Meraki

Community

Floorplan can be visible (before you place the devices) if you know the URL.

Solved
Stoutski1
Here to help
‎Jun 27 2021 1:59 PM
‎Jun 27 2021 1:59 PM

Floorplan can be visible (before you place the devices) if you know the URL.

Hi Community,

 

I found out that when you are uploading a Floorplan and while placing it on the map and you move the floorplan to the addressbar in the browser you get the url of the floorplan.

But this is a public location.

For example I have upload this picture  https://meraki-eu-central-1.s3.eu-central-1.amazonaws.com/assets/605941_d5d20b2344a71a96e5e0849b93ab... 

 

I think this is a security risk because, for example, you can also state the position of the cameras on the floor plan.
before placing them on the dashboard.

 

And I also think you also think that the floorplan is behind a secure page.
 
It is difficult to guess the URL, but it is not convenient for meraki to make it public.
 
should meraki do something about this?
 
Regads,
 
Stefan
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 27 2021 5:58 PM
‎Jun 27 2021 5:58 PM

The filename part of the URL appears to be 40 characters long.  More than likely, that is longer than your password (so stronger than the password you log in with).  That's equivalent to a 320-bit key.  Generally, keys over 256 are considered good.  The key is exchanged over an encrypted tunnel.

 

I think it is ok.

 

If you are keen you could file a bug in the bug bounty program which can earn rewards ...

https://bugcrowd.com/ciscomeraki 

View solution in original post

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 27 2021 5:58 PM
‎Jun 27 2021 5:58 PM

The filename part of the URL appears to be 40 characters long.  More than likely, that is longer than your password (so stronger than the password you log in with).  That's equivalent to a 320-bit key.  Generally, keys over 256 are considered good.  The key is exchanged over an encrypted tunnel.

 

I think it is ok.

 

If you are keen you could file a bug in the bug bounty program which can earn rewards ...

https://bugcrowd.com/ciscomeraki 

In response to PhilipDAth
Stoutski1
Here to help
‎Jun 29 2021 1:41 PM
‎Jun 29 2021 1:41 PM

It is is not a bug or vurnability so bugcrowd won't do nothing about this. 

But your right that it is save enough but it is more that you can upload private floorplans that are reachble from the internet without a login.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.