Dropbox has acknowledged and disabled a vulnerable shared links feature that exposed documents stored by the service to third parties.
Shared links are a collaboration feature that allows users, especially in a business environment, to share and edit documents.
Dropbox rival Intralinks reported the vulnerability in November and said Dropbox responded that it did not believe the problem was a vulnerability.
Dropbox, however, today said it has taken steps to address the issue, including patching the vulnerability to protect shared links going forward and disabling access to previously shared links.
“We’re working to restore links that aren’t susceptible to this vulnerability over the next few days,” Dropbox said in a statement. “In the meantime, as a workaround, you can re-create any shared links that have been turned off.”
Dropbox said it was not aware of any users losing data. Users could be exposed when they shared a link to a document that itself contained a hyperlink to a third-party website. When the recipient clicked that hyperlink, the referrer header sent by the recipient's browser disclosed the original shared link to the third-party website, Dropbox said, giving someone at the third party access to the link to the shared document.
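The leak Dropbox describes is a consequence of the browser's referrer rules, so here is an added example (not code from Dropbox or Intralinks) that models how a Referrer-Policy decides what goes into the Referer header on that click, and which policies would have kept the share link's token out of it. The share-link URL shape, the placeholder token and the third-party host are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs. The /s/<token>/ path shape is an assumption about
# share links; the token is a placeholder, not a real link.
SHARED_LINK = "https://www.dropbox.com/s/EXAMPLE_TOKEN/tax-return.pdf"
THIRD_PARTY = "https://third-party.example/page"


def _origin(url: str) -> str:
    """scheme://host/ only: the form sent by the origin-style policies."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"


def _full(url: str) -> str:
    """Referer never carries userinfo or the fragment, whatever the policy."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))


def referer_header(policy: str, from_url: str, to_url: str) -> Optional[str]:
    """Referer value a browser sends when navigating from_url -> to_url under
    the given Referrer-Policy. None means the header is omitted entirely."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # browser default in 2014
        return None if downgrade else _full(from_url)
    if policy == "same-origin":
        return _full(from_url) if same_origin else None
    if policy == "origin":
        return _origin(from_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(from_url)
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return None
        return _full(from_url) if same_origin else _origin(from_url)
    if policy == "unsafe-url":
        return _full(from_url)
    raise ValueError(f"unknown policy: {policy}")


def leaks_path(policy: str, from_url: str, to_url: str) -> bool:
    """True when the outgoing Referer would reveal the share link's path (and token)."""
    sent = referer_header(policy, from_url, to_url)
    return sent is not None and urlsplit(sent).path not in ("", "/")


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_header(policy, SHARED_LINK, THIRD_PARTY)}")
```

Under the 2014 default the full share-link URL reaches the third-party site; a `Referrer-Policy: no-referrer` header or `rel="noreferrer"` on outbound links keeps it out of the request.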
“We realize that many of your workflows depend on shared links, and we apologize for the inconvenience,” Dropbox said. “We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments.”
Dropbox also acknowledged a second scenario in which a shared link could be leaked. This one involves users entering a shared link into a search engine, which could pass that link on to an ad partner, Dropbox said.
“This is well known and we don’t consider it a vulnerability,” Dropbox said. “We urge everyone to be careful about providing shared links to third parties like search engines.”
Intralinks said that the privacy problem could apply to other consumer-based file sync and share applications.
The company said it discovered the problems with Dropbox during a competitive analysis using Google AdWords and Google Analytics.
“We inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data,” said Intralinks chief security officer John Landy. “Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes.”
Intralinks said it recommends against using free file-sharing applications for business use.
“This was not as unusual as it may sound, and we came across numerous files over the course of a fairly short Google AdWords campaign. We believe it would be relatively easy for others to repeat our results,” Landy said.
Intralinks recommends checking that such services support privacy settings and allow users to control who has access to documents. Accounts should be set to private; most are public by default. Also, files that have already been shared in a public folder, or files that aren’t needed any longer, should be deleted.
“When using file sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place,” Landy said. “The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured.”