Dropbox patches link flaw after data leak


Dropbox has patched a flaw in how it treats links to users' shared items, which had allowed sensitive documents to be leaked online.

Dropbox creates a private URL for users to share a document or other file, but this URL can leak through the HTTP "Referer" header, which tells a web server which page a visitor arrived from.

For example, if the document in question contains a link itself, and someone clicks it, the document's private URL will be exposed to the third-party website via the header.

That URL can then be used by unauthorised parties to access the file. Dropbox has already fixed the flaw to keep it from happening in the future, and has disabled previously shared links to protect existing files.
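To make the mechanism concrete, the following Python (an added illustration, not Dropbox's or Box's code) computes the Referer value a browser sends when a user follows a link out of a document served at a secret share URL, under each Referrer-Policy value, and flags whether that value carries the share token. The hostnames and the `/s/<token>/<file>` link format are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed share-link format for this example: /s/<token>/<filename>.
# The token is the only thing protecting the file, so leaking the path leaks the file.
SHARE_PATH = re.compile(r"^/s/[A-Za-z0-9]{12,}/")

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referer_sent(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when navigating from page_url to target_url
    under the given Referrer-Policy, or None if it sends none. The default here was
    the effective browser default in 2014; browsers now use strict-origin-when-cross-origin."""
    same_origin = origin(page_url) == origin(target_url)
    downgrade = page_url.startswith("https://") and target_url.startswith("http://")
    full = urlsplit(page_url)._replace(fragment="").geturl()  # fragment is never sent
    only_origin = origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return only_origin
    if policy == "strict-origin":
        return None if downgrade else only_origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else only_origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else only_origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")

def leaks_share_token(referer):
    """True if the Referer value carries a share token, i.e. the file's private URL."""
    return referer is not None and SHARE_PATH.match(urlsplit(referer).path) is not None

if __name__ == "__main__":
    doc = "https://share.example.com/s/Ab3dE6gH9jK1mN/tax-return.pdf"  # constructed
    link = "https://third-party.example/article"                        # constructed
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        r = referer_sent(doc, link, pol)
        print(f"{pol:32} -> {r!r}  leaks token: {leaks_share_token(r)}")
```

A service hosting shared files closes this hole by sending `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) on the share page, or by marking outbound links `rel="noreferrer"`, so the third-party site sees at most the origin.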

"We’re working to restore links that aren’t susceptible to this vulnerability over the next few days," Dropbox said in a blog post. "In the meantime, as a workaround, you can re-create any shared links that have been turned off."

The flaw was also flagged up in rival service Box, which has yet to issue a statement. Security analyst Graham Cluley has said that Box users can restrict shared links in their security settings, and has advised them to delete shared links once they're no longer needed.

"The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves," said Cluley in a blog post. "It’s clear that for a higher level of security this should be a default way in which the services should work."

Cluley stressed that the flaw wasn't theoretical. "It's happening right now - exposing tax returns, financial records, mortgage applications and business plans," he said.

Insecure discovery
The problem was uncovered by rival storage firm Intralinks. While working on a Google AdWords campaign to attract business from Dropbox and Box, it noticed that Google's suggested search terms included direct links to users' shared documents.

Intralinks suggested in a blog post that this was because people were entering the URLs of shared items into the search bar of their browser - hardly an uncommon practice - causing them to be recognised as searches by AdWords.

"To be clear, we gained access to files because users of file sharing applications often aren’t taking simple precautions to safeguard their data," the company said in its blog post. "When used this way, all file sharing apps are potentially vulnerable."

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing