Trawling Gliffy for Sensitive Data

Gliffy.com is a tool that allows you to draw various diagrams, ranging from flowcharts to network diagrams. Gliffy has several membership tiers; the one we are interested in is the free tier, whose limitation is that your diagrams are publicly readable (read-only).

The Issue

When you create a new diagram, a unique identifier (ID) is assigned to it. You would think that the ID would be randomly generated; however, this is not the case. All that Gliffy seems to do is increment the previously generated ID by 1, regardless of whether the diagram is private or public.

If you come across a diagram which is private, you get an “Unauthorized” message with a 401 HTTP status code. If the user has removed the diagram and you then try to access its ID, you get a “Not Found” error with a 404 HTTP status code.

Using these helpful error codes, it is a trivial process to create a script that downloads any diagram that has neither been set to private nor been removed by the user. Relying on human error, and with the help of Gliffy’s ID generation, let’s see what we can find…
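From the service operator's side, the same 401/404 pattern that makes scanning easy also makes it detectable: one client walking consecutive IDs and collecting mostly error responses looks nothing like a normal reader following shared links. The following is an added detection example, not code from the post or from Gliffy; the access-log format, the `/go/share/<id>` URL path and the log lines themselves are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined-log style (not real Gliffy logs).
# The first client walks IDs 8000100..8000105 in order and mostly gets 401/404;
# the second client fetches two unrelated public diagrams, as a normal viewer would.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /go/share/8000100 HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /go/share/8000101 HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /go/share/8000102 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "GET /go/share/8000103 HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "GET /go/share/8000104 HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2015:12:00:04 +0000] "GET /go/share/8000105 HTTP/1.1" 401 0
198.51.100.9 - - [10/Mar/2015:12:00:05 +0000] "GET /go/share/8000102 HTTP/1.1" 200 5123
198.51.100.9 - - [10/Mar/2015:12:05:00 +0000] "GET /go/share/8123456 HTTP/1.1" 200 4400
"""

# Assumed URL layout: the numeric diagram ID is the last path segment.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /go/share/(\d+) HTTP/[\d.]+" (\d{3})')


def parse_requests(log_text):
    """Group (diagram_id, status) pairs per client IP; lines that don't match are ignored."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, doc_id, status = m.group(1), int(m.group(2)), int(m.group(3))
        per_client[ip].append((doc_id, status))
    return per_client


def flag_enumerators(log_text, min_requests=5, min_error_ratio=0.5, min_consecutive_ratio=0.5):
    """Return clients whose requests look like ID enumeration.

    Two signals are combined: a high share of 401/404 responses (private or deleted
    diagrams, which a normal viewer rarely hits) and a high share of requested IDs
    that are exactly one apart (a counter being walked). Thresholds are illustrative.
    """
    flagged = {}
    for ip, reqs in parse_requests(log_text).items():
        if len(reqs) < min_requests:
            continue
        errors = sum(1 for _, status in reqs if status in (401, 404))
        ids = sorted({doc_id for doc_id, _ in reqs})
        consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        error_ratio = errors / len(reqs)
        consecutive_ratio = consecutive / max(len(ids) - 1, 1)
        if error_ratio >= min_error_ratio and consecutive_ratio >= min_consecutive_ratio:
            flagged[ip] = {
                "requests": len(reqs),
                "error_ratio": round(error_ratio, 3),
                "consecutive_ratio": round(consecutive_ratio, 3),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_enumerators(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {stats}")
```

Both ratios matter: a client that only requests consecutive IDs may simply be reading a series of diagrams shared by one author, and a client with many 404s may be following stale links, but a long run of consecutive IDs where most responses are errors is the scan described above. In practice the thresholds would be tuned against real traffic, and a single IP is a weak key once a scanner is spread across many addresses.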

The Results

After I looked at a few random IDs, it appeared that diagrams with an 8XXXXXX ID were created between late 2014 and 2015, so that is the range I stuck with. I wrote a bash script and ran it over a 4 hour period; it found and downloaded 3,252 public diagrams from a total of 26,000 IDs scanned. I initially cherry-picked a few diagrams, and the results were eye-opening, ranging from full network diagrams to user authentication processes containing usernames and passwords.

Example 1:

This redacted diagram showed a wealth of information such as:

  • Public IP Address
  • Private IP Address
  • Company Name
  • Company Remote Locations
  • Line Numbers (Ref)

REMOVED

Example 2:

I had to heavily redact this particular diagram, as it was one of the most technically rich diagrams in the sample I downloaded. It contained:

  • Public IP Address
  • Private IP Address
  • Firewall Rules
  • IPSec Tunnel Information
  • Company branding
  • Company Name
  • Company Remote Locations

REMOVED

The Fix

Don’t use the free account for real world diagrams.

Gliffy could help the situation by not making the IDs so linear. I contacted Gliffy to ask whether they had any intention of changing the way IDs are generated to reduce this risk, and received this reply:

Hi Jay,

Thanks for using Gliffy. We unfortunately do not have any current plans to change this.

We have voted for it on your behalf in our public forum located here: http://support.gliffy.com/entries/20133138-Make-public-document-URLs-much-harder-to-guess-or-brute-force-attack

We take these requests very seriously. The votes and comments these receive help us to gauge public interest and assist us in allocating resources for future development.

Thank you, Katy

So it appears that Gliffy have known about this issue since 2011, when it was first brought up on their forums. If they haven’t “fixed” it in 4 years, I suspect they never will…
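The fix the post asks for, IDs that are not linear, comes down to drawing each identifier from a space far too large to walk. The following is an added example written for this post, not Gliffy's code or any statement of how Gliffy generates IDs; it contrasts the counter scheme described above with 128-bit random tokens from the operating system's CSPRNG, and puts numbers on the difference using the post's own scan figures. The 10 million live-document figure used for the random case is an assumption chosen only to make the comparison concrete.

```python
import secrets


def next_sequential_id(previous_id: int) -> int:
    """The scheme the post describes: each new diagram gets the previous ID plus one.
    Every ID in the range is therefore a valid guess, and many of them resolve."""
    return previous_id + 1


def new_random_id(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, encoded as URL-safe base64 without padding
    (22 characters). Uniqueness is enforced on insert, not by the counter."""
    return secrets.token_urlsafe(nbytes)


def observed_guesses_per_hit(ids_scanned: int, documents_found: int) -> float:
    """Average guesses per public diagram measured empirically, e.g. from the scan in the post."""
    return ids_scanned / documents_found


def expected_guesses_per_hit(live_documents: int, id_bits: int) -> float:
    """Average number of uniformly random guesses needed to land on any existing document
    when IDs are drawn from a space of 2**id_bits values and `live_documents` of them exist."""
    return 2 ** id_bits / live_documents


if __name__ == "__main__":
    # Sequential scheme, using the post's figures: 3,252 diagrams from 26,000 IDs.
    print("sequential: next after 8000100 ->", next_sequential_id(8000100))
    print("sequential: guesses per public diagram ->",
          round(observed_guesses_per_hit(26_000, 3_252), 1))

    # Random scheme, assuming (for illustration) 10 million live diagrams.
    print("random: example ID ->", new_random_id())
    print("random: guesses per hit ->", f"{expected_guesses_per_hit(10_000_000, 128):.3e}")
```

Run as a script, the sequential figure comes out at roughly 8 guesses per public diagram, while the random scheme needs on the order of 10^31 guesses per hit even with ten million live documents, which is what makes the 401/404 oracle in the post useless. Note that random IDs only protect documents whose owners never share the link; a leaked URL is still a leaked URL, so the post's first piece of advice about the free tier stands regardless.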