Readers with good memories will recall a worrying privacy hole was found in Dropbox after publicly accessible links to private personal information stored on the service leaked out to unauthorised users.
The issue was stumbled across by rival file-sharing service Intralinks, which focuses on the enterprise market. Intralinks found when running Google Adwords campaigns that it was receiving links to tax returns, financial records, mortgage applications and business plans stored on Dropbox.
Here’s how I described the vulnerability at the time:
Share link disclosure vulnerability
Many cloud data storage services provide users with a method to share links with others. For instance, when a user creates a shareable link on Dropbox or Box, anyone with that link can access the data. You don’t even have to be a registered user of the service to access a shared link.
If a user trying to open a document that has been shared with them pastes the Share link into a search engine rather than their browser’s URL box (an easy finger fumble to make) and then clicks on an ad, the advertising server receives the Share link as part of the referring URL.
The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves. For a higher level of security, requiring authentication should clearly be the default way in which the services work.
As it currently stands, Dropbox and Box share links that were intended for a limited, controlled audience may be disclosed to third parties.
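For anyone operating the receiving end of this leak (an ad landing page or analytics endpoint), the sketch below redacts share links from the referring URL before it is logged. It is an added example, not code from Intralinks, Dropbox or Box; the host list, the `search.example` referrers and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: hosts whose links open without a login; extend per deployment.
SHARE_HOSTS = ("dropbox.com", "box.com")
REDACTED = "[share-link-redacted]"


def is_share_link(value: str) -> bool:
    """True if a query value is itself a URL with a path on a sharing host."""
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # links are often pasted without a scheme
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed input such as an unbalanced "["
        return False
    host = (parts.hostname or "").lower()
    on_share_host = any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)
    # A bare "dropbox.com" search is navigational, not a leaked link.
    return on_share_host and bool(parts.path.strip("/"))


def scrub_referrer(referrer: str) -> tuple[str, bool]:
    """Return (referrer that is safe to log, whether a share link was found)."""
    parts = urlsplit(referrer)
    found = False
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_share_link(value):
            value, found = REDACTED, True
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found


# Constructed sample referrers: a pasted share link, then an ordinary search.
SAMPLES = [
    "https://search.example/results?q=https%3A%2F%2Fwww.dropbox.com"
    "%2Fs%2FEXAMPLEID%2Ftax-return.pdf&lang=en",
    "https://search.example/results?q=secure+file+sharing",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scrub_referrer(sample))
```

Scrubbing at ingestion keeps the link out of logs, dashboards and third-party exports, but the link has still left the user's control, so the owner's only real remedy is to disable it.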
Intralinks responsibly disclosed the vulnerability privately to Dropbox in November 2013. Sadly, Dropbox said it did not believe the issue was a vulnerability, and six months later, with Intralinks still alarmed at the information it was able to access, Dropbox had done nothing about it.
But ignoring a problem doesn’t make it go away.
Intralinks yesterday published a new article, saying that it was still (almost 18 months after first making the issue known to Dropbox) receiving links to information that Dropbox users clearly did not intend to fall into unauthorised hands.
Here’s an example of one such document that has recently leaked out due to the share link disclosure vulnerability, a tax return:
Intralinks Field CTO Daren Glenister had this to say on the Intralinks blog about the problem:
“Many users clearly don’t know or perhaps don’t understand that even if they don’t actively share a link to a file, an unsecured link could still be uncovered and their files could be accessed. With estimates of well over 400 million users of consumer file sharing apps, this is a significant issue.”
“Conceivably, all file sharing apps could potentially be vulnerable to this issue. Many people don’t use basic security features, like setting passwords. To compound the problem, many people use consumer file sharing apps for both personal data and company data, with no or insufficient security in place.”
Advice for Dropbox users
If you’re using the Business version of Dropbox there’s some good news – there is a security setting available to restrict access to Share Links. Unfortunately, there is no such option for the free version of Dropbox used by the vast majority of the company’s users.
As a result, the recommendation for Dropbox users has to be to use the Business version of Dropbox rather than the free one if you share sensitive data via the system. Then, set up the appropriate Share Link security settings to protect your data.
If you use the free version of Dropbox, you should not use the Share Link facility, as the link could be leaked to a third party.
And, finally, don’t forget to delete or disable Share Links after they are no longer required.
For more advice on how to protect your private information on file-sharing services, check out the Intralinks blog post.
5 comments on “Dropbox users continue to unwittingly leak tax returns and other private data”
I did something similar as a proof of concept; it was a different cloud file sharing site, that used shorter 'random' links. A script would make a random URL of X length, and try to download something. If a payload was found it would download it, save it for later review, then try another URL. All sorts of personal data can be uncovered this way, including official documents. People clearly do not understand what they're 'sharing' when they pass a URL to a friend/co-worker/etc.
Disclaimer: I reported this, and included the source of the script, to the company in question. They thanked me, but ultimately didn't fix it.
www.fileapartment.com has an option for "one time share" which after one-time download it is not available anymore.
Perhaps. But link not available doesn't necessarily equate to permanently erased. That should not be forgotten. This has been shown many times over the years, even for very similar things. Is snapchat the app that allows someone to send a picture and it only exists momentarily? Whatever the name, not only is it possible for someone to grab a screen capture (obviously), services have been known to keep them for some time, and then this is discovered later (with really bad end results, including revealing – and in THAT way – images of kids, in a huge cache of supposedly deleted photos).
So yes, this (I refer not to snapchat but – I find the idea rather troubling because it sets some people up to give in to temptations, far too easily – limited access in general [which is different than 'one time share', at least without further evidence to the contrary]) has some use for some things (depending on how it is implemented) but there is still a risk with services claiming things like 'one time share', and it should be kept in mind (should always be kept in mind, of course, but these types of things give a false sense of security, which increases the chance of risk taking, risks that can be a very bad thing) – if you're only sharing it because it is only available for a short window of time (and more specifically, you wouldn't consider it otherwise), then you should ask yourself what is it about limited availability that makes it any different (it refers to whatever it is being compromised).
Sharing files with static URLs is clearly not secure. No matter how long the URL is, it can be easily leaked through search, HTTP referer header and network sniffing software. In fact, when you share a file using a static URL, you actually just published the file for anybody to access without announcing it.
On DriveHQ.com, this is called file publishing. We support file publishing, folder publishing and website publishing. For users who want to share files with strong security, we have a separate file sharing feature. When you share files with other DriveHQ user(s), subgroups and contact groups, we use account-based access control, which offers the strongest protection; when sharing files with non-DriveHQ members, we use a share link, plus a security key, and the recipient user's email address. Unless a file is published and a static URL is explicitly created and used, your files are completely secure.
Totally agreed. I cringe when people send me important work files through Dropbox's public static link.
Moreover, some of these came from Lawyers, Managers and Auditors, sending sensitive work files. It is important to encrypt the files first before uploading to Dropbox. And then share the encrypted file.
However, it is next to impossible to get people to understand how to encrypt files using OpenPGP or other asymmetric file encryption tools. It is difficult to email them securely using GPGMail etc. due to cross-platform compatibility and key exchange hassle. Some of them are open to trying out password-based file encryption tools. But remembering all these passwords is a hassle.
Does anyone know of good and easy-to-use public key encryption based tools?