PDF files link security issues & how to share PDF links securely
Learn the best practices for secure sharing of PDF links, why cloud storage security isn’t sufficient for sensitive or confidential documents, and how to share PDF links securely.
To most enterprise users, sharing a PDF via link just makes sense. Links are a quick and easy way to share information that is stored on a server, whether locally or in the cloud. Security doesn’t seem to be an issue either, with various PDF link sharing services promising protection from unauthorized access, prevention of downloads, and expiring links.
As you will have gathered by the title of this blog post, however, there are some serious risks associated with this practice that you should keep in mind.
How do you share a PDF as a link?
Before you can understand the risks associated with PDF link sharing, you need to understand roughly how it works. There are several different ways to share a PDF as a link, but the most common is by uploading the file to a cloud storage service and then sending the link to the file to others.
To give you an idea of the process, here’s how to share a PDF link via OneDrive:
- Upload your PDF document to the service.
- Press the share icon next to its name.
- Press “Copy” next to the “Copy link” heading.
- Paste the link into a message/email.
Users you share the PDF link with will then be able to view and download the PDF document just like they would if you sent it as an attachment. Though we use OneDrive as an example here, it works almost identically when sharing Google Docs or files from Dropbox, WeTransfer, Box, etc.
PDF link sharing and security issues
You may be thinking that there’s nothing particularly egregious about the process above from a security perspective. And if you’re just sending non-sensitive documents to friends and family, you may well be right.
However, documents that could cause damage if they fell into the wrong hands often flow through an enterprise. This could be something seemingly innocuous like an early product roadmap, but it may also include board minutes, financial reports, customer records, etc. In such cases, it’s not a good idea to share a PDF link without additional protection. There are many reasons for this:
7 reasons why sharing a PDF as a link is not safe
- The recipients you send the link to could intentionally or accidentally share the link with others. There is usually no logging of who has accessed each link.
- Users who have left your company often still have access to your PDF document, as most services don’t expire links.
- The cloud service you upload the unprotected PDF to could be hacked and your document extracted.
- If the link doesn’t use a long and randomized identifier, an attacker can guess or brute force the link. This is a particular issue with services like Box, which let users customize their URL, or if you are hosting the file on your own website.
- Providers or website admins may misconfigure their robots.txt, allowing PDF links to be discoverable on Google.
- Once somebody has the link, they can download the unprotected file and share it that way. They can also print or edit PDF files that have been saved locally.
- Links are not safe. The number one way users are tricked into divulging sensitive information is via link phishing attacks. Once a user clicks on the link, they are directed to the malicious phishing page. This can be designed to steal a user’s credentials or other sensitive information under the guise of updating a password or verifying a user’s identity. Alternatively, the site may provide software for the user to download and execute (otherwise they are told they can’t download the file) that is actually malware.
PDF link sharing, then, is essentially security through obscurity (STO) – you’re betting that those who shouldn’t have access to a document won’t discover the link. But most in the infosec community agree that STO should only be used as a security layer, not a primary method. As you can see from above, there are simply far too many ways that obscurity can be broken to call this secure. And the malicious link issue is definitely one to take seriously.
Improving PDF link security
There’s good news and bad news when it comes to PDF link sharing security:
- The good: Though PDF link sharing offers poor security in its base form, it can be built on.
- The bad: The additional security offered by most cloud storage providers or PDF link generator sites isn’t very effective.
Let’s take a look at the five main ways people add extra security to PDF links.
1. Link expiry or expiring PDF links
One way providers try to limit the sharing of links with unauthorized parties is through expiring or self-destructing links. The idea is that when you share a PDF via link, that link will expire either after a certain date or after a number of opens. This theoretically makes it harder for recipients to maintain access after their employment has ended or to share the link with others.
A link that expires after its first use may help to prevent recipients from accidentally leaking PDF document links, but any intentional leaker will download the file instead. Employees that have left a company are also likely to have already downloaded files that have expiring links, as they usually need to do this to work on them properly. So expiring links are pretty useless – the PDF document does not expire, just the link to access it, and once downloaded it can be given away.
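The behaviour described above, as an added example that is not part of the original article or any provider's code: a toy link service whose links expire by time or by number of opens, showing that expiry removes the link but not the copy a recipient already holds. The class, its method names and the sample document are assumptions made for illustration.

```python
import secrets
import time


class ExpiringLinkStore:
    """Toy share-link service: a link dies after a deadline or a number of opens."""

    def __init__(self):
        self._links = {}  # token -> [document bytes, expires_at, opens_left]

    def create_link(self, document, ttl_seconds, max_opens):
        # 32 bytes from the OS CSPRNG, so the identifier cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._links[token] = [document, time.time() + ttl_seconds, max_opens]
        return token

    def open_link(self, token, now=None):
        """Return the document bytes, or None if the link is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._links.get(token)
        if entry is None or now >= entry[1] or entry[2] <= 0:
            self._links.pop(token, None)  # expired links are removed
            return None
        entry[2] -= 1
        return entry[0]


def demo():
    store = ExpiringLinkStore()
    pdf = b"%PDF-1.7 constructed sample: board minutes"
    token = store.create_link(pdf, ttl_seconds=3600, max_opens=1)
    saved_copy = store.open_link(token)   # recipient opens once and keeps the bytes
    second_try = store.open_link(token)   # the link has now self-destructed
    return {
        "link_dead": second_try is None,
        "copy_still_readable": saved_copy == pdf,  # expiry never reached the file
        "token_chars": len(token),
    }


if __name__ == "__main__":
    print(demo())
```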
2. PDF password protection
Secure PDF link services such as Flipsnack, Sizle, etc. add an additional layer of security to PDF links by allowing the sharer to add a password or PIN that must be entered before access is granted. Password protected link sharing provides some protection against accidental link discovery or sharing (the attacker must find out the password as well as the link), but not as much as you might think. A password with 7 characters consisting of numbers, lowercase and capital letters, and symbols will take a powerful data center machine just 6 minutes to crack. That is, of course, assuming that it’s completely random and does not include any words in the dictionary (which is usually not the case).
As for intentional sharing – well, passwords are useless. The link recipient can just share it along with the link. And then there’s the issue of management. You need to find a way to securely communicate the passwords to recipients, provide support for them should they forget that password, make sure they store passwords securely and that they’re changed when somebody leaves the organization. And still none of this stops users from downloading the PDF document and storing it locally.
Another option is using Adobe Acrobat to add a PDF password before uploading the file. But Adobe PDF passwords can be guessed or shared like any other (or just simply removed) and you have no way to change them after the PDF has been distributed. And if you were thinking PDF permissions or restrictions might provide some additional protection then think again – they can be instantly removed using free online tools.
It is also worth considering the practices you are normalizing by adopting PDF link and PDF password sharing. You are making clicking links to documents in emails a day-to-day activity which threat actors readily exploit. For example, to circumvent email filters, Russia’s Star Blizzard hacking group uses links to password-protected PDFs hosted on cloud-based file-sharing platforms. These malicious PDFs execute malicious code to enable phishing attacks and other hacking activity.
3. Limiting access to verified accounts
Google Drive, OneDrive, and other cloud storage services usually offer the option to make the link work only for the user accounts you specify. This is an improvement, but it requires that the recipient has an account with that service and that the account is secure. Additionally, any user that wants to share a document can still download it or share their account login with somebody else. It’s not much better than password sharing. To give you an idea about Google Drive security, see Is Google Drive Secure?
4. Preventing PDF downloads
A major flaw with all of the link security mechanisms mentioned so far is that there’s nothing to stop authorized users from sharing a PDF with others who are not authorized.
One way to stop this is to prevent download of the PDF and instead display it in a browser. Some secure file sharing providers have therefore implemented additional browser-based document controls to stop downloading, printing, editing, or copying and pasting. These are used in combination with passwords, 2FA and other user account restrictions to restrict PDF access.
5. PDF DRM
PDF DRM takes a different approach to the solutions mentioned already. The sender protects the original PDF file before they upload it to a cloud service, encrypting it so that it can only be opened in a dedicated app. A strong solution would also pair this with a licensing system that ensures PDFs can only be opened on devices that have been previously authorized.
Provided the solution is well-implemented, PDF DRM offers strong security that can effectively prevent intentional and unintentional sharing, as well as editing, copying, printing, and screenshots.
How to share a PDF as a link securely
Locklizard Safeguard uses a combination of encryption, secure and transparent key transfer, and a secure viewer application to ensure that PDF files can be shared securely. They are locked to authorized devices (and locations if required), and are protected against unauthorized opening, editing, printing, copying, screenshots, and sharing.
Here’s how to share a secured PDF:
- Right-click on a PDF file on your computer and press “Make Secure PDF”, then choose the DRM controls you want to enforce in Safeguard Writer. Optionally, add a dynamic watermark that will display the user’s name. This will deter them from taking pictures of the screen with a secondary device.
- When you press “Publish”, your secured PDF is saved to your disk as an encrypted file, and a document record is created on the Admin System.
- You create a user account for each user you want to view your secured PDF by pressing “Add” in the “Customers” tab of your admin system. An email is automatically sent to the user with a link to the Viewer and their license file.
- Once the Viewer is installed and the license file activated (clicked-on) it is locked to that device and cannot be used elsewhere (unless you allow this).
- You control from the Admin System which secured PDF each user can access.
- You distribute your DRM-protected PDF file just like any other file – by uploading it to a cloud service or website. It does not matter where you host it or if the link is public, as only authorized users with a valid license file will be able to view it.
- Alternatively, you can press “Protect to WEB..” after the PDF has been protected. You can then send users a link to the protected PDF so they can view the document in the Locklizard Web viewer using their browser.
Your protected PDF can only be opened by someone who has been authorized to view it. Depending on your DRM controls, it also cannot be printed, edited, copied, or screen grabbed. Sharing is always prevented since the recipient must be authorized to view the PDF – if they are sent a link to a protected PDF but aren’t authorized to view it, then it will not open. You can also automatically expire PDFs based on their age, number of opens or prints, and instantly revoke access. This is useful if an employee leaves the company or switches roles.
The best way to securely share a PDF via link
Locklizard Safeguard offers vastly improved security for PDF links and secure PDF sharing when compared to other solutions on the market.
You can protect your PDF before upload (so it is always secure) and you gain the ability to share links to PDF files without worrying that the PDF documents at the end of them can be viewed by unauthorized recipients. You also gain the capability to prevent editing and printing, lock documents to specific devices, locations and IP addresses, add dynamic watermarks to identify users, expire documents, instantly revoke access, and more.
How do I turn a PDF into a link?
To turn a PDF into a link you can upload it to any cloud service and press the “Share as link” button. Alternatively, to create a file share link you can upload your PDF to a web site and provide a link to a web page or a direct URL link to the PDF.
However, it is important to understand that this is not a secure way to share a PDF and it is likely to lead to the document being leaked to unauthorized users. To prevent PDF sharing with unauthorized users, you should consider protecting the PDF with a DRM solution before uploading it.
Is Google Drive link sharing secure?
If using Google Drive in a business, you should always ensure that files are shared with accounts rather than just via link since anybody with a link can access them. See Google Drive Security for more info.
Is Google Docs link sharing secure?
As in Google Drive, it is not secure. Allowing anybody with the link to view the document poses a significant risk – they can easily bypass the copy protection and share it. Our blog on Google Docs Security covers this and other issues.
How do I create a URL for a document?
The easiest way to create a URL link or web link for a document is to upload it to a cloud service or your own website. However, you should be aware that any non-random URL has a much higher chance of being discovered by hackers. If you want to share a file link privately from your web site then make sure the URL cannot be indexed by search engines so it is not publicly available.
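A check for the indexing risk mentioned here and in the robots.txt item of the earlier list, as an added example that is not part of the original article: it classifies a self-hosted PDF URL from the site's robots.txt and the `X-Robots-Tag` response header. The path, robots.txt contents and headers are constructed samples, the crawler name is an assumption, and per-crawler header prefixes are not handled.

```python
from urllib.robotparser import RobotFileParser


def indexing_exposure(robots_txt, pdf_path, response_headers):
    """Classify how exposed a hosted PDF URL is to search-engine indexing."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    crawlable = parser.can_fetch("Googlebot", pdf_path)

    # Header names are case-insensitive; the value is a comma-separated list.
    tag = next((v for k, v in response_headers.items()
                if k.lower() == "x-robots-tag"), "")
    directives = {d.strip().lower() for d in tag.split(",")}
    noindex = bool(directives & {"noindex", "none"})

    if crawlable and noindex:
        return "protected"            # crawler fetches the file and sees noindex
    if crawlable:
        return "indexable"            # nothing stops the PDF appearing in results
    if noindex:
        return "noindex-unreachable"  # crawl is blocked, so the header is never read
    return "crawl-blocked-only"       # URL can still be listed if linked elsewhere


# Constructed samples for illustration.
PDF_PATH = "/files/roadmap-2025.pdf"
ROBOTS_MISSES_FILES = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_BLOCKS_FILES = "User-agent: *\nDisallow: /files/\n"


def audit():
    return {
        "no controls": indexing_exposure(ROBOTS_MISSES_FILES, PDF_PATH, {}),
        "robots.txt only": indexing_exposure(ROBOTS_BLOCKS_FILES, PDF_PATH, {}),
        "robots.txt + noindex": indexing_exposure(
            ROBOTS_BLOCKS_FILES, PDF_PATH, {"X-Robots-Tag": "noindex"}),
        "noindex, crawl allowed": indexing_exposure(
            ROBOTS_MISSES_FILES, PDF_PATH, {"x-robots-tag": "noindex, nofollow"}),
    }


if __name__ == "__main__":
    for case, verdict in audit().items():
        print(f"{case:24} {verdict}")
```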
Does Locklizard protect other document formats?
Locklizard only protects documents in the PDF format. If you want to protect spreadsheets (xls, xlsx), Word documents (doc, docx), PowerPoint (ppt) or image files (jpg, png), then you will need to save them as a PDF. See How to convert a Google Doc to a PDF and How to convert Word to PDF for more information.
What is the difference between a PDF to Link generator and cloud storage?
Uploading a document to a PDF to link generator or PDF to URL converter is functionally the same as uploading it to a cloud storage server. The website provides you with a randomized URL that links to the location the file is stored on its servers. Clicking the link either downloads the PDF or opens it in a web browser.
However, one important difference is that major cloud storage providers such as Google, Microsoft, Box, etc. have built up a reputation for server security over many years. Many PDF link generator sites have not. You should be careful about whose servers you upload your PDF files to if they are not encrypted and especially if they contain commercially sensitive or confidential information.
Can I make a link to a PDF file expire?
Yes, you can create a file share link with expiration (i.e. a temporary link), but if the user has already downloaded the PDF then it is worthless since only access to the link expires and not access to the PDF file.
With Locklizard, you can expire the PDF file itself rather than the link to it. You can expire the PDF on a certain date, after a number of days from first open, after a number of views and/or prints. Once the PDF file has expired it can no longer be opened and viewed.
Can you use WordPress for secure sharing of PDF files?
There are various plugins to WordPress that enable you to add a password to PDF files, restrict access to logged in users, expire PDF file URLs, or embed PDF files in a Viewer to prevent download.
What is the best way to securely share PDF files?
We cover this comprehensively in our blogs on How to share files securely and How to send PDF files securely. You can share files securely with a link as long as they are protected from unauthorized access and misuse.
How do I create a Google Drive share file download link?
Press the three dots next to your file and choose “Share > Copy link”. Just be aware that this is not a secure way to share sensitive files.
How can I share files with a link using Box?
To use Box to share a file with a link, press the “Share” arrow and then click “copy” at the bottom of the window.
How do you share a Dropbox file link?
You can use Dropbox to share a file link by hovering over the file and pressing “Copy link”.