I was recently looking at student assignment in my Blackboard gradebook, when I was surprised to note this new logo in its midst:
When I went to download the student assignment, I found exactly what association "crocodoc.com" had with Blackboard --- it's storing our student assignments:
The terms of service of crocodoc.com can be found at https://crocodoc.com/terms-of-use/; their privacy policy is at https://crocodoc.com/privacy-policy/.
In particular, under "User Content", we find the interesting words:
Although you retain ownership of your User Content, by posting any User Content on the Sites or with the Services and electing to make it viewable by users of the Sites and the Services and others, you grant Crocodoc and its affiliates an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license to copy, perform, display, adapt, incorporate, reformat, translate, excerpt, distribute and in all other respects use such User Content (including without limitation on the Sites and with the Services).
Even more interestingly, "crocodoc.com" is actually hosting this service inside of Amazon's cloud services:
langley@langley ~ $ nslookup crocodoc.com Server:127.0.1.1 Address:127.0.1.1#53 Non-authoritative answer: Name:crocodoc.com Address: 54.225.174.40 langley@langley ~ $ nslookup 54.225.174.40 Server:127.0.1.1 Address:127.0.1.1#53 Non-authoritative answer: 40.174.225.54.in-addr.arpaname = ec2-54-225-174-40.compute-1.amazonaws.com. Authoritative answers can be found from: 174.225.54.in-addr.arpanameserver = x4.amazonaws.org. 174.225.54.in-addr.arpanameserver = x2.amazonaws.com. 174.225.54.in-addr.arpanameserver = pdns1.ultradns.net. 174.225.54.in-addr.arpanameserver = x3.amazonaws.org. 174.225.54.in-addr.arpanameserver = x1.amazonaws.com. x1.amazonaws.cominternet address = 156.154.64.10 x2.amazonaws.cominternet address = 156.154.65.10 x3.amazonaws.orginternet address = 208.78.71.31 x4.amazonaws.orginternet address = 204.13.251.31 pdns1.ultradns.netinternet address = 204.74.108.1 pdns1.ultradns.nethas AAAA address 2001:502:f3ff::1
So, becoming even more curious, I decided to see what information they left with their DNS registrar. It turns out that crocodoc.com's an anonymous GoDaddy proxy:
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: CROCODOC.COM Registry Domain ID: 1583959160_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Update Date: 2012-07-11 15:37:50 Creation Date: 2010-02-02 01:15:30 Registrar Registration Expiration Date: 2015-02-02 01:15:30 Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.480-624-2505 Domain Status: clientTransferProhibited Domain Status: clientUpdateProhibited Domain Status: clientRenewProhibited Domain Status: clientDeleteProhibited Registry Registrant ID: Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309 Registrant City: Scottsdale Registrant State/Province: Arizona Registrant Postal Code: 85260 Registrant Country: United States Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: CROCODOC.COM@domainsbyproxy.com
2014-09-24 Update: Even worse, I did a capture of the download process with LiveHttpHeaders, and was able to verify that I could use the same URL from outside the browser courtesy of "wget" although any other command-line URL fetch utility would work as well, so this "Crocodoc.com" service (so appropriately named, I think) is vulnerable to unauthenticated replay attacks.
Last update: 2014-09-24