Dropbox disables old shared links after tax returns end up on Google

Dropbox has disabled access to previously created shared links to certain kinds of documents after the discovery that some users' sensitive files—including tax returns and bank records—were exposed through Google AdWords campaigns.

The flaw, which is reportedly also present on Box, impacts shared files that contain hyperlinks. "Dropbox users can share links to any file or folder in their Dropbox," the company noted yesterday while confirming the vulnerability:

Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

• A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
• The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
• At that point, the referrer header discloses the original shared link to the third-party website.
• Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

Dropbox said it's not aware of this vulnerability being exploited.

The flaw was discovered by file-sharing company IntraLinks, which was purchasing ads that would appear on Google when people search for the names of its competitors. IntraLinks said that "During a routine analysis of Google AdWords and Google Analytics data mentioning competitors’ names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data. Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans—all highly sensitive information, some perhaps sufficient for identity theft and other crimes."

Box told Ars that it will be issuing a statement on the weakness soon.

Documents can also get scooped up by advertising servers when users paste shared links into a search engine box rather than a browser's URL bar, and then click on an ad. "The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves," security expert Graham Cluley wrote on his blog.

That's a design choice to make sharing links easier, of course. In addition to disabling access to previously shared links, Dropbox said that it has patched the vulnerability "for all shared links created going forward."

"Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected," the company said.

Cluley recommended that Box users change their Shared Link security settings to restrict shared links to collaborators only.

This isn't the first time shared links have come under security scrutiny. In 2011, researchers found that it was possible to access shared files by guessing the URLs.

UPDATE: Box provided a statement, but did not comment on whether the vulnerability affects Box content or whether the company is deploying a patch or any other fix.

Box's statement reads as follows: "Secure content sharing is core to Box, and we've invested a lot of energy in our security model and permissions around shared links. Because every user and customer have different sharing needs, we provide the broadest array of options to make it easy to share content with settings that are as open or as restrictive as needed. When a user generates an open shared link, we display a warning message to help them understand the permissions for that content. We also present several options to help users manage access to their content (for example, links can be password protected or assigned expiration dates). In addition, company admins can ensure organization-wide secure sharing by setting shared link defaults to company-only or collaborator-only (people in the same shared folder)."

After a followup question, a Box spokesperson added, "We haven't noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure. We recommend customers use our broad array of permissions settings to mitigate any potential issues."