Dropbox Users Warned About Accidental File Sharing Leaks
Published on: 6th May 2014
People who use file storage and sharing services such as Dropbox are being warned that they might be accidentally leaking their files onto the wider internet.
As a lot of people use the services to share confidential documents, the accidental leaks could have serious consequences.
The problems stemmed from the way users can generate a public link to their files, which could sometimes be accidentally used to share private files. It was less a technical fault than a problem with unexpected user behaviour.
Dropbox said that it is disabling the public link facility while it works on a new, more secure version.
In a blog post, Dropbox apologised for the inconvenience while it works on the new service.
Other file sharing services are understood to have similar issues and can be expected to deploy their own "user behaviour" fixes shortly.
The vulnerability arises when a user uploads a private document that contains a web link to a third-party website. When that link is clicked, the website also receives the location of the Dropbox document, which is recorded in its own server logs as the referrer.
The website could then follow that referrer back to access the otherwise private document.
The key will be to develop a way of sharing links that is convenient, but not so convenient that it becomes too easy to accidentally share a file the user wants to keep private.
The most likely model would be to cloak referrer identities when a link is clicked within the Dropbox environment, although that adds more layers of complexity to the underlying service.
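As an added example that is not from Dropbox or the original article, the code below shows one way a file-sharing service could cloak referrers: it rewrites the HTML of a document preview so that links leaving the service carry rel="noreferrer", which tells the browser not to send a Referer header. The host files.example.com, the sample markup and the names ReferrerCloaker and cloak_links are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

SERVICE_HOST = "files.example.com"  # assumed placeholder host of the sharing service
# Constructed sample: preview HTML of a private document.
SAMPLE = ('<p><a href="https://thirdparty.example/page" target="_blank">out</a> '
          '<a href="/s/abc123">local</a> &amp; <a rel="nofollow" href="//other.example/">x</a></p>')

class ReferrerCloaker(HTMLParser):
    """Re-emit an HTML fragment, marking links that leave the service."""
    def __init__(self, service_host):
        super().__init__(convert_charrefs=False)
        self.host, self.out, self.rewritten = service_host.lower(), [], 0
    def _is_external(self, href):
        try:
            host = urlsplit(href).hostname
        except ValueError:  # malformed URL: treat as external
            return True
        return host is not None and host.lower() != self.host  # relative links have no host

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag != "a" or not href or not self._is_external(href):
            self.out.append(self.get_starttag_text())  # pass through unchanged
            return
        # Keep existing rel tokens; noreferrer stops the browser sending Referer.
        rel = set((dict(attrs).get("rel") or "").lower().split()) | {"noreferrer", "noopener"}
        kept = [(k, v) for k, v in attrs if k != "rel"] + [("rel", " ".join(sorted(rel)))]
        self.out.append("<a " + " ".join(
            k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in kept) + ">")
        self.rewritten += 1
    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def cloak_links(html, service_host=SERVICE_HOST):
    """Return (rewritten_html, links_changed); HTML comments are dropped."""
    parser = ReferrerCloaker(service_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rewritten
```

Links that stay on the service, including relative ones, are left untouched, so only clicks that would expose the document's location to another site are changed.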
On the web: Dropbox