The flaw has been discovered and written about by inter-enterprise content management and collaboration software provider Intralinks, whose "routine analysis of Google AdWords and Google Analytics data mentioning competitors’ names (Dropbox and Box)" revealed "fully clickable URLs" that led them to sensitive documents such as "tax returns, bank records, mortgage applications, blueprints and business plans."
The flaw works in two distinct ways. First, if by mistake, a user enters the private link in a search engine instead of the URL bar (a mistake that happens often), than the link can occasionally pop-up in search results for search terms linked to the service or competing services.
Secondly - and this is the part of the vulnerability Dropbox fixed - users who click on hyperlinks that point to third-party websites and are included in a document shared via private link inadvertently share the link with the third-party website by way of referrer headers.
"Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document," the company noted.
They also added that they have no reports about this vulnerability having been misused, but it seems to me that this means nothing. Even if a third-party accessed the link, harvested the information and used it in a way that hurt the user, how would the user know that it happened?
Well, the good news is that this can't happen again - the company has disabled previously shared links and have patched the vulnerability, so future ones will be safe.
Regarding the issue of users entering a shared link into a search engine and the search engine passing that link on to ad partners, the company commented that it's well known problem but that they don’t consider it a vulnerability.
"We urge everyone to be careful about providing shared links to third parties like search engines," they simply added.
Box has yet to comment on or react to Intralinks' findings.