If it’s using the same technique then it’s a non-issue for me.
I would be interested in how the individual found their own passport if URLs are truly obfuscated in the same way as receipts.
Assume they have traced all network calls from their phone?
I think it was in a support chat.
Support gave them the URL?
I thought I read that it was in a support chat. Might be mixing things up.
That’s the tweet I saw.
Hmm. Wasn’t aware of their support tool. Will see if I can find it.
That’s going really badly for them at the moment. They have been given multiple opportunities to fix it and haven’t.
The response by the ‘higher up’ staff member was pathetic, failed to ignore the concern and effectively brushed him off, they’re paying for that in the comments section.
What is there to fix?
From what I can tell it was a token link they sent him via support, and the only way someone else could view it was if he was to share the link.
I thought we were living in America then (sorry US folk). I can see the headline now…
“Man accuses bank of data breach, after sharing his completely secure, personalised URL on the internet”…
Joking aside, I can understand the potential alarm if you see your data on the internet behind what would appear to be a public facing URL - But boy, someone wanted to make a big deal out of nothing it would appear.
I don’t know enough about the security aspect behind banks “in the cloud” - Someone said it was likely to do with their use of AWS?
Does Monzo have the same security?
How I expect this to work is that they’re using signed URLs where the URL itself is the authentication key.
In this case this is fine - the URL (the secret in this case) is returned by the Starling API only to authenticated users so no unauthorised access is possible.
There is the issue of the URL being leaked but given that it’s not even supposed to be user-facing I’m not sure how it can leak under normal conditions.
If so, then they might want to look a bit deeper, as AWS gives you a lot of control on how the file is accessed.
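The scheme described above (a capability URL whose signature is the credential, minted only for an authenticated caller and bound to an expiry) can be sketched in a few lines. This is an added illustration, not Starling’s, Monzo’s or AWS’s code; the signing key, host and receipt path are constructed placeholders.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo secret. In production this lives server-side (KMS/HSM),
# never in the URL; the URL carries only the signature derived from it.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
BASE_URL = "https://files.example.invalid"  # placeholder host, not a bank's


def _string_to_sign(path: str, expires: int) -> bytes:
    # Signature covers both the object path and the expiry, so editing
    # either one in a leaked link invalidates it.
    return f"{path}\n{expires}".encode()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a capability URL: whoever holds it can fetch `path` until it expires.
    A short TTL is the main control if the link is shared or leaked."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _string_to_sign(path, expires), hashlib.sha256).hexdigest()
    return f"{BASE_URL}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None) -> str:
    """Return 'ok', 'bad-signature' or 'expired'.
    Signature is checked before expiry so a tampered expiry is rejected outright."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return "bad-signature"
    expected = hmac.new(SIGNING_KEY, _string_to_sign(parsed.path, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return "bad-signature"
    if now >= expires:
        return "expired"
    return "ok"
```

Note that a valid link is a bearer credential until `expires`: the check tells you nothing about who is presenting it, which is why the minting step must sit behind the authenticated API and the TTL should be short.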
So… given my immense understanding of the situation and technology (which amounts to the same understanding I have of Swahili), I take it that you both have the same technology/security here?
Pretty much (from the cursory glance I have given the LinkedIn post). You can read @daniel’s explanation of why/how this is secure above.
If only someone had linked that earlier…
How long is the Starling URL?