Dropbox is peeking at your files

Security researchers discovered that Dropbox opens certain file types after upload. Dropbox explained that the behavior is part of a feature, but insidious or not, it has compliance and data security implications.

Dropbox is making headlines again, and not in a good way. Security researchers used a honeypot approach to discover that Dropbox opens some files once they're uploaded. 

The Western North Carolina Infosec Community (WNC Infosec) used HoneyDocs, a Web-based service that "buzzes home" when a document is opened, alerting you to a possible compromise or data leak. The researchers set out specifically to determine whether cloud storage services like Dropbox might be handling data in ways the user is unaware of. 
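As an added illustration, not part of the original article or of the HoneyDocs service, the Python below shows the defender's side of the "buzzes home" idea: a registry of beacon tokens tied to planted documents, a few constructed beacon-server log lines, and a check that reports which planted documents were opened from outside the owner's own networks. The log format, tokens, IP ranges and user agents are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed registry: beacon token -> (planted document, where it was uploaded)
CANARIES = {
    "3f9a1c": ("Q3-payroll.docx", "dropbox"),
    "b77e02": ("patient-list.pdf", "dropbox"),
    "9d0e44": ("vendor-contract.pdf", "local-share"),
}

# Constructed beacon hits, as a "buzz home" endpoint might log them:
# timestamp, client IP, request for the beacon image, User-Agent
BEACON_LOG = """\
2013-09-10T14:02:11Z 198.51.100.7 GET /b/3f9a1c.png UA="Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-10T14:02:44Z 203.0.113.25 GET /b/3f9a1c.png UA="Python-urllib/2.7"
2013-09-10T14:03:02Z 203.0.113.31 GET /b/b77e02.png UA="Python-urllib/2.7"
2013-09-10T14:05:19Z 198.51.100.7 GET /b/9d0e44.png UA="Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-10T14:06:00Z 203.0.113.40 GET /b/ffffff.png UA="curl/7.30"
"""

# Constructed: networks the document owner's own machines use; any other source is a third party
OWN_NETWORKS = [ip_network("198.51.100.0/24")]

LINE = re.compile(r'^(\S+) (\S+) GET /b/([0-9a-f]+)\.png UA="([^"]*)"$')

def parse_hits(log):
    """Parse beacon log lines into dicts; lines that do not match the format are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ip, token, ua = m.groups()
        hits.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "ip": ip, "token": token, "ua": ua})
    return hits

def third_party_opens(log, own_networks=OWN_NETWORKS, canaries=CANARIES):
    """Map each planted document to the opens that came from outside the owner's networks."""
    report = defaultdict(list)
    for h in parse_hits(log):
        if h["token"] not in canaries:
            continue  # unknown token: not one of our documents
        if any(ip_address(h["ip"]) in net for net in own_networks):
            continue  # the owner opened it, which is expected
        name, location = canaries[h["token"]]
        report[name].append({"location": location, "ip": h["ip"], "ua": h["ua"], "ts": h["ts"]})
    return dict(report)
```

With the constructed data, both documents placed in "dropbox" show an open from an address outside the owner's network with a scripted user agent, while the document kept on the local share shows none.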

According to Dropbox, this is normal behavior, and nothing to be concerned about. Dropbox has automated backend processing to generate previews of certain file types. In a nutshell, the suspicious file activity is part of a feature that allows Dropbox users to view Word, PowerPoint, PDF, and text files directly from a Web browser without having to have a compatible program installed to open them.

That's convenient, and it's all well and good, but it doesn't really change the equation much in terms of data privacy. For businesses--with employees using personal Dropbox accounts to store and transfer sensitive company data--it may also be a security compliance issue. 

As it has done with past questions of privacy and data security, Dropbox assures users that only a small handful of Dropbox employees are authorized to access customer data. According to Dropbox policy, "We have strict policy and technical access controls that prohibit employee access except in these rare circumstances."

There is nothing concerning going on per se, at least for individuals. However, regardless of Dropbox's good intentions, the behavior of opening files to generate Web-based previews may not sit well with some compliance directives. For example, SOX (Sarbanes-Oxley), PCI-DSS (Payment Card Industry Data Security Standard), and HIPAA (Health Insurance Portability and Accountability Act) all have requirements in place that govern access to sensitive data. The fact that an unauthorized third party is accessing that sensitive data is a problem. 

Ultimately, though, it comes back to the fact that Dropbox should not be used for business. Period. It is a consumer-oriented service, providing consumer-grade protection. Businesses should be using a more robust cloud data service like Box, or at the very least use Dropbox for Business, which provides more oversight and control of data for IT admins. 


Copyright © 2013 IDG Communications, Inc.