iCloud iCloud Drive Security Concern

[charbelgt]

When viewing a PDF that is stored in iCloud using a web browser signed into your iCloud account, you can copy the URL of the PDF and paste it into another browser that is not signed in and still view the document. This seems like a massive security flaw - is there something I'm missing here, or is there somewhere that I can report this to Apple?

To confirm, this happens even when all iCloud sharing features are disabled. It appears that iCloud generates publicly accessible URLs for PDFs and JPEG files stored in iCloud Drive, regardless of sharing status

 

[Morac]

Do you have enhanced data protection enabled? If so that shouldn’t be possible.

If not it’s probably cached or something.

 

[charbelgt]

I don't have enhanced protection enabled, but this shouldn't need it. Documents stored in iCloud that aren't explicitly shared shouldn't be served on publicly accessible URLs as it appears they are. Pretty certain it's not a caching thing, but curious if anyone else can replicate this.

 

[sers]

Just tried this and can confirm I can copy the URL of PDF stored in my iCloud Drive into another browser that's not signed into my iCloud account and it will display the document.

 

[Morac]

My guess is it’s likely being cached at the server side (aka CDN caching). That’s not ideal, but since the URL isn’t public and the cache will clear it’s probably not a big deal.

If you want security you should enable enhanced security.