Excuse me, your clouds are leaking
I recently started playing around with Gliffy, a nice online diagramming tool that has become quite popular. Gliffy makes sharing your diagrams with the world easy. Unfortunately, many Gliffy users do not realize that they are sharing their diagrams with the entire world. Some quick Google searches revealed a number of entertaining diagrams.
The data ranges from the boring to the concerning. I held back a few that I felt it would be irresponsible to disclose. At any rate, this highlights the dangers of using “cloud services” without educating employees about the risks involved. Also, some of this is just plain laziness from people who probably know better.
After assuring Google about a dozen times that I was indeed a human, here are the highlights:
- A GitHub Migration Map — Author Unknown
- “esecurity” flow chart
- An org chart with salary information
- The “melvyn” flow chart
- A single sign on app flow
- I don’t even know
- qwest.com current architecture solution
- Lubricant Supply Chain
- “Confidential” Application Design Docs
- Another Org Chart
- A Networking Diagram with Passwords
- UI Mockups
- MyBook General Photo Album Confidential API
- A Really Detailed Internal Business Process
- Marketing Plan With $ Figures
- Some Sort of Business Plan
- Music Studio SEO Strategy
- Facebook Ad Campaign Results
- Fax Numbers in a Payroll Process
- Payroll Email Process – Info Disclose
- Another Org Chart
- Another Internal Network Diagram
- ATM Vendor Proprietary Information
- DoD Stuff
- More DoD Stuff
- Even More DoD Stuff (I hope this stuff isn’t classified)
- Another Internal/External Network Diagram
- Hot Sexy Text Chat Mockup
- Zombie Attack Flow Chart
Also, SOPA and PIPA are bad. Please let your representatives know. See: reddit.com for a nice write-up.
@bitexploder, @sorcerer13 and @rossja


3 Comments
Hi Insight-folks,
Thanks for posting this. We at Gliffy couldn’t agree more. We have warnings up on our site when someone performs actions that would cause them to share data to the public. Obviously, these have not been sufficient, so we’re going back to the drawing board a little, to improve these notifications. We’d love to hear from you or your readers on how to better keep our users informed of the current status of their data and the implications of their choices, without getting too much in their way.
That being said, it is all of our own responsibilities, particularly when using Cloud apps, to ensure the protection of our data. Thanks for the piece.
Keith Rockhold
Gliffy, Inc.
What were your search terms?
Did you add them to http://www.exploit-db.com/google-dorks/ ?
@Gliffy — while the IG point of view is that people should have known better, there is merit in trying to limit the ways people can screw themselves. I don’t know if Gliffy has done a self-assessment of “how might people misuse, abuse, illicitly adapt our offering?” I’m betting if your security engineers and abuse team sat down and brainstormed, they would have drawn the conclusion that a numeric URL scheme without randomization will not end well. That is the kind of thing that could have been identified in a threat model.
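The last comment makes two design points worth seeing in code: a public diagram should require an explicit opt-in, and the share link should not be a sequential number that anyone (including a search-engine crawler) can walk. The following is an added example written for this page, not Gliffy's code; the `ShareService` class, its method names, and the URL shapes in the comments are hypothetical. It shows a private-by-default diagram store, a confirmation gate on publishing, and the weak numeric lookup side by side with a hardened capability-token lookup whose token is stored only as a hash.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Diagram:
    diagram_id: int                 # internal, sequential, never exposed as the share handle
    title: str
    public: bool = False            # new diagrams are private until the owner opts in
    token_hash: str | None = None   # sha256 of the share token; the token itself is never stored


class ShareService:
    """Hypothetical diagram-sharing backend (constructed example, not Gliffy's code)."""

    TOKEN_BYTES = 32  # 256 bits of entropy per share link

    def __init__(self) -> None:
        self._by_id: dict[int, Diagram] = {}
        self._by_hash: dict[str, int] = {}
        self._next_id = 1

    def create(self, title: str) -> int:
        d = Diagram(self._next_id, title)
        self._by_id[d.diagram_id] = d
        self._next_id += 1
        return d.diagram_id

    def publish(self, diagram_id: int, *, confirmed: bool) -> str:
        """Make a diagram public. The caller passes the user's explicit
        acknowledgement of the sharing warning; without it nothing is exposed."""
        if not confirmed:
            raise PermissionError("public sharing requires explicit confirmation")
        d = self._by_id[diagram_id]
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        d.public = True
        d.token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[d.token_hash] = diagram_id
        return token  # shown to the owner once; a database leak yields only hashes

    def unpublish(self, diagram_id: int) -> None:
        """Revoke sharing: the old link stops working immediately."""
        d = self._by_id[diagram_id]
        if d.token_hash:
            self._by_hash.pop(d.token_hash, None)
        d.public = False
        d.token_hash = None

    # Weak scheme (hypothetical /diagram/<n>): the handle is a small integer,
    # so every public diagram is reachable by anyone counting upward, whether
    # or not the owner ever handed out a link. This is what the comment warns about.
    def resolve_numeric(self, diagram_id: int) -> Diagram | None:
        d = self._by_id.get(diagram_id)
        return d if d is not None and d.public else None

    # Hardened scheme (hypothetical /d/<token>): the link itself is the capability.
    # There is no enumerable handle, and revocation makes an old link dead.
    def resolve_token(self, token: str) -> Diagram | None:
        h = hashlib.sha256(token.encode()).hexdigest()
        diagram_id = self._by_hash.get(h)
        if diagram_id is None:
            return None
        d = self._by_id[diagram_id]
        return d if d.public else None

    @classmethod
    def token_entropy_bits(cls) -> int:
        return cls.TOKEN_BYTES * 8


if __name__ == "__main__":
    svc = ShareService()
    org_chart = svc.create("Org chart with salaries")  # constructed sample
    print("private by default:", svc.resolve_numeric(org_chart) is None)
    link = svc.publish(org_chart, confirmed=True)
    print("numeric handle leaks it:", svc.resolve_numeric(org_chart) is not None)
    print("token resolves it:", svc.resolve_token(link) is not None)
    svc.unpublish(org_chart)
    print("revoked link is dead:", svc.resolve_token(link) is None)
```

The design choice to note is that both lookups exist in the same class only to make the contrast visible; a real deployment would expose the token route and never the numeric one, and would pair it with a `noindex` policy so that legitimately shared diagrams are not harvested by search engines either.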