Earlier this year, it was discovered that Dropbox users had been unwittingly leaking sensitive information, such as their tax returns and mortgage applications because of the way the file-syncing service handled so-called “Shared Links.”
Like many cloud data storage services, Dropbox provides users with a way to share access to files with others. When a Dropbox user creates a shareable link, anyone with that link can access the data, even without a Dropbox account.
So far, so simple.
But what if that link fell into the wrong hands? Whether maliciously, or by accident?
Enterprise file-sharing (and Dropbox competitor) Intralinks discovered the issue affecting its rival’s users by accident when it ran a Google Adwords campaign to drive traffic to its website.
To its astonishment, Intralinks found in its analytics data that it was receiving the URLs required to access documents stored on Dropbox, including some containing clearly sensitive information.
Furthermore, it was discovered that if a document stored on Dropbox contains a clickable link to a third-party site, and a user clicked on that link, the (supposedly private) Dropbox Share Link to that document was included in the referring URL sent to the third-party site.
Sadly, Dropbox only began to take action against the problem when the privacy issue was picked up by the media – months after it had been privately disclosed to the company.
Thankfully, Dropbox hasn’t been entirely resting on its laurels and this week announced new features for its business users that should help provide an additional level of security.
In a blog post published on Tuesday, Dropbox unveiled three new features:
- View-only permissions for shared folders
- Passwords for shared links
- Expirations for shared links
The features, which are only available to Dropbox for Business users, should help improve security a little for those organizations whose staff use the service for collaboration.
Firstly, setting a password for shared links is clearly a good thing.
Although, of course, you should be careful to choose a password that is hard to guess and difficult to crack. If you fall into the common habit of using dumb passwords like “password”, “password1234”, “banana” or your favorite sports team, then you will only have yourself to blame if your data later becomes compromised.
Naturally, then there is the challenge of how to communicate the password securely to the person that you wish to access the file, but that’s a blog post for another day.
Personally, I would love to see Dropbox for Business go further than what they have done here by giving administrators the ability to set policies, such as the forcing of password use on all shared links and even checking that the password being chosen is a sufficiently strong one.
Going beyond passwords, Dropbox for Business now allows users to set an expiration date for their shared links.
This was one of the problems highlighted by the privacy vulnerability uncovered earlier this year. Users had created share links for files and later forgot about them. This meant that files continued to be accessible months and even years after there was any legitimate use for the shared link.
When the vulnerability was discovered, Dropbox scrabbled to disable shared links on at-risk files and it became evident that many users had shared files in the past that they had long forgotten about.
If users can get into the habit of setting an expiry date for shared links (perhaps a couple of days, rather than the default of eternity) then they can reduce the chances of their data falling into the wrong hands.
Overall, I’m pleased to see Dropbox introducing greater protection – and I only hope that its customers will make use of them – but it still feels like the service has a long way to go before it can offer a solution that enterprises will truly feel comfortable with.
It seems that Dropbox was designed as a consumer service that has then had bits bolted on to create a product capable of being sold to the enterprise. But, as a result, it comes across very much as a solution that was not built from the ground up with the needs of businesses, and the privacy and security they demand, in mind.
It’s hard to ignore that Dropbox has only introduced the new functionality for its business users. It seems that once again the person in the street is being given a substandard service and is not benefiting from the additional security and privacy offered to big businesses.
I wonder, what is the rationale behind *not* allowing home users to set expiry dates on shared links, for instance?
If you use the free version of Dropbox, my recommendation is that you should still avoid using the Share Link facility, as you could find sensitive information is being far too easily leaked to a third-party.
Whether you are a business or home user of Dropbox, please encrypt everything that you upload to the service (perhaps using tools like BoxCryptor, CloudFogger and SafeMonk) *before* you send it to Dropbox, and remember to think very carefully about how you share links with others.
- 4.5 Million Patients Put At Risk After Community Health Systems Hacked
- Passwords: Are We Focused on the Right Issues?
- Beware: A Factory Reset Doesn’t Actually Delete Your Android’s Data
- Dropbox Leaking Sensitive Data on Google
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].