The issue was stumbled across by rival file-sharing service Intralinks, which focuses on the enterprise market. Intralinks found when running Google Adwords campaigns that it was receiving links to tax returns, financial records, mortgage applications and business plans stored on Dropbox.
Here’s how I described the vulnerability at the time:
Share link disclosure vulnerability
Many cloud data storage services provide users with a method to share links with others. For instance, when a user creates a shareable link on Dropbox or Box, anyone with that link can access the data. You don’t even have to be a registered user of the service to access a shared link.
If a user who is trying to open a document that has been shared with them pastes the Share link into a search engine rather than their browser’s URL box (an easy finger fumble to make) and then clicks on an ad, the advertising server receives the Share link as part of the referring URL.
The problem lies in Dropbox and Box not requiring users who access a shared link to authenticate themselves. For a higher level of security, requiring authentication should be the default way these services work.
As it currently stands, Dropbox and Box share links that were intended for a limited, controlled audience may be disclosed to third parties.
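As an added example (not part of the original article, and not code from Intralinks, Dropbox or Box), here is a small Python check that an operator of an ad server, web site or proxy could run over their own request logs to spot Share Links that arrived this way: it pulls the search text out of the Referer URL and looks for Dropbox or Box share links inside it. The log line format, the list of search-query parameter names and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Share-link URL shapes for the two services discussed above.
SHARE_LINK = re.compile(
    r"https?://(?:www\.|app\.)?(?:dropbox|box)\.com/s/[^\s&\"']+",
    re.IGNORECASE,
)

# Query parameters that common search engines use for the typed search text
# (assumption: extend this set for the engines you actually see in logs).
SEARCH_QUERY_PARAMS = {"q", "query", "p", "text"}

# Constructed log format for the example: client, status, request, referer.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) (?P<status>\d{3}) "(?P<request>[^"]*)" "(?P<referer>[^"]*)"$'
)

def share_links_in_referer(referer: str) -> list[str]:
    """Return share links carried inside a Referer header value."""
    # A link typed into a search box becomes the results page's query
    # parameter; clicking an ad then sends that results URL as the Referer.
    query = parse_qs(urlparse(referer).query)
    found = []
    for name, values in query.items():
        if name.lower() in SEARCH_QUERY_PARAMS:
            for value in values:
                found.extend(SHARE_LINK.findall(value))
    return found

def find_leaked_share_links(log_lines):
    """Scan log lines and return (client, share_link) pairs for leaked links."""
    leaks = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if match is None:
            continue  # unparseable line: skip it rather than guess
        for link in share_links_in_referer(match.group("referer")):
            leaks.append((match.group("client"), link))
    return leaks

# Constructed sample lines (not real traffic): a leaked Dropbox link,
# a leaked Box link, an ordinary search, and a malformed line.
SAMPLE_LOG = [
    '10.0.0.5 200 "GET /ad/click?id=17" "https://www.google.com/search?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123%2Ftax-return.pdf%3Fdl%3D0"',
    '10.0.0.9 200 "GET /ad/click?id=17" "https://www.bing.com/search?q=https%3A%2F%2Fapp.box.com%2Fs%2Fxyz789"',
    '10.0.0.7 200 "GET /ad/click?id=21" "https://www.google.com/search?q=dropbox+pricing"',
    'garbage line without the expected fields',
]
```

Running `find_leaked_share_links(SAMPLE_LOG)` reports the first two clients with the share links their searches exposed, and ignores the ordinary search and the malformed line.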
Intralinks responsibly disclosed the vulnerability privately to Dropbox in November 2013. Sadly, Dropbox said it did not believe the issue was a vulnerability, and six months later, with Intralinks still alarmed at the information it was able to access, Dropbox had done nothing about it.
But ignoring a problem doesn’t make it go away.
Intralinks yesterday published a new article, saying that it was still (almost 18 months after first making the issue known to Dropbox) receiving links to information that Dropbox users clearly did not intend to fall into unauthorised hands.
Here’s an example of one such document that has recently leaked out due to the share link disclosure vulnerability, a tax return:
Intralinks Field CTO Daren Glenister had this to say on the Intralinks blog about the problem:
“Many users clearly don’t know or perhaps don’t understand that even if they don’t actively share a link to a file, an unsecured link could still be uncovered and their files could be accessed. With estimates of well over 400 million users of consumer file sharing apps, this is a significant issue.”
“Conceivably, all file sharing apps could potentially be vulnerable to this issue. Many people don’t use basic security features, like setting passwords. To compound the problem, many people use consumer file sharing apps for both personal data and company data, with no or insufficient security in place.”
Advice for Dropbox users
If you’re using the Business version of Dropbox there’s some good news – there is a security setting available to restrict access to Share Links. Unfortunately, there is no such option for the free version of Dropbox used by the vast majority of the company’s users.
If you use the free version of Dropbox, you should not use the Share Link facility as it could be leaked to a third party.
And, finally, don’t forget to delete or disable Share Links after they are no longer required.
For more advice on how to protect your private information on file-sharing services, check out the Intralinks blog post.