On top of being laid off or furloughed, hordes of people have had to figure out how to send a fax while on lockdown. According to Google Trends, in the last month, online searches for versions of “how to send a fax online” have skyrocketed as people turn to an untested ecosystem of online services to digitally submit the paperwork that their state’s unemployment office requires. Yet Gizmodo has found that data supposedly safeguarded by several of these online fax services is often irresponsibly stored and can be viewed by anyone who knows where to look.
Gizmodo identified three separate commercial cloud storage servers containing, in total, hundreds of thousands of faxes from various online services, exposing a vast array of private information. The documents included insurance claims— invoices, government forms, family photos, checks, prescription information, bank account details, and Social Security numbers—were all available for the public to download for years.
While most states allow individuals to file for unemployment benefits online, it appears that nationwide there are a variety of situations where unemployment offices require individuals to fax in their documentation. For instance, in South Dakota, Idaho, and Alabama, an individual trying to appeal a rejected unemployment claim must mail or fax in paperwork. Or if you are a worker residing in California who has earned income in another state, you would need to fax your unemployment office documentation. Online fax services are among the many free or cheap services littering the internet that people might not use in non-pandemic times. The presence of improperly secured data from these faxing services adds yet another concern to these supremely stressful days.
The documents Gizmodo uncovered were all stored in unsecured Amazon S3 buckets. As the name implies, Amazon’s Simple Storage Service (S3) is a file storage service that offers companies or individuals a virtual space, or bucket, to store their data. By default, Amazon keeps buckets private. Yet, time after time, businesses globally have been caught with their pants down after having left millions of their customers’ personal data exposed to anyone who took the time to dig for it.
A ‘Lazy’ Mistake
The pseudonymous security researcher behind the S3 bucket scanning service grayhatwarfare.com attributes this to “lazy” developers. He told Gizmodo over email that developers decide to make buckets public as an easy trick while building and testing a service. (S3 buckets are private by default.) “Many things are forgotten like this when they go live,” he said, attributing some of this negligence to hubris and what he called an “it-won’t-happen-to-me attitude.”
One bucket belonging to a German company contains more than 500,000 faxes, each watermarked with a “FAX-ID” and the company’s logo. According to metadata associated with each file in the S3 bucket, the earliest fax to be stored in the bucket was from 2013, indicating that this problem has persisted for around seven years. After Gizmodo reached out to the company, it appears they made a portion of the faxes private. However, because tens of thousands remain public at the time of publication, we have chosen to withhold publishing the name of the company. The company has not responded to multiple requests for comment.
In a similar instance, Gizmodo found a collection of 70,000 faxes that appears to belong to another online faxing service. While there are several companies that, due to the ambiguity of the bucket’s name, could possibly be its owner, Gizmodo was unable to definitively conclude which company was the culprit. In an email, a company that shares the same name as the bucket told Gizmodo denied any connection to the bucket. The bucket is currently still public.
That hundreds of thousands of sensitive faxes, many of which contain personally identifiable information, remain visible on the internet in spite of our best attempts to reach their owners is indicative of a deeper issue for users who, in a rush to send a fax, may simply use the cheapest and easiest solution available. The issue is that these kinds of services are often a small part of a company’s overall business, which explains why security issues can go unnoticed for years.
The internet is full of side-hustles that entrepreneurial developers quickly cobble together and publish for anyone with an internet connection to use—online fax services are no different. When we identified another unprotected S3 bucket that included a fax where a user’s Social Security number was visible, the developer of the project told Gizmodo, “We have sent a grand total of 1 paid fax with this side project since launching, so was not actively auditing.” The service in question, called FaxOnline.app, which sends a fax for $US5 ($8), has since locked down their S3 bucket and said the issue was a bug in a process that routinely deletes faxes from their server.
Just Hard to Find
Services come and go, and there’s often no clarity or accountability about what happens to that data when the developers vanish. So how do you safely send a fax in 2020 without access to a fax machine? We tested the two top faxing apps on the Google Play store to figure out if there was anything obvious to be concerned about. In doing so, we found an interesting wrinkle in one of the best practices for securing private data online.
EasyFax is the first application returned from a search for “fax” on the app store. While their short privacy policy claims that faxes are deleted after sending, upon attempting to send a test fax through the app, Gizmodo identified a public URL wherein it would be possible for anyone to see our fax if they knew or guessed the URL—a sequence of alphanumeric characters followed by a timestamp. As of now, the test fax (a screenshot of an Instagram post) remains visible at this public url, and the company has yet to respond to our questions.
The second app, succinctly called Fax App, apparently has a similar issue: Previews of our faxes were publicly visible through any web browser (in this case, for up to 72 hours ). However, when we asked Alexey Bogdanov, the founder of Fax App, about this practice, he assured us that this is perfectly normal. He told Gizmodo over email that the public URL containing our fax is actually “private and secure” because only the device that created the fax would ever have access to it.
Indeed, this may be the case for many services where we assume that our private photos are in fact private as opposed to simply being difficult to find. For instance, Gizmodo found that photos sent through a direct message on Instagram on private accounts are also publicly visible if you know the URL—here is a photo of my dog that I sent to a friend over DM.
Security experts Bryan Halfpap and Adriel Desautels of the penetration testing company Netragard told Gizmodo that although these pictures may seem public, this type of behaviour—a technical procedure called URL signing—is widely considered to be as good as private. “It’s like sharing by link with Google Docs or Office 365,” Halfpap told Gizmodo over Signal. “If someone were to guess the URL they could see it, but it’s not technically feasible to do so because it’s too long.”
When we asked the experts at Netragard about how people should safely choose an online faxing service, Desaultels tells us that consumers need to approach every online service with a healthy degree of scepticism. “One of the biggest mistakes that people make is that everyone assumes that companies are doing what is required to protect customer data, he said, adding: “End users of these online services should not just assume that they are secure, but should demand evidence that they are secure.”
Unfortunately, he said, right now it’s up to consumers to do this legwork.