How did I manage to see lots of public files from Apple users and how to prevent that.

Wallace Soares
Jan 19, 2021

TL;DR: iCloud Drive files *were* being exposed to Google’s search engine and this is not fine.

It’s well known that Google owns a powerful search tool. Their crawlers can reach the entire internet by interconnecting sites and servers. Sometimes they also reach private pages, and what I mean by private is pages that are *supposed to be private.* Pages containing pieces of information like confidential documents, legal documents, paychecks, and social information are supposed to be private. However, sometimes Google reaches them, either by accessing them directly or through a redirection from other sites, and indexes them. Even though this information is unlikely to show up on the first page of your search, Google can still see it. It is on their servers. Thus someone can reach it and read it.

During June I was studying some hacking techniques and I came across this article on Medium by Ricardo Iramar dos Santos, who found out that a bunch of files from Microsoft’s OneDrive were being indexed by Google. You just needed the right combination of Google’s famous search queries: the Google Dorks.

Google Dorks are a set of queries that can be used in Google’s search bar to focus on, for example, some set of file extensions, URL paths, and keywords during your search. So in this article, Ricardo found the OneDrive files by using this Google Dork in the search engine:

site:onedrive.live.com inurl:cid

He could see 41600 files from Microsoft users. Today I saw 57900. This included family photos, legal documents, names, addresses, etc. When an email was sent to the Microsoft Security Team to warn them about this problem, they basically responded:

“It’s not a relevant problem. We are aware and we agree to continue like this.”

Yep. Also shocked. Given the problems we face today, such as data leaks, it takes courage, to say the least, to say that 41600 files from Microsoft users being cached by Google are not a relevant problem. However, allow me to elaborate a bit more about this. These files are not being cached without Microsoft knowing. They know. You should also know. Every time you share a file with a PUBLIC LINK and the company does not have the right rules to prevent it, Google caches them. I believe the problem here is about the company not warning you that once you create a public link to share with your friends, colleagues, and family to access your folders/files, this link will also reach the most used search tool on the internet. And it will be available to the ones that know how to search for them. I encourage you to search for this text in your Google: site:onedrive.live.com inurl:cid. You will probably see 6 results only, but there is a linkable text down below that says: repeat the search with the omitted results included. And then you will see the magic.
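One kind of rule a sharing service can apply to public-link pages is a noindex directive, sent either as an X-Robots-Tag response header or as a robots meta tag. The following is an added example, not code from this article or from Microsoft or Apple: it checks a share-link response for those directives. The sample responses and all function names are constructed for illustration.

```python
# Added example: does a share-link response tell crawlers not to index it?
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # directives that keep a page out of search results


def _split(value):
    # "googlebot: noindex, nofollow" -> {"noindex", "nofollow"}; an optional
    # "user-agent:" prefix on a directive is dropped before comparison.
    return {d.split(":")[-1].strip().lower() for d in value.split(",") if d.strip()}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= _split(a.get("content", ""))


def is_indexable(headers, html):
    """Return True when neither the headers nor the HTML forbid indexing."""
    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives |= _split(value)
    parser = _RobotsMeta()
    parser.feed(html)
    directives |= parser.directives
    return not (directives & BLOCKING)


# Constructed sample responses for a hypothetical public share-link page.
EXPOSED = ({"Content-Type": "text/html"}, "<html><head><title>shared.pdf</title></head></html>")
HEADER_PROTECTED = ({"X-Robots-Tag": "noindex, nofollow"}, "<html></html>")
META_PROTECTED = ({}, '<html><head><meta name="robots" content="NOINDEX"></head></html>')

if __name__ == "__main__":
    samples = [("exposed", EXPOSED), ("header", HEADER_PROTECTED), ("meta", META_PROTECTED)]
    for label, (hdrs, body) in samples:
        print(label, "indexable" if is_indexable(hdrs, body) else "not indexable")
```

A page that passes this check can still be fetched by anyone holding the link; the directive only asks compliant crawlers to keep it out of their index.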

This leads to me and the iCloud issue.

Apple always stresses how important privacy is. They always make a clear statement that the user’s privacy is one of their main concerns. So I tried to do the same with them. The whole story is pretty much the same. I tried to use the Google Dork - site:icloud.com/iclouddrive - to see if I could see some cached files. I was able to see, at the time, about 4200 files. It’s not the absurd 41k files from Microsoft, but still. So I mailed them with a warning and they made their statement clear: it’s a privacy issue. By the time you see this write-up, it should be fixed or you will see fewer results. This only shows how these two companies deal with users' privacy. A file being shared with a public link doesn’t mean that it is public to everyone. The power should remain with the owner. Kudos to Apple for taking this problem seriously.

One of the files found during my iCloud POC was a legal document from California Court

To end this article, if you finished, here is a tip for you: choose wisely which file you want to share with a link. If it’s not Google, there is a whole world of search engines and tools that can see your link. Once on the internet, you can never take it back.
