Jonas Lodewegen

File downloads disabled because of security risk

Written by Jonas Lodewegen on

Yesterday afternoon, Copernica disabled file downloads upon the discovery of a security risk by one of our users. The reporting user was able to download random files by manually altering URLs. To prevent abuse, all file downloads were disabled completely on the spot. Please note that this is limited to the files that did not require logging in as registered Copernica user.

What consequences does this have?

Whenever mailings containing links to files other than images (such as PDF files or attachments made available through the web version of message) are sent, the linked files are currently not accessible. This means that attachments can no longer be downloaded via the web version of a message and that links to other files are effectively dead. Users who follow any such links, will be shown a blank page. This is the case for all mailings, historic and current.

Copernica's R&D team are currently working on a fix that will allow us to re-enable file downloads in a secure manner.

The affected files were not listed anywhere and were not linked to in any way, nor were they indexed by any search engine. The files could only be found haphazardly. After careful and thorough investigation, Copernica has found no indications that files were actually downloaded.