Earlier last month, Dropbox disabled access to previously created shared links to certain kinds of documents. This occurred after some users' sensitive documents, including bank records, were discovered to have been exposed and found on Google AdWords. Apparently, Box is also affected by this.
How did this happen?
Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
- At that point, the referrer header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
In fact, documents can also get scooped up by advertising servers when users paste shared links into a search engine box rather than a browser’s URL bar, and then click on an ad.
Again, I am not sure why users would do that, but when they do, yes, this apparently happens.
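To make the referrer scenario above concrete, here is an added example (my own code, not anything from Dropbox or Box) that simulates what the Referer header would carry when someone clicks a link out of a shared document, under different values of the browser's Referrer-Policy. The share URL, its token and the third-party host are constructed placeholders. It goes slightly beyond the post by also covering the same-origin and HTTPS-to-HTTP cases, which is how the policies differ in practice.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders: not a real share URL, token or third-party site.
SHARED_DOC_URL = "https://www.example-share.test/s/placeholder-token/bank-statement.pdf?dl=0"
THIRD_PARTY_URL = "https://third-party.test/page"
SHARE_TOKEN = "placeholder-token"

# The policies this simulation understands. "unsafe-url" is the behaviour of
# browsers from before Referrer-Policy existed: the full URL is always sent.
POLICIES = ("unsafe-url", "strict-origin-when-cross-origin", "origin",
            "same-origin", "no-referrer")


def referrer_for_navigation(source_url, dest_url, policy):
    """Return the Referer value a browser would send for a click from
    source_url to dest_url under the given policy, or None if nothing is sent.

    Only the five policies in POLICIES are modelled; credentials and the
    fragment are dropped from the source URL as browsers do before sending.
    """
    src = urlsplit(source_url)
    dst = urlsplit(dest_url)
    origin = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))

    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None          # never leak an HTTPS referrer to plain HTTP
        return full if same_origin else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


def token_leaks(referer, token):
    """True if the secret part of the share link reaches the third party."""
    return referer is not None and token in referer


def leak_report(source_url=SHARED_DOC_URL, dest_url=THIRD_PARTY_URL,
                token=SHARE_TOKEN):
    """Map each policy to (Referer sent, whether the share token leaked)."""
    report = {}
    for policy in POLICIES:
        ref = referrer_for_navigation(source_url, dest_url, policy)
        report[policy] = (ref, token_leaks(ref, token))
    return report


if __name__ == "__main__":
    for policy, (ref, leaked) in leak_report().items():
        print(f"{policy:32s} leaks token: {leaked!s:5s} Referer: {ref}")
```

The point the table makes when you run it: with no policy at all (the "unsafe-url" row), the third-party site's access log receives the complete share URL, token included, and anyone who can read that log can open the document. Any of the other policies keeps the token at home; the sharing service can set that with a Referrer-Policy response header on the document viewer, and a document author can get the same effect per link with rel="noreferrer".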
So what now?
As a stop-gap measure, this means that if you have any old links you still need, you will have to re-enable them manually, which makes those files vulnerable again.
The best bet to ensure the files are safe is simply to change your Shared Link security settings to restrict shared links to collaborators only.
So what is the main problem?
As a classic example of security through obscurity, the fact that the URL itself cannot be revoked already shows that it is a fundamentally insecure sharing mechanism. However "unguessable" the URL may be, the fact that the same URL works for multiple people makes it even less secure.
However, as a bottom line, do not share any of your personal files online! Some of you may believe that security has been provided when it hasn't. Should you store your private details on your mobile then? Well, if I were using an Apple, I would not.