Dropbox Leaks User Data on Google Through Shared Links Updated

Cloud company promises that any shared links going forward are free of the vulnerability

By on May 6th, 2014 08:28 GMT

Piece of advice to you all. Limit your Dropbox link sharing for a while, as apparently your stuff can turn up on Google. That’s the key takeaway from an alarming post by security specialist Graham Cluley, who confirmed with Dropbox that they have a serious data leak problem.

Cluley’s post is insightful, as always, but it’s written in the language of techies. Regular users are better off reading what Dropbox has to say on its blog. In a nutshell, the leak is real and happening, and Dropbox is already taking radical steps to address the situation. Some of your previously-shared links may no longer be functional as of now, just so you know.

“We wanted to let you know about a web vulnerability that impacted shared links to files containing hyperlinks,” the Dropbox post begins. “We’ve taken steps to address this issue and you don’t need to take any further action.”

The cloud company begins to explain how linking to Dropbox files can lead to those particular files getting leaked on the web because of the referrer header, or HTTP referrer, which identifies the address of the web page that linked to the resource being requested, allowing the new web page to see where the request originated. Dropbox explains:

“For background, whenever you click on a link in any browser, the site you’re going to learns where you came from by something called a referer header. The referer header was designed to enable websites to better understand traffic sources. This is standard practice implemented across all browsers.”

“Dropbox users can share links to any file or folder in their Dropbox,” the cloud company continues. “Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients,” Dropbox warns.

A particular set of factors and situations must converge to make it all possible, but it’s nevertheless very easy to get there. If you’ve engaged in such practices, Dropbox says it has made the links inoperable starting May 5, in order to protect your data.

Users can re-create any shared links that have been turned off, and any links created starting now are free of this vulnerability. Business users have the option to restrict shared link access to people in the Dropbox for Business team. According to the company, using those access controls made it impossible for data to be breached.

“We realize that many of your workflows depend on shared links, and we apologize for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments,” Dropbox concludes.

Oh, and according to Cluley, Box users are affected as well.

Update: researcher Graham Cluley tells us "Dropbox says it has fixed one of the issues, but not the one which actually resulted in Income Tax returns and mortgage applications falling into unauthorised hands. So far they've been silent about that."

1 Comment