
Stupid access to cloud from another computers


Because of the ransomware protection, I moved from standard multi-PC licenses (which I upgraded every time) to a subscription. What a stupid decision. In the past I activated the license on every single PC by license key; now I have to use my login. Every user of such a computer can now access my cloud storage and do whatever they want. In a nutshell: I back up my data to the cloud and my kids can download all my data and even delete it. Thank you very much, this is really what I want.

Petr Zahradnik

 


Hello Petr,

Thank you for choosing Acronis software and welcome to the user forums.

Please check my post here about the Dashboard feature. To address your concern I would only add that we have an extra line of protection that you can use to secure your backups: backup-level encryption. When configuring a new backup to Acronis Cloud, you can define a password to restrict access to each backup individually.

Regards,

Slava

Hello Slava,

Thank you very much for the reply. Yes, I know that I can define a password for my backup. But other users can delete my backup without any problem. In other words, children can delete all files in the cloud. Cloud storage is unusable for me. Absolutely.

It would be enough to require the login credentials for the online control panel. Automated login for multiple computers is a security hole.

Petr Zahradnik

 

Petr Zahradnik wrote:

Hello Slava,

Thank you very much for the reply. Yes, I know that I can define a password for my backup. But other users can delete my backup without any problem. In other words, children can delete all files in the cloud. Cloud storage is unusable for me. Absolutely.

It would be enough to require the login credentials for the online control panel. Automated login for multiple computers is a security hole.

Petr Zahradnik

Petr...

1) Where does the dashboard allow someone to delete a backup or access the content of it?  You can delete a client from the dashboard, but it does not delete the backup or give access directly to it. See screenshot.

2) If you click on the backup tab from the icon, it does log you into your account (which you're logged into through the app if you're using the dashboard). However, if backups are password protected (which hopefully they are), you must enter the password to even open the backup, let alone delete it.

3) Acronis can only be launched under a local admin account. Why would you give a kid administrative access to your computer where they could just as easily start deleting files from the computer with such access? If they had a non-admin account, they won't be able to launch Acronis or the dashboard.

4) Biggest security hole I can think of is giving multiple people administrative access to your local computer where they can mess with any local files or applications that have other types of data or access rights as well. As for the dashboard, specifically - the dashboard itself won't allow someone to delete cloud backups if they are password protected and/or access to the dashboard is limited via local computer access permissions as well.

That said, I do think it would be better security to prevent dashboard access with the prompt of the account password as well. The main account holder may be in one location, but anyone who can launch Acronis with admin access can get to the dashboard and delete the system (not their backups) so they could no longer be managed in the dashboard. The thing is though, you can do the exact same thing by launching Acronis and deleting a backup from the local GUI - so again, using good local computer account permissions would be ideal for preventing that too.

Attachment Size
407995-137632.jpg 23.3 KB
407995-137635.jpg 56.73 KB

Hello Slava,

1) See attached screen. Anyone can delete any backup.

3) I am the administrator of my computer, of course. Nobody else has access to my computer. But others have administrative access to their computers. So, they are able to delete all backup files in the cloud storage with the new version of Acronis True Image.

4) No. Others have administrative access to their computers. That is not a corporate network with the need for restriction.

There is a problem with automated login into the online control panel. I have a subscription for 5 computers. So, Acronis True Image is installed on 5 computers. But all 5 users on these 5 computers are automatically logged into the online control panel with all backup files.

Petr Zahradnik

 

Attachment Size
408002-137638.jpg 50.67 KB

I take it you have saved your credentials in the browser or keep cookies for browsing sessions?  I have cookies and browser session set to remove these by default for all Internet surfing to ensure passwords are always required.  Even then though, during the same session, I can only make a change after I provide the credential first.  If I go back to the main menu, I must enter credentials again. 

I installed Acronis True Image on a second computer. I used no browser. I inserted Acronis account information (login, password) into Acronis True Image in the registration process to activate the software license. The browser is opened by a mouse click on the online control panel button inside the True Image software. And the user is logged in automatically.

Petr Zahradnik

 

1) Did you set a password on your cloud backup task to begin with? Are you prompted for a password when accessing the backup from the Acronis application directly - not through the dashboard?

2) If you do get prompted for a password in the app, but not the online dashboard, did you let the browser save the password at some point? Clear your browser saved password and clear the history and cache. Then close the browser down completely and launch again. You don't need to enter a password when accessed from the dashboard to log into the cloud account. But if you set a password on the backup, you should get prompted for the password then - this is the same behavior as the app.

There is no problem with the password for backups. There is a problem with autologon to the online control panel from the Acronis True Image application. No password was inserted into the browser.

Petr Zahradnik

I see the very same thing as Petr Zahradnik does.

I use a subscription as well, and on my laptop I can easily access/recover and delete encrypted cloud backups made on my desktop computer without having to type any password, despite the cloud backups indeed being encrypted. I can do the same vice versa as well.

I don't know if it is related to this: https://forum.acronis.com/forum/128812
 

I'd suggest both of you contact tech support and work with them. You're the first to report this. I cannot reproduce, not on 2017 8029 or on 6116 from different machines.

Are you 100% sure there is a backup task password too? Like when you go to edit the task in the app directly, you are getting prompted for the password? And both of you did check browser saved passwords and cleared all of your previous browsing cache and history - including that of favorites if using I.E. since there is an additional option in I.E. to keep those unless you unch close it.

I'm not debating that it logs you right into the cloud account. I really don't see that as an issue if you've logged into the app since you can do the same from the app to delete as well and would need admin access to the PC to launch the Acronis app to get to the dashboard.

But yes, if there is no password on the backup in the app, then there's not one in the cloud either since you have to set that password up before you ever run the backup. This is where I get prompted for the password before I can do anything else with the backup - even delete. I get asked to enter the backup password here.

My hunch, which may be wrong, is that your browser has details saved from a previous browser session which has stored the backup password if you provided it before. Especially if using something like RoboForm if you don't put locks on that.

So 1) make sure you're prompted in the app for the password if you try to edit it and report back

2) clear browser history and cache completely and close the browser completely and test again using dashboard after that and report back

3) if that still allows you to access with a password from the browser via dashboard without providing a password, open a support case because there's nothing else we can do from the forum to help with an authentication error or problem. You'd need to work with Acronis support directly.

Bobbo_3C0X1 wrote:
Are you 100% sure there is a backup task password too? Like when you go to edit the task in the app directly, you are getting prompted for the password? And both of you did check browser saved passwords and cleared all of your previous browsing cache and history - including that of favorites if using I.E. since there is an additional option in I.E. to keep those unless you unch close it.

I do already have an open case regarding the issue in the thread I posted. (#02926482)

Yes, 100% that I have password protected backups. :)

No, I am never prompted for a password when editing or recovering encrypted backups, local and cloud.

Bobbo_3C0X1 wrote:
My hunch, which may be wrong, is that your browser has details saved from a previous browser session which has stored the backup password if you provided it before. Especially if using something like RoboForm if you don't put locks on that.

The browser/settings/cache/saved passwords are irrelevant in this case since TI2017 signs in automatically. IOW, TI2017 sends the username and password to the browser without any input from the user.

What kind of license are you using, perpetual or subscription?

 

 

 

 

The browser is not irrelevant here. It's a two step process. The first login to the account via the dashboard would be irrelevant since the application is passing on the credentials you already supplied to the Acronis application and those are being forwarded on from the dashboard to the browser. However the second part that is not irrelevant, is if the backup is also supposed to be password protected.  That would be a second instance of needing to provide credentials again and could be saved in the browser as a saved password or in the current sessions cache from entering it at some other point in time. Remember you're using a browser at this point now so if you keep the cache and history forever and credentials don't change, it can keep using that information. 

However, as you're not being prompted for a password even in the app, that would be the issue. I am using a subscription and tested with 8029 and 6116 NG. 8029 has a bug that does not require a password in the app to make changes to local backups, but I'm still prompted for the local password on all existing cloud backups and any new test cloud backups. Only local backups are impacted with this bug for me and only with 8029. There are some other threads about this and the others experiencing it all reported the same behavior for local backup passwords, but still needing to enter a password for all cloud backups.

As another test, I suggest you create a new cloud backup with very small data - like one txt file or something. Before you run the new test backup make sure it is set to use  AES encryption and a password - specifically type one in, even if it looks like something is already in the box. Run the backup. Clear browser cache, history and any Acronis saved passwords in the browser. Reboot for good measure. Log in and launch Acronis and then the dashboard. Immediately connect to the new test backup and see if you're prompted for a password or not. If not, try to delete the test backup and see if it prompts for the password then or not. 

 

 

Bobbo_3C0X1 wrote:
The browser is not irrelevant here.

But if it is not, why can I switch my default browser from Firefox to either IE or Edge and still be logged in automatically by TI2017 even though I have never used either IE or Edge on this computer? To me that's a clear indication that the browser is irrelevant and that the user name and password is sent from TI2017 directly to the default browser.

For me as a single user this auto-log-in is not an issue, but I can see that it can be an issue for users like Petr. What I am not comfortable with is that I can delete encrypted cloud backups without having to use the password.

Bobbo_3C0X1 wrote:
As another test, I suggest you create a new cloud backup with very small data...

That's how I test it and yes, I type in a password.

FYI, I have been using passwords for all my backups for two decades so I am familiar with the process and am aware that I create encrypted backups. :)

OK - no belittling intended - honestly there are all walks of computer life here in the forum and you'd be surprised how granular we have to get with some people due to a basic lack of knowledge of basic PC functionality - no way for us to know or guess and am trying to pull information along to make the picture clearer since we can't see what you're experiencing.

I don't have anymore to offer and hope that your support case either identifies a bug that some may be experiencing in their specific setup or something with the cloud. The fact that you're not even getting prompted for the password to modify the task from the local application GUI - is the most troubling to me. It seems like if that was working, the cloud password would too - I am prompted for my password in both locations (local GUI modifying cloud backup task and the browser once the account is logged in via the dashboard or manually using https://cloud-wr-us1.acronis.com/index.htm) on multiple systems with 2017 NG 6116 and standard 8029 so just can't replicate what you're experiencing despite my best efforts.

Why you're not getting prompted for your password in either case seems to be the real mystery and short of attempting a cleanup, since a new cloud test seems to produce the new behavior, I've got nothing.  Curious to see what the support case turns up.

 

BTW - you never mentioned what version of the application you have installed other than 2017 - what revision?

Bobbo_3C0X1 wrote:
BTW - you never mentioned what version of the application you have installed other than 2017 - what revision?

I am using TI2017 #8029. :)

 

I am using the latest Acronis True Image New Generation, version 2017, build 6116. It is a subscription and must be activated by login credentials for the Acronis account. So, when I click the online control panel button, the software opens the browser:

https://trueimage.acronis.com/?jwt=xxxxx

And xxxxx contains login credentials. It causes automatic login into the online control panel. From any computer where True Image is installed.

Petr Zahradnik
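
Added example, not part of the thread and not Acronis code: a short Python audit of a login-handoff URL of the shape Petr quotes (`?jwt=...`), showing what a defender can read from such a link and which properties to check. The host, token, claim names and the 60-second limit are constructed assumptions; the real token's contents are not shown in the thread.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_segment(segment: str) -> dict:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_sample_url(issued_at: int, lifetime_s: int) -> str:
    # Constructed sample: host, claim names and values are assumptions,
    # and the signature segment is a dummy.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "account-owner", "scope": "cloud:full",
              "iat": issued_at, "exp": issued_at + lifetime_s}
    token = ".".join([b64url(json.dumps(header).encode()),
                      b64url(json.dumps(claims).encode()),
                      b64url(b"dummy-signature")])
    return "https://panel.example.test/?jwt=" + token

def audit_handoff_url(url: str, now: int, max_lifetime_s: int = 60) -> dict:
    """Report what a token-in-URL login handoff exposes (decode only, no signature check)."""
    tokens = parse_qs(urlsplit(url).query).get("jwt", [])
    if not tokens:
        return {"token_in_url": False, "claims": {}, "findings": []}
    segments = tokens[0].split(".")
    if len(segments) != 3:
        return {"token_in_url": True, "claims": {}, "findings": ["malformed token"]}
    claims = decode_segment(segments[1])
    findings = ["bearer token in query string: lands in browser history and may reach logs"]
    iat, exp = claims.get("iat"), claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token does not expire by itself")
    else:
        if iat is not None and exp - iat > max_lifetime_s:
            findings.append(f"lifetime {exp - iat}s exceeds {max_lifetime_s}s limit")
        if exp > now:
            findings.append("token still valid at audit time")
    return {"token_in_url": True, "claims": claims, "findings": findings}

if __name__ == "__main__":
    report = audit_handoff_url(make_sample_url(1_700_000_000, 86_400), now=1_700_000_100)
    for finding in report["findings"]:
        print("-", finding)
```

A handoff token that is short-lived and single-use narrows the exposure; it does not replace a password prompt before destructive actions such as delete.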

 

Petr - I see the issue now.  This is not just the cloud, but also local backups.

Password is required if you want to click on the backup to edit the task, open the task, etc. - can you confirm that as well (or not).

However, if you just click on the cog wheel in the cloud and go to delete - no password is required  and it deletes - which is what you've been stating all along.

Likewise, before deleting in the Cloud, you can also test the same in the local application. If you access the backup from there, you are asked for the password if you want to edit the task, navigate it or recover from it. However, if you click on the drop-down to the right of the name and select "delete" it simply just deletes the backup without the need for a password.

I see it and can re-produce this behavior in both versions of 6116 and 8029 as well. 

Basically, I don't think it has anything to do with the password at all - this function doesn't seem to need the password to delete and probably should.

As an FYI - anyone with access to your local computer (an administrator) can go to the local backups and delete them from file explorer without using Acronis. If your kids have access to this account, your local backups, as well as any other data or files on your computer, are at risk, simply through Windows permissions and having local access to your computer. I do believe that if a backup is password protected, that the password should be required before you can click the delete button too. Perhaps there is some reasoning here though - like if I forget the password or someone else creates a cloud backup with a password and no one knows it, we wouldn't be able to delete them at all if it did require that password.

I will submit feedback to Acronis - this could be looked at from both sides though - not secure because it can be deleted once the account has been logged into (although the data itself is secure from prying eyes).... OR what if we forget or fat-finger the password and can't get into the backup, but also then can't delete it since we don't have that password?

Bobbo_3C0X1 wrote:
Password is required if you want to click on the backup to edit the task, open the task, etc. - can you confirm that as well (or not).

I don't need the password to edit or open the encrypted cloud backup.

Right, we've addressed that earlier. Your setup/install appears to be bad for some reason. The GUI in Windows should be prompting for the password to modify any password protected cloud backup. We also addressed there is a bug in 8029 that does not require password to edit local tasks at all (noncloud), but cloud should be. There are a total of 2 of you in the forum stating no password needed to edit a cloud backup. Something is wrong, but why only you two so far?

I don't have the issue and can't reproduce it. I've tested on my daily PC with 6116 and my daily laptop with 8029. I've built 2 new VMs and tested 8029 and 6116 with clean installs and can't reproduce either.

Without having the issue, and attempting to produce it, I've spent more time trying to help you than you've actually spent testing yourself to repair or fix. Really don't know everything you've done to try to resolve or how, but hope that support can find something for you if you've opened a support case and submitted your system report. Sorry I can't help anymore in your unique situation. Best of luck.

Do you really think that I want to blame you for this? Your answer is plain retarded.

Good luck. Your forum etiquette surely will require it if you're hoping for others to offer their time to help. I told you to work with tech support and I'd still say the same as I won't be back to this thread again.