BIM360 security hole
So it turns out that if you download a file from BIM360 (any file, PDFs, IFCs, Revit files) the download link it generates is publicly accessible and doesn't require any authentication. Here's an example:
UUID collision is obviously very low, but just a heads up don't share these links since the public can access them. It's pretty unlikely but probably worth mentioning. I don't know if these links expire either, so we'll find out.
Comments
Not found now
{"reason":"Signed Resource not found"}Yes, it seems to have an expiry period, which makes sense :)
Timeout is just 1 hour, and it generates a different UUID for the same file for a new download, even when the old url is still available
@infeeeee yes that matches my observation too.