Earlier today I reported how users of file sync and share services like Dropbox and Box.com could have their sensitive information exposed to Google advertisers.
Dropbox was contacted yesterday by the media, investigating the claims being made by Intralinks – a file sharing and collaboration service for enterprises – after it revealed that it had stumbled across individuals’ mortgage applications and income tax returns that should surely have remained private on Dropbox.
Dropbox responded last night with a blog post saying it was addressing the vulnerability and that it was “unaware of any abuse of this vulnerability”.
But what worries me most is this.
Intralinks tells me that it privately informed Dropbox that data was being leaked via the shared link vulnerability in late November 2013. That’s over five months ago.
At the time, this was the response that Dropbox offered:
Thanks for writing in to us.
We don’t believe that this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab.
For months, nothing happened.
In short, Dropbox dropped the ball.
It was only when Intralinks decided internet users needed to be warned of the potential risks, and got in touch with me and BBC News, that Dropbox stirred into action.
Here is the blog post that Dropbox published last night:
Even then, Dropbox are only responding to the hyperlink disclosure vulnerability, *not* the Google Adwords-related issue I describe in my blog post.
I think it’s a pretty sad state of affairs that months can pass, and the BBC has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users.
PS. Meanwhile, has anybody heard any comment at all from Box.com who were affected by similar issues? I mean, at least Dropbox said and did *something*.
(Although in fairness to Box.com, at least their free version offers the option of more secure sharing than Dropbox’s free edition allows.)