Dropbox fixes flaw that exposed user documents

Vulnerability affected documents that had embedded links and were shared without access controls

Dropbox has patched a vulnerability that made it possible for unauthorized people to view documents that had been shared through the online file-sharing service.

Competitor IntraLinks, which claimed the vulnerability also affected rival Box, notified Dropbox last November of the problem. Box said it has not seen any abuse of subscribers' shared links.


IntraLinks also reported that links to Dropbox users' documents were appearing during routine analysis of Google AdWords and Google Analytics data. IntraLinks found the links while doing research on its rival.

The links showed up on Google's tools for advertisers because of Dropbox user error. Rather than place a shared link into a browser's URL field, users apparently dropped it into the Google search engine.

The mistake was found to be costly, since IntraLinks claimed to have found highly sensitive documents, such as tax returns, bank records, mortgage applications, blueprints and business plans.

Because the information is shared as a result of user error, Dropbox does not consider the exposed data the result of a flaw and has directed users to its help center.

"This is well known and we don't consider it a vulnerability," Aditya Agarwal, vice president of engineering at Dropbox, said on the company's blog. "We urge everyone to be careful about providing shared links to third parties like search engines."

The patched vulnerability involved the "referrer header" that browsers send. When a person clicks on a link, the browser sends the header, which identifies the page the click came from, to the destination site so that site can track where its traffic originates. This is a standard operation on the Web.

The problem for Dropbox users started when shared documents had embedded links. If the recipient clicked on the link, then the referrer header sent to the site contained the URL to the shared document.

"Someone with access to the header, such as the webmaster of the third-party website, could then access the link to the shared document," Agarwal said.
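The chain described above, modelled as an added example that is not code from Dropbox, Box or IntraLinks: what a browser puts in the referrer header under each Referrer-Policy value, how a third-party site owner would see leaked share links in an access log, and the two measures a sharing service's preview page can apply to stop the disclosure. The share-link format (https://files.example/s/<token>/<filename>) and the log lines are constructed stand-ins, not Dropbox's real URL layout or any real traffic.

```javascript
// Added example (not Dropbox's, Box's or IntraLinks' code). Models the
// referrer leak from a shared-document preview page and two mitigations.
// The share-link shape below is a constructed stand-in for illustration.

const SHARE_LINK = /https?:\/\/files\.example\/s\/[A-Za-z0-9]+\/[^\s"]*/;

// The Referer a browser sends for a cross-origin click from `pageUrl` under
// the given Referrer-Policy. Assumes the destination is https, so no policy
// treats the navigation as a downgrade. The legacy browser default,
// "no-referrer-when-downgrade", sends the whole page URL: that is the
// behaviour that handed the shared-document link to the destination site.
function refererFor(pageUrl, policy = 'no-referrer-when-downgrade') {
  const u = new URL(pageUrl);
  switch (policy) {
    case 'no-referrer':
    case 'same-origin':                 // cross-origin click, so nothing is sent
      return null;
    case 'origin':
    case 'strict-origin':
    case 'origin-when-cross-origin':
    case 'strict-origin-when-cross-origin':
      return u.origin + '/';            // origin only, serialised with a trailing slash
    case 'no-referrer-when-downgrade':
    case 'unsafe-url':
      return u.origin + u.pathname + u.search; // full URL; the fragment is never sent
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Constructed access-log lines (combined log format) as the third-party
// webmaster in the article would see them. The Referer is the second-last
// quoted field on each line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [17/Mar/2014:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://files.example/s/k3j9x2/tax-return-2013.pdf" "Mozilla/5.0"',
  '203.0.113.6 - - [17/Mar/2014:10:02:11 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://files.example/" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Mar/2014:10:03:45 +0000] "GET /docs HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [17/Mar/2014:10:04:09 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://files.example/s/k3j9x2/tax-return-2013.pdf" "Mozilla/5.0"',
];

// Return every distinct share link that arrived in a Referer, with a hit
// count. A site owner can run this over their own logs to learn whether
// capability URLs are reaching them and should be purged rather than kept.
function findLeakedShareLinks(lines) {
  const hits = new Map();
  for (const line of lines) {
    const m = line.match(/"([^"]*)" "[^"]*"$/);   // referer, then user-agent
    if (!m) continue;
    const link = m[1].match(SHARE_LINK);
    if (link) hits.set(link[0], (hits.get(link[0]) || 0) + 1);
  }
  return [...hits].map(([url, count]) => ({ url, count }));
}

// Defensive side, for the page that renders a shared document:
// (1) send Referrer-Policy: no-referrer so the browser never discloses the
//     page URL on outbound navigation, and
// (2) add rel="noreferrer" to every outbound anchor, so the same holds in
//     older browsers that ignore the response header.
function hardenPreviewResponse(html) {
  const body = html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const rel = attrs.match(/\brel\s*=\s*"([^"]*)"/i);
    if (!rel) return `<a${attrs} rel="noreferrer">`;
    if (rel[1].split(/\s+/).includes('noreferrer')) return tag;
    return '<a' + attrs.replace(rel[0], `rel="${rel[1]} noreferrer"`) + '>';
  });
  return { headers: { 'Referrer-Policy': 'no-referrer' }, body };
}

// Stand-alone run: show the leak under the legacy policy and the mitigation.
console.log(refererFor('https://files.example/s/k3j9x2/tax-return-2013.pdf'));
console.log(findLeakedShareLinks(SAMPLE_LOG));
console.log(hardenPreviewResponse('<p><a href="https://third.example/">site</a></p>'));
```

The `refererFor` table is the reason the restricted-recipient links in the article were safe regardless of policy: a site that demands a login for the link gains nothing from learning the URL, whereas a link that is open to anyone who holds it is a bearer credential, and bearer credentials should never travel in a header the other side logs by default.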

Dropbox has disabled access to all affected documents. Users can go back and re-create a shared link, since the problem has been fixed for all documents shared as of Monday.

Dropbox users, including customers of the paid Dropbox for Business service, were not affected if they had restricted the shared link to specific recipients. By default, anyone who has the link can open it.


Box takes a different approach. When users generate a shared link, they see a message that explains what the permissions are for the content and how access can be further controlled.

"We haven't noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure," the company said in a statement sent to CSOonline Tuesday. "We recommend customers use our broad array of permissions settings to mitigate any potential issues."

Copyright © 2014 IDG Communications, Inc.
