Hyperlinks flaw in Dropbox and Box documents

News by Doug Drinkwater

Confidential records saved with cloud storage providers Dropbox and Box have been exposed, prompting one industry peer to say that it is 'beggars belief' that companies still rely on free file-sharing applications.

The flaw was discovered by cloud storage competitor Intralinks on Tuesday morning, after the New York-based firm was looking through its Google Analytics web traffic from a Good Adwords report.


The report typically tracks web page views, content and how Google Ads performed and it was on the latter that the firm was able to see the vulnerability affecting third-party links sent out by its competitors.


Like most digital media companies, Intralinks runs ads on Google when people search for the name of their rivals. So for example, a search for Dropbox and Box results in an ad for Intralinks, and vice-versa.


At that point, Intralinks found that the Google ads for Dropbox and Box showed fully-clickable URLs necessary to access these documents.


“During a routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data," said the company in a blog post.


The issue appears to stem from how the cloud giants share – and fail to authenticate - on web links sent out to third parties. Users of both services often share documents with people who don't use Dropbox and Box, and so - in a bid to make this less painless - the two firms do this by sending out the URL links by email.


Once received, the recipient simply needs to click on the link. There is no other form of authentication.


Richard Anstey, Intralinks CTO for EMEA, said that the company was able to access a huge number of files by clicking on these shared links.


“In one short and entirely innocently designed ad campaign alone, we found that about five percent of hits represented full links to shared files, half of which required no password to download,” he said on the blog post.


“This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered. We also found evidence that many people are mingling their personal and professional files, potentially presenting privacy and security concerns for organisations."

Since the news broke, Dropbox has temporarily disabled the feature, although Box is yet to respond.

Independent security researcher Graham Cluley said that it was hard to pinpoint the reason for Google Ads picking up these private, highly-sensitive URLs although he suggested that it could be down to a hyperlinks or share link vulnerability.


Cluley noted that the real problem is that there is no other method of authentication.


“The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves. It's clear that for a higher level of security this should be a default way in which the services should work,” he said on his blog.


“As it currently stands, Dropbox and Box share links that were intended for a limited, controlled audience, may be disclosed to third-parties."


All is not lost, though - Cluley says that Box Personal and Business users can restrict access to Shared Lists (although this is not enabled by default), while Dropbox Business account holders can restrict access to Share links. Finally, Cluley says that people using both services should "delete or disable Share Links after they are no longer required. 

Responding to the news, Skyhigh Networks EMEA director Charlie Howe told SCMagazineUK.com that this once again demonstrates the insecurities around the cloud.

"This story serves as further proof, if it were needed, that businesses need to be better aware of their risk profile when it comes to sensitive data and cloud security – as these kinds of files should never be made available to the public,” he said via email.

“If a business is sharing confidential information such as mortgage records, is using cloud services and cannot guarantee that it is protecting this data from unauthorised access, it really doesn't have a grip on its IT security, or the cloud for that matter.

“It's vital that all organisations understand which cloud services have the necessary security and privacy features for business use. For example, Box does in fact have a number of settings that would eliminate this specific vulnerability, as does Dropbox for Business – however, the free version of Dropbox does not. The fact that businesses still use free file-sharing applications when secure, enterprise-ready alternatives exist really beggars belief."


His comments were echoed by Phil Cracknell, head of privacy and security services at Company 85 and part-time CISO at London City Airport and Lebara Mobile.


“Many organisations have little ‘pockets of resistance' or genuinely uneducated users who go ahead and use (these services) to share files for homeworking quite innocently,” he told SCMagazineUK.com.


“I would suggest businesses should expressly forbid it for data which they classify beyond public. I would then say that they should block it and other similar products at the firewall/network choke-point. Finally – educate. Many businesses still have poor or no information security awareness programmes and so they wonder why their users are their biggest threat.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews