Dropbox has started disabling access to previously created shared links after discovering that some Dropbox users sensitive files such as, tax returns, bank records, etc, were begin exposed through Google AdWords campaigns.
The vulnerability, which is also reported present on Box, impacts shared files that contain share links. “Dropbox users can share links to any file or folder in their Dropbox,” the company noted yesterday when confirming the vulnerability:
Dropbox users can share links to any file or folder in their Dropbox. Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
- At that point, the referrer header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
Dropbox noted that they are not aware of the vulnerability begin exploited or any users loosing data from it.
The Dropbox vulnerability was discovered by competitor, IntraLinks, while purchasing ad space for competitors keywords inside Google AdWords. IntraLinks stated that “During a routine analysis of Google AdWords and Google Analytics data mentioning competitors’ names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data. Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes.”
Documents or shared links can be crawled by advertising servers when users paste shared links into search engines rather than their browsers URL bar, and click on an ad instead of the link they pasted. The advertising agency from there can see the hyperlink as a keyword, and note someone clicked on an ad from such keyword. Dropbox noted that this is well known, and doesn’t consider it a vulnerability.
That type of backend design makes sharing links faster and easier for users, in short, less problems may arise. While Dropbox did patch all previously shared links, they noted that the vulnerability will be patched “for all shared links created going forward.”
“Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected,” the company blog stated.
Intralinks urges users to not use free cloud storage for businesses or highly sensitive documents.