Dropbox users accidentally leak private files
Warning from storage sites over users unintentionally leaking own files online
Users of cloud storage services such as Dropbox and Box are inadvertently leaking tax returns, mortgage applications, bank information and personal photos online.
According to the International Business Times, the revelation has come from cloud storage company Intralinks, which has discovered that a flaw in the sharing system employed by Dropbox and Box means that links shared with specific people are easily accessible by third parties.
Dropbox has said in a blog post that it has taken steps to address the issue and is unaware of any abuse due to the vulnerability. The post also said that users don't need to take any further action.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments."
It admitted that "shared links to documents can be inadvertently disclosed to unintended recipients" in the following scenario: a user shares a link to a document that contains a hyperlink to a third-party website; the user, or an authorised recipient of the link, clicks on a hyperlink in the document; at that point, the referrer header discloses the original shared link to the third-party website. Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
According to the BBC, security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.
"I think these services need to be more upfront with warnings," he said.
However he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.
Intralinks' chief technology officer for Europe, Middle East and Africa Richard Anstey said: "Most Internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the Internet address bar - it's an easy mistake to make.
"However, what they don't realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an adword that closely matches any part of that link."
According to the IBT, the security flaw was discovered by Intralinks when it was analysing Web traffic to its own website.
"During a routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data," the company said in a blog post.
Anstey said the company was able to access a large number of files from these shared links: "In one case, corporate information including a business plan was uncovered. We also found evidence that many people are mingling their personal and professional files, potentially presenting privacy and security concerns for organisations."