Are Your Files Public? The Edlio Example


By Tony DePrato | Follow Me on LinkedIn

I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called Edlio.

I cannot say if Edlio has a security issue, or if what I found was simply based on clients not following procedures, or if all these schools marked their documents as public.

However, I can say it is generally bad practice for:

  1. Personal information to be public and openly searchable
  2. Budget information to be public and openly searchable (aside from summaries and annual reports)
  3. Versions of documents that are not the final version to be public and openly searchable
  4. Calendars and other data about large group events to be enabled without security
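The four categories above are a usable checklist for the audit a school would run over its own published documents. The script below is an added example written for this post, not code from the author or from Edlio: it takes an inventory of document URLs (a constructed list is embedded here; in practice it would come from the school's own export or sitemap), flags each file that matches one of the four categories by filename heuristics, honours the post's exemption for summaries and annual reports, and counts findings by the year that appears in the path, since the post notes that the documents are organized by date. The keyword patterns and the `/common/YYYY/MM/` path layout are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Heuristic filename patterns for the four categories in the post's list.
# These are illustrative assumptions, not a vendor-specific or complete taxonomy.
RULES = {
    "personal_info": re.compile(
        r"(roster|student[_ -]?list|medical|allerg|passport|home[_ -]?address|emergency[_ -]?contact)", re.I),
    "budget": re.compile(
        r"(budget|salar|payroll|invoice|ledger|purchase[_ -]?order)", re.I),
    "draft_version": re.compile(
        r"(draft|(?<![a-z])v\d+(?![a-z])|version[_ -]?\d+|_old(?![a-z])|copy ?\(\d+\)|final[_ -]?final)", re.I),
    "event_data": re.compile(
        r"(calendar|field[_ -]?trip|itinerary|attendee|bus[_ -]?schedule)", re.I),
}

# The post exempts summaries and annual reports from the budget category.
BUDGET_EXEMPT = re.compile(r"(summary|annual[_ -]?report)", re.I)

# A year component in the path, e.g. /common/2019/03/ (assumed layout).
YEAR_IN_PATH = re.compile(r"/(\d{4})/")

# Constructed sample inventory; the hostname is a reserved example domain.
SAMPLE_URLS = [
    "https://files.example.invalid/common/2019/03/Annual_Report_2018.pdf",
    "https://files.example.invalid/common/2019/03/FY2019_Budget_Draft_v2.xlsx",
    "https://files.example.invalid/common/2018/11/Grade7_Student_Roster.pdf",
    "https://files.example.invalid/common/2020/01/Spring_Field_Trip_Itinerary.docx",
    "https://files.example.invalid/common/2020/05/Newsletter_May.pdf",
]


@dataclass
class Finding:
    url: str
    categories: list


def classify(url):
    """Return the list of risk categories whose pattern matches the filename."""
    name = url.rsplit("/", 1)[-1]
    categories = []
    for category, pattern in RULES.items():
        if not pattern.search(name):
            continue
        # Budget summaries and annual reports are acceptable public documents.
        if category == "budget" and BUDGET_EXEMPT.search(name):
            continue
        categories.append(category)
    return categories


def audit(urls):
    """Return a Finding for every URL that matched at least one category."""
    findings = [Finding(u, classify(u)) for u in urls]
    return [f for f in findings if f.categories]


def findings_by_year(findings):
    """Count findings per year found in the path; 'unknown' when no year is present."""
    counts = {}
    for f in findings:
        match = YEAR_IN_PATH.search(f.url)
        year = match.group(1) if match else "unknown"
        counts[year] = counts.get(year, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = audit(SAMPLE_URLS)
    for f in results:
        print(f"{', '.join(f.categories):28} {f.url}")
    print("findings per year:", findings_by_year(results))
```

Filename heuristics are a first pass only: a document called `Newsletter_May.pdf` can still contain a roster, so anything the script does not flag still needs a human skim, and anything it does flag is a reason to check the permission setting on that item rather than proof of a problem.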

Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:

[screenshots of the compound search results]

I then noticed that the documents seem to be organized by date and mixed, meaning different schools appear to be storing documents in a “common” directory, with their files further organized below it.

[screenshots of the shared date-organized directory]

Using a search based on the date, I was able to further sort documents from different schools:

[screenshots of the date-based search results]

Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.

The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.

If you want more information on how to do this type of testing and analysis, please email me: tony.deprato@gmail.com

About Tony DePrato

about.me/tonydeprato
This entry was posted in copyright, cyber awareness, Educational Technology, Helpful Tips, Uncategorized.
