A Dropbox vulnerability that allowed unauthorized access to stored files has been addressed by the cloud storage company. Dropbox also acknowledged a second issue that has led to the exposure of user documents. The latter issue is not a vulnerability according to Dropbox, but rather a user error.
That user error appears to be common, or at least easy to make, as cloud storage competitor IntraLinks came upon “confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes.”
IntraLinks said in a blog post that it made the discovery of links to live folder contents stored on Dropbox and Box while researching those competitors on Google AdWords and Google Analytics.
Users had pasted shared links into the Google search field instead of the URL field of their browsers, so the links were recorded as past searches rather than opened directly.
Dropbox is referring concerned users to its help center and urging caution in dealing with third-party websites like search engines.
Box makes no mention of the issue on its website. “We haven’t noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure,” the company told CSOonline, according to ITNews. “We recommend customers use our broad array of permissions settings to mitigate any potential issues.”
The vulnerability Dropbox has fixed involves the browser's “referer header”: when a user followed a link from within a shared document to a third-party website, the browser sent the full share link, including the part that grants access to the file, to that third-party site as the Referer.
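The leak described above, seen from the defender's side, as an added example that is not code from Dropbox, Box or the article: a share link whose secret sits in the URL is sent as the Referer of every outbound click from a page loaded at that URL. The block shows how the operator of a third-party site could spot such links arriving in their own access logs (and alert on them without copying the secret further), and how a preview page can stop leaking them with the standard `Referrer-Policy: no-referrer` header and `rel="noreferrer"` on anchors. Hostnames, tokens, log lines and the share-link path shapes are all constructed for the example.

```python
"""Added example: spotting and preventing Referer leakage of secret share links.

Capability-style share links put the secret in the URL itself, so any page
loaded from such a URL will, by default, send that URL as the Referer of
every outbound click. This block shows (1) how a site operator can detect
such links arriving in their own access logs and (2) how a preview page can
stop leaking them. Hostnames, tokens and log lines are constructed; the link
path shapes are invented for the example, not Dropbox's or Box's real formats.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample access-log lines (combined log format). Two of them carry
# a share link with its secret token in the Referer field; one line is garbage.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2014:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 512 "https://storage.example/s/abc123xyz/tax_return_2013.pdf?dl=0" "Mozilla/5.0"
203.0.113.9 - - [06/May/2014:10:01:07 +0000] "GET /about HTTP/1.1" 200 210 "https://www.google.com/search?q=cloud+storage" "Mozilla/5.0"
198.51.100.2 - - [06/May/2014:10:02:13 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not in combined log format
198.51.100.7 - - [06/May/2014:10:03:44 +0000] "GET /pricing HTTP/1.1" 200 512 "https://box.example/shared/static/9q8w7e6r/blueprint.dwg" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Invented path shapes for capability links: prefix, secret token, rest of path.
SHARE_LINK_PATTERNS = [
    re.compile(r"^(/s/)([A-Za-z0-9]+)(/.*)$"),
    re.compile(r"^(/shared/static/)([A-Za-z0-9]+)(/.*)$"),
]


def redact_share_link(url):
    """Return the URL with its secret token replaced, or None if it is not a share link.

    The query string and fragment are dropped as well, since they may carry secrets too.
    """
    parts = urlsplit(url)
    for pattern in SHARE_LINK_PATTERNS:
        if pattern.match(parts.path):
            safe_path = pattern.sub(r"\1<redacted>\3", parts.path)
            return urlunsplit((parts.scheme, parts.netloc, safe_path, "", ""))
    return None


def find_leaked_share_links(log_text):
    """Scan access-log text for requests whose Referer is a share link.

    Each hit records who arrived, when, and a redacted form of the leaked link,
    so an alert can be raised without copying the secret into yet another system.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        safe = redact_share_link(m.group("referer"))
        if safe is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "referer": safe})
    return hits


# Mitigation on the sharing side: a preview page served with this header tells
# browsers to send no Referer at all on outbound navigations from it.
PREVIEW_RESPONSE_HEADERS = {"Referrer-Policy": "no-referrer"}


def harden_preview_html(html):
    """Add rel="noreferrer" to every anchor in rendered preview HTML.

    This is the per-link complement to the header above; anchors that already
    carry noreferrer are left untouched, and other rel values are kept.
    """
    def fix_anchor(m):
        attrs = m.group(1)
        if re.search(r'\brel="[^"]*\bnoreferrer\b', attrs):
            return m.group(0)
        if re.search(r'\brel="', attrs):
            attrs = re.sub(r'\brel="([^"]*)"', r'rel="noreferrer \1"', attrs, count=1)
        else:
            attrs += ' rel="noreferrer"'
        return f"<a{attrs}>"
    return re.sub(r"<a\b([^>]*)>", fix_anchor, html)


if __name__ == "__main__":
    for hit in find_leaked_share_links(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} arrived from share link {hit["referer"]}')
    print(harden_preview_html('<a href="https://third-party.example/pricing">pricing</a>'))
```

The detection side is what a site like IntraLinks could have run over its own logs instead of discovering the links by accident; the hits are redacted before they are stored or alerted on, because an incident record full of live capability links is itself a second copy of the exposure. On the sharing side, the header covers every navigation away from the preview page, and the anchor rewrite covers documents rendered as HTML in browsers that predate the header.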
Dropbox responded by patching the vulnerability for new links and disabling access to old ones, according to a blog post on the company site. The disabled links quickly became a source of irritation to some users, according to comments following the blog post. Among those comments are questions about why users did not receive emailed notice of links being disabled, and several mentions of competitor services.
Dropbox found itself in an undesired spotlight over its DMCA takedown policy in March, just weeks after an outage prevented file sharing and syncing for 30 minutes.