Skip to main content

Dropbox, Box Drip-Drop Personal Info via Serious Flaw

Do you store files on cloud-storage providers Dropbox or Box? Do you make those files shareable via their special URLs? If so, search engines might be scooping up those allegedly private URLs  and making the files accessible via analysis-focused Web services such as Google Analytics or Google AdWords. 

Cloud-storage company Intralinks discovered this apparent security flaw while scoping out the search-engine traffic of its rivals Dropbox and Box. Intralinks employees noticed that Google AdWords' analysis of Dropbox and Box included clickable links to very sensitive files, including tax returns, business plans and mortgage applications.

MORE: Best Antivirus Software 2014

So what's going on here? Services like Dropbox and Box let users make documents shareable via URL. That means anyone with the specific URL of a document is able to view that document. This is useful for sharing documents and collaborating on projects. 

Shared URLs should not be indexed by a search engine, yet somehow  Google Analytics and Google AdWords are getting hold of these links. That's how Intralinks, via a simple and totally legal analysis of Dropbox and Box's Web traffic, was able to see these URLs along with the rest of the data that Google AdWords had gathered.

How is this happening? Intralinks suggests that search engines might be acquiring these links because some people copy and paste the URLs of shared Dropbox or Box files into a search engine instead of the browser's URL field. 

Tech-savvy readers might think this a silly mistake to make, but on some browsers, a built-in search engine field is located right next to the URL field, and it'd be easy to copy-paste a URL into one rather than the other.

Security expert Graham Cluley suggests another possibility for how search engines are scooping up these supposedly private URLs: If a Dropbox or Box document contains a link to a third-party site, which a user clicks on from within Dropbox or Box, the referring URL sent to that third-party site will include the URL of the supposedly private Dropbox or Box document.

Dropbox has addressed this latter vulnerability, the company announced in a blog post last night (May 5). However, Cluley points out that Dropbox's solution does not address the issue of people entering shared links into search engines, which is how the private links in Intralinks' Google AdWords campaign reached them in the first place.

This doesn't mean all Dropbox and Box documents are susceptible -- just ones that have been set to be shareable via URL. Users know that  anyone with the URL to that document can view it. Still, these URLs shouldn't be leaking out to search engines, and from there, to anyone with a related Google AdWords campaign.

Dropbox does let users restrict access to Share Links, but this feature is only available in the paid "Business" version of the service, not the free version that most people use for their personal documents.

Box allows users to restrict access to shared links on the personal and the business versions of its service, but this feature is not enabled by default. Box users should make sure they check "Restrict shared links to collaborators only" when sharing documents.

UPDATE: Intralinks told Cluley that it had informed Dropbox of this vulnerability last November, but Dropbox did nothing, claiming that it wasn't an issue since link sharing can be disabled. It wasn't until Intralinks finally contacted Cluley and other media outlets that Dropbox took action.

"In short, Dropbox dropped the ball," Cluley wrote on his blog.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.