
Dropbox users accidentally leak private files

Warning from storage sites over users unintentionally leaking own files online


Users of cloud storage services such as Dropbox and Box are inadvertently leaking tax returns, mortgage applications, bank information and personal photos online.

According to the International Business Times, the revelation has come from cloud storage company Intralinks, which has discovered that a flaw in the sharing system employed by Dropbox and Box means that links shared with specific people are easily accessible by third parties.

Dropbox has said in a blog post that it has taken steps to address the issue and is unaware of any abuse due to the vulnerability. The post also said that users don't need to take any further action.

"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments."

It admitted that "shared links to documents can be inadvertently disclosed to unintended recipients" in the following scenario: a user shares a link to a document that contains a hyperlink to a third-party website; the user, or an authorised recipient of the link, clicks on a hyperlink in the document; at that point, the referrer header discloses the original shared link to the third-party website. Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

According to the BBC, security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.

"I think these services need to be more upfront with warnings," he said.

However, he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.


Intralinks' chief technology officer for Europe, Middle East and Africa, Richard Anstey, said: "Most Internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the Internet address bar - it's an easy mistake to make.

"However, what they don't realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an adword that closely matches any part of that link."

According to the IBT, the security flaw was discovered by Intralinks when it was analysing Web traffic to its own website.

"During a routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data," the company said in a blog post.

Anstey said the company was able to access a large number of files from these shared links: "In one case, corporate information including a business plan was uncovered. We also found evidence that many people are mingling their personal and professional files, potentially presenting privacy and security concerns for organisations."
