SAR Topo map security

thomaschristian

07 Jan, 2020 06:05 AM

As part of a review into SAR mapping options I'm taking a critical eye to all aspects of SAR Topo, as well as other tools, and I'm particularly interested in security & privacy. SAR operations can sometimes contain very sensitive information and attract a lot of public attention.

I was recently involved in a Mutual Aid search where a neighbouring SAR group requested our assistance. The requesting SAR group uses SAR Topo and sent us a link to their incident planning map. I do not have a SAR Topo / Cal Topo account, and the map was not shared specifically with my email address. I was simply given a link via copy/paste.

I had no trouble opening the map (read-only), and I see that the map's unique URL identifier is four alphanumeric characters. Assuming each of these four characters can be 0-9 A-Z that gives 36^4 possible permutations, or 1,679,616. That's not very many, and it would be relatively simple to iterate over them all, issue an HTTP request, and retain those that return a 200 response.

Is this an unusual situation, where the incident planning map had not been properly secured, or can anyone get read-only access to SAR Topo maps if they stumble across the correct URL? Also are there any DoS controls within SAR Topo to prevent someone from iterating all possible permutations within a relatively short period of time?

  1. Posted by Ben Lantow (Support Staff) on 07 Jan, 2020 01:31 PM

    Howdy,
    The team sharing the link with you has options on their end of how to secure the link including password protection, completely private (not shared outside team) and secret link (use a link to go to it, 4 letter code doesn't navigate to it). Just having a link can be enough to view a map if set up that way, but other times you need more than that. We're re-writing our privacy policy right now, but the data is secure, and it is not that easy to find/view a map unless the team sets it up that way.

    As for DoS controls I'm not going to directly comment too much on SARTopo security but we don't confirm existence of maps that are secured to standard queries. There's a lot more going on in the background here than you immediately realize as an end user.

    Best,
    Ben
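The behaviour Ben describes, modelled as a small access check: the sharing modes (team-only, password, secret link that the 4-letter code does not reach), the rule that a secured map answers a plain lookup exactly like a code that does not exist, and a per-client throttle on repeated lookups. This is an added example, not SARTopo's code; the map codes, addresses, passphrase and token are constructed, and treating a password-protected map as "not found" when no credential is sent is an assumption about the product.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import hmac

@dataclass
class MapRecord:
    mode: str            # "public", "private", "password" or "secret"
    team: str
    password: str = ""   # used only when mode == "password"
    token: str = ""      # long random secret-link token, mode == "secret"

# Constructed sample maps, one per sharing mode named in the reply above.
MAPS = {
    "AB12": MapRecord("public", "alpha"),
    "CD34": MapRecord("private", "alpha"),
    "EF56": MapRecord("password", "bravo", password="sample-passphrase"),
    "GH78": MapRecord("secret", "bravo", token="x3v9q2m8k1p7w5n4r6t0"),
}
NOT_FOUND = (404, "no such map")

def resolve(code, team=None, password=None):
    """Lookup by 4-character code. A secured map the caller cannot open
    returns exactly NOT_FOUND, the same answer as an unused code, so a
    plain lookup cannot distinguish secured maps from empty slots."""
    rec = MAPS.get(code)
    if rec is None or rec.mode == "secret":   # secret-link maps ignore their code
        return NOT_FOUND
    ok = (rec.mode == "public"
          or (rec.mode == "private" and team == rec.team)
          or (rec.mode == "password" and password is not None
              and hmac.compare_digest(password, rec.password)))
    return (200, f"map {code}") if ok else NOT_FOUND

def resolve_secret_link(token):
    """Secret-link maps are reachable only through their long token."""
    for code, rec in MAPS.items():
        if rec.mode == "secret" and hmac.compare_digest(token, rec.token):
            return (200, f"map {code}")
    return NOT_FOUND

class RateLimiter:
    """Sliding-window cap on lookups per client address, so that sweeping
    the 36**4 code space from one address is throttled, not served."""
    def __init__(self, limit, window_s):
        self.limit, self.window, self.seen = limit, window_s, defaultdict(deque)
    def allow(self, client, now):
        q = self.seen[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def serve(requests, limiter):
    """requests: (time_s, client_ip, code) tuples; returns HTTP statuses."""
    return [429 if not limiter.allow(ip, t) else resolve(code)[0]
            for t, ip, code in requests]
```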

  2. Posted by thomaschristian on 08 Jan, 2020 04:51 PM

    OK great, thanks for the explanation.

    Is it possible to configure defaults for map sharing, so that a user would have to explicitly disable password protection to share the link in this way?

  3. Posted by Ben Lantow (Support Staff) on 08 Jan, 2020 06:38 PM

    Not at this time. However only managers/admin have rights to change access permissions on the map.

  4. Ben Lantow closed this discussion on 08 Jan, 2020 06:38 PM.