Expensive Lessons Learned Running A Free File Hosting Web Service
Towards the early part of 2017, I embarked on creating a bunch of quick single-purpose web applications to keep myself busy and sharp. One of those apps was a temporary file storage web application called Tempfile.cloud.
The premise was simple: you get 1gb of free upload space and your files have an expiry of 24 hours.
I threw some advertisements on there and then shared it around. Surprisingly, it got some traffic. Turns out file sharing sites not covered in malware-laced banner ads/widgets, require you to signup and have no Russian tracking scripts resonate.
I did the numbers and the cost of storing even a few hundred gigabytes of files was going to be cheap on Amazon S3, both the bandwidth and storage costs. Using an S3 bucket policy, I was able to automate the deletion of files after 24 hours.
The site didn’t really generate any income for me and it got a few thousand visitors per month, people were using it. Costs for the first few months were not even $1 and the ads (whilst not very profitable) were covering the costs (and then some).
Then one month it all changed… I got my monthly Amazon bill and almost had a heart attack. My beloved sub $1 application just netted me a bill for almost $500 for just one month.
I immediately went to Amazon thinking it was some kind of mistake that my bill had jumped so much.
Once I realised it wasn’t, I then started digging. Did I all of a sudden start to get more users because people loved the product, was my site being used as a new Pirate Bay replacement or the next Wikileaks? I had to know.
The traffic stats were not showing a spike in new users, I didn’t make it to the front of Reddit, Product Hunt or Hacker News. Turns out a few standard definition movies had been uploaded, that’s just where it starts.
Digging even deeper, I realised that not only were movies being uploaded, but my site had inadvertently become a movie streaming platform and a couple of videos shared on a forum. Thankfully these were not dodgy movies (I log IP’s anyway).
It turns out I had failed to enforce uploaded files are to be downloaded by the user. This meant I had created a site where you could upload any type of file and then hotlink it (for 24 hours). Movies and music, anything you can stream. I had just created a Netflix for piraters, without the discovery UI.
The lesson here is, if you’re going to allow files to be uploaded and you’re not restricting the type (like me), make sure you enforce a policy which always forces the files to be downloaded. Otherwise, you could be drowned in a sea of expensive bandwidth fees.
The story didn’t end badly for me though. Kudos to Amazon, when I reached out to them they wiped the entire bill and understood that it was a mistake (even if it was my fault). They didn’t have to do that, but I am grateful that they did.
As for the site. It is still up here – however, file uploads are disabled. I am planning on re-enabling them shortly once I sit down and make sure this kind of thing doesn’t happen again.