Warning: Dropbox and Box File Sharing Security Bug


Do you use Dropbox or Box to back up your most important files and share them with your co-workers or friends? If so, you might also be sharing them with somebody you have never met.

Intralinks discovers sharelink disclosure vulnerability in Dropbox and Box

A recent report from Intralinks – a cloud storage service provider and a direct competitor of both Dropbox and Box – details how the company found a sharelink disclosure vulnerability in both Dropbox.com and Box.com.

It works like this:

When creating Google Ad campaigns, competitors bid on one another’s company names as keywords. So, for example, if you were a consumer interested in buying cloud storage and file sharing from Dropbox and you Googled “Dropbox,” you would be presented with a direct link to Dropbox.com alongside ads from its competitors, Box and Intralinks. If one of those competitors’ ads caught your eye and you clicked on it, that competitor could look at its Google Ad campaign metrics and see that the search term “Dropbox” brought you to its website.

This is all well and good. However, when analyzing its latest Google Ad campaign metrics, Intralinks noticed something quite peculiar. Alongside competitor company names and other common search phrases, the search-term report listed direct sharelinks to sensitive documents hosted on Dropbox.com and Box.com: someone had entered a full sharelink URL into the Google search box, Google had shown the Intralinks ad against that query, and the URL was recorded as the search term that led to the click.

When Intralinks employees pasted these sharelinks into their web browser’s address bar, they were granted direct access to individual Dropbox/Box user files. According to a statement from Intralinks’ CTO, Richard Anstey, the files included “several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was [also] uncovered.”

How did this happen?

Intralinks’ discovery of the sharelink disclosure vulnerability in Dropbox and Box was somewhat of an accident. When users of either service want to share a file, they give their co-workers or friends a sharelink. Typically the recipient just clicks the link, but sometimes it is copied and pasted into the web browser’s address bar. In rare cases, the user instead pastes the sharelink into the Google search box, where Google treats the whole URL as a search query and serves ads against it, competitors’ ads included. This third scenario is how Intralinks discovered the Dropbox/Box sharelink disclosure vulnerability.

Why is this a problem?

The sharelinks Intralinks found in its Google Ad metrics granted its employees direct access to Dropbox/Box user files with no authentication required, and no Dropbox or Box account either: the link itself is the credential, and anyone holding it can open the file. That meant any Intralinks employee with access to the campaign report could read those files. It also means that any other company whose Google Ad campaign was shown against such a search could potentially do the same.

Hyperlink disclosure also an issue

Independent security blogger Graham Cluley has also weighed in on this issue, and he is quick to point out that it extends to hyperlinks embedded in documents stored on Dropbox as well.

That is to say, if a document you have stored on Dropbox contains a link to any website, and someone clicks that link while viewing the document in Dropbox’s previewer, the browser navigates to that website and sends the address of the page it came from, your sharelink, in the HTTP Referer header. Anyone who can read that website’s server logs or analytics can then copy your sharelink and view your file.

This is perhaps a bigger problem than the search-term disclosure because it can hand direct file access to the operator of any website linked from a shared document, and it needs no mistake by the person sharing, only a click by a viewer. Additionally, including hyperlinks in a shared document is an extremely common practice among online collaborators.
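Both leak paths described above, the search-term report and the Referer header, leave the sharelink sitting in data that an ordinary website operator already collects. The following added example (not code from the article or from Intralinks) shows how an operator could scan a Google Ads search-term export and a combined-format access log for such links. The URL shapes it matches, the CSV column names and every sample row are constructed assumptions made for illustration.

```python
"""Find Dropbox/Box share links that have leaked into two places the article
describes: a Google Ads search-term report and a website's access log (the
Referer field). Added example, not the article's or Intralinks' code. The
share-link URL shapes below are an assumption for illustration, and all sample
data is constructed."""
import csv
import io
import re

# Assumed share-link shapes: Dropbox "/s/<token>/<filename>", Box "/s/<token>"
# (Box share links may sit under a company subdomain such as acme.app.box.com).
SHARE_LINK_RE = re.compile(
    r"https?://(?:www\.)?dropbox\.com/s/[A-Za-z0-9]+/[^\s\"'<>,?]+"
    r"|https?://(?:[a-z0-9-]+\.)*box\.com/s/[A-Za-z0-9]+",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format; the second quoted field is the Referer.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def service_of(url):
    """Name the service a matched share link belongs to."""
    return "dropbox" if "dropbox.com/" in url.lower() else "box"


def leaked_search_terms(report_csv):
    """Rows of a search-term export whose query is itself a share link,
    i.e. someone pasted the link into the search box instead of the address bar."""
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        m = SHARE_LINK_RE.search(row["Search term"])
        if m:
            hits.append({"service": service_of(m.group(0)), "url": m.group(0),
                         "clicks": int(row["Clicks"])})
    return hits


def leaked_referers(access_log):
    """Requests whose Referer header carried a share link: a visitor clicked a
    hyperlink inside a document while viewing it in the service's previewer."""
    hits = []
    for line in access_log.splitlines():
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        link = SHARE_LINK_RE.search(m.group("referer"))
        if link:
            parts = m.group("request").split(" ")
            hits.append({"service": service_of(link.group(0)), "url": link.group(0),
                         "client": m.group("ip"),
                         "path": parts[1] if len(parts) > 1 else ""})
    return hits


# Constructed sample data (RFC 5737 documentation addresses, made-up tokens).
SEARCH_TERMS_CSV = """Search term,Clicks,Impressions
dropbox,41,1203
box alternative,12,540
https://www.dropbox.com/s/a1b2c3d4e5f6g7h/2013_tax_return.pdf,1,1
https://app.box.com/s/q9w8e7r6t5y4u3i2o1p0,1,2
secure file sharing,7,310
"""

ACCESS_LOG = """\
203.0.113.7 - - [05/May/2014:14:02:11 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://www.dropbox.com/s/a1b2c3d4e5f6g7h/business_plan.docx" "Mozilla/5.0"
198.51.100.23 - - [05/May/2014:14:03:40 +0000] "GET / HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [05/May/2014:14:05:02 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.77 - - [05/May/2014:14:07:19 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://acme.app.box.com/s/zx9cv8bn7m6" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in leaked_search_terms(SEARCH_TERMS_CSV):
        print("search term leak:", hit)
    for hit in leaked_referers(ACCESS_LOG):
        print("referer leak:", hit)
```

On the constructed data the scan reports two leaked links from the search-term export and two from the log (the Google and empty referers are ignored). The point for an operator is that these links are live credentials: treat a hit as sensitive data in your own logs, not just as a curiosity, and do not open the links.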

How Can I Protect My Information?

The issue at hand is that Dropbox/Box sharelinks are not secure: the URL itself is the secret, and whoever obtains it, by whatever route, gets the file. This is not breaking news, as both service providers warn their users that anyone with a sharelink can access the file it links to. That Intralinks, a direct competitor to both Dropbox and Box, has made this disclosure must also be taken into consideration. The astute reader may indeed wonder: Is this a real threat? Or is it simply competitor bashing?

Regardless of the disclosure’s intent, the threat is real:

  • Free Dropbox accounts do not have security settings to regulate sharelinks. That means anyone with a sharelink can access that file.
  • Free and paid-business Box accounts do have security settings to regulate sharelinks, but they are not enabled by default.

For sufficient protection, we recommend:

  • Upgrading to a Dropbox business account and enabling its sharelink security settings
  • Enabling sharelink security settings in your free or paid Box account
  • Using caution when distributing sharelinks and deleting them when you no longer need them
  • Keeping personal and financial file sharing separate, as most personal accounts do not include robust enough security settings
  • Considering alternative backup and file sharing solutions

As of today, Dropbox has published a blog post stating that it has mitigated the hyperlink (Referer) disclosure vulnerability in its infrastructure. The post does not mention remedying the search-term sharelink disclosure detailed by Intralinks, and Box has not yet issued a similar statement.
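The Dropbox fix is on the service side. As a general illustration of how a service that renders document previews can stop the Referer leak described above, the following added example (not Dropbox’s or Box’s code, and not a description of how either service actually fixed the issue) rewrites a preview page so the browser sends no referrer on outbound links and sets the matching response header; the sample page is constructed.

```python
"""Serve a document preview so that clicking a hyperlink inside it does not
leak the preview page's URL (the sharelink) in the Referer header. Added
example of the general technique; it is not Dropbox's or Box's code and does
not describe how either service actually fixed the issue."""
from html import escape
from html.parser import HTMLParser

# Three layers: a response header for browsers that honour Referrer-Policy,
# a <meta> tag carried by the document itself, and rel="noreferrer" per link.
REFERRER_POLICY = {"Referrer-Policy": "no-referrer"}
META_NO_REFERRER = '<meta name="referrer" content="no-referrer">'
LINK_REL = {"noreferrer", "noopener"}


class LinkHardener(HTMLParser):
    """Re-emit the HTML, adding rel="noreferrer noopener" to every <a href>
    and a no-referrer <meta> tag right after <head>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit(self, tag, attrs, selfclosing=False):
        if tag == "a" and any(k == "href" for k, _ in attrs):
            tokens = set(LINK_REL)
            for k, v in attrs:
                if k == "rel" and v:
                    tokens.update(v.split())  # keep the author's own rel tokens
            attrs = [(k, v) for k, v in attrs if k != "rel"]
            attrs.append(("rel", " ".join(sorted(tokens))))
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs
        )
        self.out.append(f"<{tag}{rendered}{' /' if selfclosing else ''}>")
        if tag == "head":
            self.out.append(META_NO_REFERRER)

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def harden_preview(html):
    """Return (response headers, rewritten HTML) for a preview page."""
    parser = LinkHardener()
    parser.feed(html)
    parser.close()
    return dict(REFERRER_POLICY), "".join(parser.out)


# Constructed preview page for a shared document that contains outbound links.
PREVIEW_HTML = (
    "<!DOCTYPE html><html><head><title>business_plan.docx</title></head>"
    '<body><a id="top"></a><p>See <a href="https://example.com/market" rel="nofollow">'
    'our research</a> and <a href="http://example.org/">partner site</a>.</p></body></html>'
)

if __name__ == "__main__":
    headers, page = harden_preview(PREVIEW_HTML)
    print(headers)
    print(page)
```

Two caveats. The header and the meta tag only matter for pages the service renders itself; if the service hands the original file to the user’s own viewer, that viewer decides what referrer to send. And none of this helps with the first leak path, where the user pastes the sharelink into a search box: only link controls on the sharing side (passwords, expiry, revocation) address that.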

Have a Great (Breach-Free) Day!