Hijacking of Invitations


Post by CySlider » 11 Feb 2010, 14:44

I wonder if it would technically be possible for the TeamDrive Team to hijack an invitation sent by a user for a Shared Space to get to the data of that space, even if it's on some private WebDAV folder.

PS: The Use Cases Forum is not writable, is that intended to be so?
CySlider
 
Posts: 16
Joined: 24 Jan 2010, 18:42

Re: Hijacking of Invitations

Post by Florian Grothe » 12 Feb 2010, 11:10

Hi CySlider,
I understand that one might be concerned about the security of one's private data these days. But please rest assured your TeamDrive Spaces are very secure.
For one thing, the data in your shared spaces is always encrypted. So are the invitations. The invitations are encrypted with the 256-bit public key of the receiver. Therefore you theoretically could give the invitation to anyone. But the only one who can make use of it is the intended receiver that owns the related private key.

Besides, nobody can ever be a member of a shared Space without being seen by all other team members, therefore your data couldn't be accessed undetected anyway.

We are certified by the "Independent Center for Privacy Protection Schleswig-Holstein, Germany". You can find some more information about that here:

Best Regards
Florian
Florian Grothe
TeamDrive Team Member
 
Posts: 46
Joined: 12 Jan 2010, 12:34

Re: Hijacking of Invitations

Post by CySlider » 17 Feb 2010, 10:04

Thank you for the reply.
First, this is out of curiosity and the responsibility I carry for my customers' data I work for. So don't take any of this personally.

If I haven't missed something, the procedure is like this:

1) I invite an "unregistered" person by giving TeamDrive his e-mail address.
2) That person gets that invitation to his e-mail account and registers with the same e-mail address
3) he finds the invitation in his account and can accept it
4) he has access to the shared space.


I don't remember any password I had to set that is not known to TeamDrive here. Maybe I remember it wrong?

So let's say I mistyped the e-mail address and it got to the wrong person, then that person could register at TeamDrive and get access to my shared space as well, or?
If I'm right, what about TeamDrive employees simply changing the e-mail address to one of theirs and registering, wouldn't they have access as well? I don't care if I notice it at some point, I don't want it to happen in the first place.
CySlider
 
Posts: 16
Joined: 24 Jan 2010, 18:42

Re: Hijacking of Invitations

Post by volkeroboda » 18 Feb 2010, 17:54

Hi,
in our TeamDrive 1.x Version we have had a password for the invitation. We will add the password function in one of our next releases.

Thanks and best regards

Volker Oboda
volkeroboda
TeamDrive Team Member
 
Posts: 583
Joined: 10 Jul 2008, 19:53

Re: Hijacking of Invitations

Post by Timmi » 17 Mar 2011, 16:53

Sorry for resurrecting this old thread, but the procedure is not yet clear to me.

Florian Grothe wrote: The invitations are encrypted with the 256-bit public key of the receiver. Therefore you theoretically could give the invitation to anyone. But the only one who can make use of it is the intended receiver that owns the related private key.


How does this work in the case of the "Invite all my devices" functionality? I just tried it, and could access the invitation after logging into TeamDrive on a new installation (as expected). At the time the invitation was sent, there was no public key for that device in existence.

So, how is it technically prevented that these invitations are hijacked by someone with access to the TD server?
Timmi
 
Posts: 1
Joined: 17 Mar 2011, 16:44

Re: Hijacking of Invitations

Post by volkeroboda » 30 Mar 2011, 20:23

Hi
No other user can use your invitation. The user must have access to your e-mail account and he must know your password. You can switch off the invitation of your own devices with every invitation. In the new Teamdrive Version 2.4.x you can add a password for every invitation to a space.

Best regards

Volker
volkeroboda
TeamDrive Team Member
 
Posts: 583
Joined: 10 Jul 2008, 19:53

Re: Hijacking of Invitations

Post by uluckas » 15 Oct 2011, 20:20

Could someone please elaborate on the 'Invite all my devices' process?
Even in the most recent version, I can 'invite all my devices', then create a new TeamDrive installation on a new PC and have access to my files.
As the installation has been created after the invitation was sent, no public key for the new installation existed at that time.

1) How does the space key make it to the new device? Is there any difference for someone at TeamDrive if I use my own WebDAV or TeamDrive server?
2) How is the space key protected against attacks by teamdrive employees which could know my login password?
uluckas
 
Posts: 2
Joined: 15 Oct 2011, 20:10

Re: Hijacking of Invitations

Post by bradychris1 » 08 Nov 2011, 10:14

Is there someone else who can elaborate in detail about installation?
bradychris1
 
Posts: 1
Joined: 07 Nov 2011, 10:37
Location: San Diego

Re: Hijacking of Invitations

Post by EPruehs » 14 Dec 2011, 11:51

You can find an answer on how we made this special invitation secure here:

http://forum.teamdrive.net/viewtopic.php?f=3&t=1565

Regards, E. Pruehs
EPruehs
TeamDrive Team Member
 
Posts: 169
Joined: 17 Jul 2008, 18:05

