Dropbox fixes link-sharing data-leaking flaw
Posted on 06 May 2014.
Popular file hosting service Dropbox has announced that it has patched a vulnerability that would make privately shared links accessible to those for whom they weren't intended.


The flaw has been discovered and written about by inter-enterprise content management and collaboration software provider Intralinks, whose "routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box)" revealed "fully clickable URLs" that led them to sensitive documents such as "tax returns, bank records, mortgage applications, blueprints and business plans."

The flaw works in two distinct ways. First, if a user by mistake enters the private link into a search engine instead of the URL bar (a common slip), the link can occasionally surface in search results for terms related to the service or to competing services.

Secondly - and this is the part of the vulnerability Dropbox fixed - when a user opens a document via a private link and clicks a hyperlink in it that points to a third-party website, the browser sends the document's URL, that is the private link itself, to that website in the HTTP Referer header.

"Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document," the company noted.
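The referrer leak described above, as an added example that is not part of the original article and not Dropbox's, Box's or Intralinks' code. It models the Referer value a browser sends when a reader follows an outbound link from a document opened at a private shared-link URL, under each referrer policy (the `no-referrer-when-downgrade` behaviour is what browsers applied by default at the time), and then the third-party side of the story: pulling such links back out of an ordinary combined-format web-server access log. The shared link, its token, the third-party hostnames, the log lines and the `/s/<token>/` share-link pattern are all constructed assumptions for illustration.

```python
"""Shared-link leakage through the HTTP Referer header (added example)."""
import re
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed private shared link: the random path segment is the only
# access control, so anyone who learns the full URL can open the document.
SHARED_LINK = "https://www.dropbox.com/s/q8zt2v0k3m9xw1e/tax-return-2013.pdf"
THIRD_PARTY = "http://accountant.example/contact"        # plain-http target
THIRD_PARTY_TLS = "https://accountant.example/contact"   # https target

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _serialize(parts, path="/", query=""):
    # Referer never carries userinfo or the fragment; only scheme, host,
    # port, path and query can ever be sent.
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, path, query, ""))


def referer_for(document_url: str, target_url: str, policy: str) -> Optional[str]:
    """Referer value sent when navigating document_url -> target_url under
    `policy` (Referrer Policy semantics), or None if nothing is sent."""
    src, dst = urlsplit(document_url), urlsplit(target_url)
    full = _serialize(src, src.path, src.query)   # full URL minus fragment
    origin = _serialize(src)                       # scheme://host/ only
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.hostname, src.port) == \
                  (dst.scheme, dst.hostname, dst.port)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":      # 2014 browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_document(policy: str, target_url: str = THIRD_PARTY_TLS) -> bool:
    """True if the third party learns the secret share token from the Referer."""
    ref = referer_for(SHARED_LINK, target_url, policy)
    return ref is not None and "/s/q8zt2v0k3m9xw1e/" in ref


# Constructed Apache "combined" access-log lines as the third-party
# webmaster would see them. Line 1 is a visitor arriving from the document.
ACCESS_LOG = [
    '203.0.113.7 - - [06/May/2014:09:12:41 +0000] "GET /contact HTTP/1.1" 200 5120 '
    '"https://www.dropbox.com/s/q8zt2v0k3m9xw1e/tax-return-2013.pdf" "Mozilla/5.0"',
    '198.51.100.9 - - [06/May/2014:09:13:02 +0000] "GET / HTTP/1.1" 200 881 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2014:09:15:30 +0000] "GET /contact HTTP/1.1" 200 5120 '
    '"https://www.dropbox.com/" "Mozilla/5.0"',
]

# Combined log format tail: status, bytes, quoted referer, quoted user agent.
LOG_RE = re.compile(r'" (\d{3}) \S+ "([^"]*)" "[^"]*"$')
# Assumed share-link shape: /s/<token>/<name> for files, /sh/<token>/ for folders.
SHARE_RE = re.compile(r"^https?://(?:www\.)?dropbox\.com/(?:s|sh)/[^/]+/")


def harvest_shared_links(log_lines) -> List[str]:
    """Distinct shared-link URLs found in the Referer field, first-seen order."""
    seen, found = set(), []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ref = m.group(2)
        if SHARE_RE.match(ref) and ref not in seen:
            seen.add(ref)
            found.append(ref)
    return found


if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:32} https target -> {referer_for(SHARED_LINK, THIRD_PARTY_TLS, p)}")
        print(f"{'':32} http target  -> {referer_for(SHARED_LINK, THIRD_PARTY, p)}")
    print("harvested from log:", harvest_shared_links(ACCESS_LOG))
```

Under the then-default policy the full shared link reaches any HTTPS third-party site the document links to; only an HTTPS-to-HTTP downgrade suppressed it. A hosting service that serves user documents can close this on its own side by emitting `no-referrer` (or `strict-origin-when-cross-origin`, which still reveals the origin but not the token) for document pages, which is why the harvest step then finds nothing; the page does not state which measure Dropbox actually chose.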

They also added that they have no reports of this vulnerability having been misused, but it seems to me that this means little: even if a third party accessed the link, harvested the information and used it in a way that hurt the user, how would the user know that it happened?

Well, the good news is that this particular leak can't recur: the company has disabled previously shared links and patched the vulnerability, so links created from now on will be safe.

Regarding the issue of users entering a shared link into a search engine and the search engine passing that link on to ad partners, the company commented that it's a well-known problem but that they don't consider it a vulnerability.

"We urge everyone to be careful about providing shared links to third parties like search engines," they simply added.

Box has yet to comment on or react to Intralinks' findings.

Copyright 1998-2014 by Help Net Security.