Sync & Share Services Security “Bug” Exposed in Cloud Computing


By Kevin Tea

Users of online sync and share services such as Dropbox and Box may be leaving themselves open to security issues, according to rival company Intralinks. The problem reportedly centres on the sharing function that generates a public link. As a precaution, Dropbox has disabled access to links that were previously shared. It said it has also implemented a patch to prevent shared links from being exposed from now on.

The Dropbox blog states:

“For background, whenever you click on a link in any browser, the site you’re going to learns where you came from by something called a referer header. The referer header was designed to enable websites to better understand traffic sources. This is standard practice implemented across all browsers.

“Dropbox users can share links to any file or folder in their Dropbox. Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • At that point, the referer header discloses the original shared link to the third-party website.
  • Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

“While we’re unaware of any abuse of this vulnerability, for your safety we’ve taken the following steps to make sure this vulnerability can’t be exploited:

  • For previously shared links to such documents, we’ve disabled access entirely until further notice. We’re working to restore links that aren’t susceptible to this vulnerability over the next few days.
  • In the meantime, as a workaround, you can re-create any shared links that have been turned off.
  • For all shared links created going forward, we’ve patched the vulnerability.
  • Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected.

Intralinks’ chief technology officer for Europe, Middle East and Africa, Richard Anstey, said: “Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar – it’s an easy mistake to make.

“However, what they don’t realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an ‘adword’ that closely matches any part of that link.”
