by giancarlostoro 1154 days ago
> I'm curious how there was a security hole when a client opted out of requiring auth? If the client wants them publicly available then there was no security hole.

It's possible they wanted the link to be easier to share with very specific people, but not necessarily be something found on Bing.


Because the user expectation is that a browser won't leak their private URLs to a search engine?

https://www.example.com/id/0ca6ade6b2bb1eea371d0b029f552cee/... may be "public" in the sense that it is accessible if you know the URL.

Aren't cases like this where the saying "security through obscurity is no security at all" came from?

Not really, no. That came about more from people claiming to have good security, but not disclosing their security practices and many of them turning out to be rather insecure.

Many products (Google Docs, YouTube, Office 365, Dropbox, etc.) allow sharing things via unguessable URLs; it's a standard practice that was safe, until browsers and browser extensions decided it was okay to send private URLs to other parties.

I would not be surprised if the EU steps in at some point and fines them heavily for it.

I don't think people understand what "public" on the internet means.

If the specific people can get to it without auth, so does everyone else.

There are a large number of services (Dropbox, YouTube, Google Docs, Office 365, etc.) that use unguessable URLs for sharing and hence clearly don't share your idea of what it means to be "public" on the internet.

"Unguessable" presumes "not leaked in the course of typical access", which seems to be an increasingly invalid assumption.
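The thread turns on two separate properties of a share link: whether the token is unguessable by enumeration, and whether it stays unleaked during ordinary use. The following is an added example (not code from the thread or from any of the services named in it) that makes both concrete from the defender's side: it generates 128-bit tokens from the OS CSPRNG, estimates blind-guess success for a random token versus a short sequential id, stores only a hash of the token so a database leak does not expose live links, and returns the response headers a server can set to close the leakage channels it actually controls (search indexing, Referer, shared caches). The link format `https://files.example.invalid/s/<token>` and the `store` dictionary are assumptions for the example; browser and extension telemetry, the channel the thread complains about, is outside the server's control and is not something headers can fix.

```python
"""Added example, not from the thread: capability (unguessable-URL) share links
done carefully on the server side. Assumed link format (not from the thread):
https://files.example.invalid/s/<token>
"""
import hashlib
import secrets

TOKEN_BYTES = 16  # 128 bits of CSPRNG output per token


def new_share_token() -> str:
    """Return a fresh, URL-safe token; 16 bytes encode to 22 base64url characters."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def blind_guess_success_probability(guesses: int, live_links: int, bits: int) -> float:
    """Upper bound on the chance that `guesses` random probes hit any of
    `live_links` valid tokens drawn from a `bits`-bit space (union bound).
    A sequential 6-digit id has roughly 20 bits; a random token has 128."""
    return min(1.0, guesses * live_links / 2 ** bits)


def _digest(token: str) -> str:
    # Tokens are bearer secrets: keep only a hash at rest, like a password,
    # so a leaked table does not hand out working links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def register_share(store: dict, path: str) -> str:
    """Create a share for `path`; `store` is an assumed in-memory stand-in
    for the real mapping of token digests to resources. Returns the token
    the owner hands out (the only time it exists in clear)."""
    token = new_share_token()
    store[_digest(token)] = path
    return token


def lookup_share(store: dict, token: str):
    """Resolve a presented token to its resource, or None for an unknown token.
    Hashing before lookup means the comparison is on fixed-length digests and
    the clear token is never written anywhere."""
    return store.get(_digest(token))


def share_response_headers() -> dict:
    """Headers for a share-link response that narrow the leakage channels the
    server controls. They do nothing about a browser or extension that reports
    every visited URL upstream, which is the gap the thread is about."""
    return {
        "Referrer-Policy": "no-referrer",        # tokenised URL is not sent as Referer
        "X-Robots-Tag": "noindex, nofollow",     # crawlers that do find it should not index it
        "Cache-Control": "private, no-store",    # keep it out of shared caches
    }


if __name__ == "__main__":
    store = {}
    tok = register_share(store, "/docs/report.pdf")
    print("share link:", f"https://files.example.invalid/s/{tok}")
    print("resolves to:", lookup_share(store, tok))
    print("P(hit) 1e12 guesses vs 1e9 random 128-bit links:",
          blind_guess_success_probability(10**12, 10**9, 128))
    print("P(hit) 1e6 guesses vs 1000 six-digit ids:",
          blind_guess_success_probability(10**6, 1000, 20))
```

The probability function is the part worth internalising: with 128-bit tokens, even a trillion probes against a billion live links has a negligible chance of landing on one, so the token itself is not the weak point; the sequential-id case saturates to 1.0 immediately, which is why "public in the sense that it is accessible if you know the URL" only means anything when the URL carries real entropy and is not handed to third parties along the way.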