Cloud-based file syncing and sharing service Dropbox has taken steps to fix a security vulnerability, but only after media attention to the issue.
Dropbox competitor Intralinks discovered the security vulnerability when examining its Google Analytics web traffic data and Google Adwords reports.
Intralinks found that the web traffic data included links to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans, according to a blog post.
The vulnerability stems from the HTTP referer header, which was designed to let websites understand where their traffic comes from and is implemented as standard practice in all browsers.
Whenever a user clicks a link in any browser, the site they land on learns the address of the page they came from through the referer header.
Dropbox users can share links to any file or folder in their Dropbox. Files shared via links are only accessible to people who have the link.
However, when a user viewing a shared document clicks a link in it to a third-party website, the referer header discloses the shared link to that site, so the document can be inadvertently exposed to unintended recipients.
Dropbox has now disabled access to links that have been previously shared and implemented a patch to prevent shared links from being exposed from now on.
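As an added illustration of the mechanism described above (not code from the original article, nor from Dropbox or Intralinks), the following Python model computes the Referer value a browser sends when a user follows a link out of a shared-document page, under each Referrer-Policy value. The shared-link URL and hostnames are constructed; the policy rules follow the W3C Referrer Policy specification.

```python
"""Model of the Referer header a browser sends when a user follows a link from a
page whose own URL is a secret (a shared link), and how each Referrer-Policy
value trims it. Rules follow the W3C Referrer Policy spec; URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed shared-link URL: the path carries the capability token, so any
# site that receives this URL in a Referer header can open the file.
SHARED_LINK = "https://share.example.com/s/SECRET_TOKEN/tax-return.pdf?dl=0"

def _origin(url):
    """Origin serialisation as sent in Referer: scheme://host[:port]/"""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))

def _full(url):
    """Referer never carries the fragment or user credentials; strip both."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def referer_for(policy, source, dest):
    """Referer value sent when navigating source -> dest, or None if omitted."""
    src, dst = urlsplit(source), urlsplit(dest)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full, origin = _full(source), _origin(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy browser default
        return None if downgrade else full       # full URL leaks cross-origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same_origin else (None if downgrade else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def leaks_secret(policy, source, dest, secret="SECRET_TOKEN"):
    """True when the Referer the browser would send still contains the token."""
    ref = referer_for(policy, source, dest)
    return ref is not None and secret in ref
```

Under the legacy default, a click from the shared document to an https third-party site sends the complete shared link; a `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin` response header on the document page is what stops the token leaving.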
Intralinks' tips to protect data
- Check your sync and share service to see if it supports privacy settings
- Set your account to ‘private’ using basic security settings
- If you have already shared sensitive files in a public folder, delete them and re-upload them in a new, private folder
- Get into the habit of deleting files from your sync and share application once you no longer need them
- Keep business files and personal files in separate accounts
But the company only did so after media enquiries about the leaks discovered by Intralinks, even though Intralinks informed Dropbox of the vulnerability four months ago, according to independent security consultant Graham Cluley.
“Intralinks tells me that it privately informed Dropbox that data was being leaked via the shared link vulnerability in late November 2013,” he wrote in a blog post.
At the time, Dropbox responded to the warning by saying: “We don’t believe this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab.”
Although Dropbox has now responded to one of the vulnerabilities highlighted by Intralinks, the company claims it is unaware of any abuse of the vulnerability, despite Intralinks proving that sensitive documents were exposed.
Dropbox has dismissed a second vulnerability highlighted by Intralinks relating to Google Adwords. The company said: “We’re aware of a second issue that’s been reported about shared links.
“This involves a user entering a shared link into a search engine and the search engine passing that link on to ad partners.
“This is well known and we don’t consider it a vulnerability. We urge everyone to be careful about providing shared links to third parties like search engines.”
Intralinks notes that it gained access to files because users of file-sharing applications often do not take simple precautions to safeguard their data.
“When used this way, all file-sharing apps are potentially vulnerable,” the company said.
Intralinks also said that when using file-sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data.
“The bottom line is that it is really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured,” the company said.