I can come up with several such examples to prove this security flaw.
While SkyDrive is a great platform and I use it to share files, this article is specifically about the security flaw in SkyDrive-Hotmail integration.
|Guest Author: wixostrix 14 Feb 2012|
>>This article is written in the context of the new AttachmentsSuck campaign from Microsoft. When Microsoft claims Attachments Suck and SkyDrive is the way to go, I actually wanted to show it is the other way.
Why are you so against it though? It's a nice alternative to sending files back and forth. The traditional attachment method will still exist, but in some cases hosting the files yourself so you can keep track of edits and whatnot. If you are sending a file to someone that you aren't going to utilize then the traditional attachment method makes more sense.
|Author: Tony John 14 Feb 2012||Member Level: Diamond Points : 3|
I am not against SkyDrive. It is a free and great service for sharing documents. I will definitely utilize my free 25Gb quota to share files with others, but not through Hotmail.
What I am pointing out here is the security flaw in using it as an alternative to email attachments. Microsoft claims Attachments Suck and SkyDrive is the way to go. My point here is, SkyDrive is NOT AN ALTERNATIVE to attachments in the way it is implemented currently. SkyDrive alternative is not as secure as Attachments when it is used from within Hotmail.
I would use SkyDrive as a system to share files with others but will not use it from Hotmail due to the security flaw I talked in this article.
|Guest Author: Rameez 21 Mar 2012|
|Privacy and security are of major concerns while sending a file or while online sharing and collaboration and with these issues I don't think I would prefer my team using it. Of late I've been looking for alternatives of some independent tools which doesn't really have problems like this o even like wise with Google docs with having a Gmail id mandatory for sending files online. Hence I've come across few tools such as CollateBox http://www.collatebox.com/ and smartsheets. Waiting for this one.|
|Guest Author: Mike 23 Jun 2012|
|Has microsoft done anything yet to address the security concern you outline above|
|Author: Tony John 15 Jan 2013||Member Level: Diamond Points : 0|
Microsoft has not done anything other than claiming this is not a security concern.