Creative (Attack) Vectors and Expressions of Art

Artist Statement

On the Illusion of Obscurity and the Theater of "Anyone With the Link"

capabilityIRL is a meditation on one of the web's most pervasive security theater performances: the capability URL.

You've seen the promise a thousand times: "Anyone with the link can view." It sounds democratic, frictionless, secure-by-design. No passwords to remember. No accounts to create. Just share a URL, and only the chosen few can access your private content.

But what happens when the link is guessable?

The Illusion of Entropy

A capability URL's security depends entirely on its unpredictability. The URL must contain enough randomness—entropy—that an attacker cannot simply guess their way to your private files.

In practice, this requirement is violated constantly:

"We use sequential IDs, but we Base64 encode them, so it's secure."

"The URL looks like a UUID, so no one will guess it."

"The timestamp makes each URL unique."

These are not security measures. They are cosmetic operations on fundamentally insecure identifiers. Base64 is encoding, not encryption. A UUID format means nothing if the underlying value is predictable. Timestamps narrow the search space rather than expanding it.

The Five-Star Rating

Every security scheme in capabilityIRL receives a five-star rating. This is not satire—it's documentation of reality. Organizations routinely ship these exact patterns to production, confident in their security, unable to distinguish between looking secure and being secure.

The five-star rating asks: what does "security rating" even mean when the assessor doesn't understand the threat model?

Anyone With the Link

The phrase "anyone with the link" does profound rhetorical work. It suggests exclusivity—a velvet rope around your content, admitting only those you've personally blessed with the sacred URL.

But "anyone with the link" is a tautology when the link is discoverable. If I can enumerate my way to your private files, I have the link. If your sharing URL appears in my browser history, I have the link. If your token is logged by any proxy between us, everyone has the link.

Capability URLs transfer the burden of access control from the server to the URL itself—and then whisper that the URL is a secret. But URLs are not secrets. They're bookmarked, logged, shared, indexed, scraped, and guessed.

The Enumeration Experience

capabilityIRL includes a URL Explorer not because enumeration is sophisticated, but because it's trivial. The tool exists to make visceral what should be obvious: if your file is at ?id=5, an attacker's first guess will be ?id=4 and ?id=6.

When you watch the enumerator find file after file, you're not witnessing a hack. You're witnessing the normal, predictable operation of a system that was never secure to begin with.

On Security Theater

Security theater serves real purposes: it reassures stakeholders, satisfies compliance checkboxes, and provides the feeling of protection. Sometimes feelings matter.

But capability URLs occupy an especially insidious space in security theater. They look like access control while providing none. They shift liability to users ("you shared the link!") while offering no meaningful protection. They persist indefinitely, creating sprawling attack surfaces of "private" URLs scattered across email threads, Slack messages, and browser histories.

The Alternative

Capability URLs can be secure—when implemented correctly:

  • Use cryptographically random tokens (128+ bits of entropy)
  • Implement rate limiting on access attempts
  • Provide revocation mechanisms
  • Set expiration times
  • Log and monitor access patterns
  • Consider whether "anyone with the link" is actually your threat model

But these measures require effort, infrastructure, and—crucially—an organizational admission that "the URL is the password" is not a security model but an abdication of one.

Conclusion

capabilityIRL is a functional system that does exactly what it claims: it provides capability URLs for private file sharing. It is also completely insecure by design.

The point is not that you shouldn't use capability URLs. The point is that you should understand what they are and what they aren't. They are a convenience mechanism, not a security boundary. They are a sharing tool, not an access control system.

When you share a Google Doc link, you are trusting that Google has implemented capability URLs correctly—with sufficient randomness, proper infrastructure, and meaningful controls. When you build your own capability URL system, you are taking on that same responsibility.

capabilityIRL exists to help you feel what it's like when that responsibility is abdicated. Upload a "confidential" file. Share the "secure" link. Then open the Explorer and watch it enumerate.

That feeling? That's the feeling your users have when you ship ?id=1 to production.

About CVE.art

Creative (Attack) Vectors and Expressions of Art is a digital art gallery exploring security design through intentionally flawed but fully functional web applications. Each installation embodies a specific security antipattern, pushed to an absurd but internally consistent extreme.

The absurdity is educational: experiencing a broken system teaches differently than reading about it.

Links

This site is an artistic project and is not affiliated with MITRE or the official CVE database.