Skip to content ↓ | Skip to navigation ↓

Cloud-based file storage service Dropbox has confirmed the existence of a vulnerability that could allow sensitive files associated with shared links can be exposed and turn up in search engine results on Google, according to a statement from the company:

“Dropbox users can share links to any file or folder in their Dropbox. Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:”

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document
  • At that point, the referer header discloses the original shared link to the third-party website
  • Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document

The vulnerability was discovered by a competitor when doing keyword searches and they found links to exposed documents stored in Dropbox, including tax returns, financial records, mortgage applications and business plans.

“When Intralinks looked at the data from Google Adwords campaigns that mentioned its competitors and Dropbox, they found something which shocked them: the fully clickable URLs required to access documents stored on the services, including some containing clearly sensitive information,” wrote Graham Cluley.

Cluley goes on to explain that the data is being exposed in two ways: Via a share link disclosure vulnerability and by way of a hyperlink disclosure vulnerability. The first method of exposure happens if someone puts the share link into a search engine rather than into a browser’s URL box, and the second if a user clicks a link to a third-party site from Dropbox’s web-based preview.

Dropbox said it has taken the following steps to prevent the vulnerability from being exploited:

  • For previously shared links to such documents, we’ve disabled access entirely until further notice. We’re working to restore links that aren’t susceptible to this vulnerability over the next few days
  • In the meantime, as a workaround, you can re-create any shared links that have been turned off
  • For all shared links created going forward, we’ve patched the vulnerability
  • Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected

Read More Here…