The Latest in IT Security

Dropbox Storage Service Patches Privacy Issue

06 May 2014

Cloud storage provider Dropbox said it has fixed a vulnerability that could expose user content to third-parties.

According to the company, the vulnerability impacted shared links to files containing hyperlinks. Users are permitted to share links to any file or folder in their Dropbox, Dropbox’s Aditya Agarwal explained in a blog post. Files shared via links are accessible only to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.

The user, or an authorized recipient of the link, clicks on a hyperlink in the document.

At that point, the referer header discloses the original shared link to the third-party website.

Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

When services do not require authentication by default, users can all too easily begin to leak information, opined security researcher Graham Cluley.

“In summary,” he blogged, “shared links that were intended for a limited, controlled audience, containing sensitive information may be disclosed to third-parties.”

Dropbox said it is not aware of the issue being exploited, and has disabled access entirely for previously shared links. It is working to restore links that aren’t susceptible to the vulnerability during the next few days. In the meantime, customers can recreate any shared links that have been turned off, according to Agarwal.

“For all shared links created going forward, we’ve patched the vulnerability,” Agarwal blogged. “Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected.”


Brian Prince is a Contributing Writer for SecurityWeek.
