I was testing sharing files from iCloud when I accidentally stumbled onto this bug.
Steps to Repro:
- In Firefox preferences, set "Portable Document Format" download action to always ask.
- Log into iCloud.com and tap on a PDF file's name (Blue URL) to download it but, instead of saving it, select "Open with other.." and choose Firefox.app in the app list.
- The file will display right in the browser as expected. Now, copy the link in the address bar:
  https://cvws.icloud-content.com/B/[loooong_string]
  and take that link to a different browser altogether with no iCloud login.
The file is still openly accessible. To anyone with that link!
Yes, granted, it's not the type of link to be easily guessed, but the file was NOT intentionally shared or made available via a link, and NO authentication was needed to access it.
Is this behavior by design? Gaining access to this link appears to pose a huge security risk, doesn't it?
Best Answer
I filed a bug report.
Them:
Me: Here's the link.
Me, later: The link shows "gone" after some time. Here's another.
Them: