Dropbox and Box users are leaking private data through Google Analytics and Adwords, a competitor has revealed
Dropbox has moved to fix a weakness that allows users of its service, along with those of its arch-rival Box, to accidentally leak private data to other web users. However, security experts have warned that the danger remains.
When users share a file on Dropbox or similar services they send a link intended for the reader alone, but there are two ways in which these links can be leaked to third parties, allowing them to access the files without any restriction.
The vulnerability was uncovered by Dropbox’s competitor Intralinks, which stumbled across the problem and found links to documents including bank statements and mortgage applications during routine use of Google’s Adwords and Analytics services. It says that traffic arriving at a website contains details of the link which sent it there (the referring URL). This can then be picked up by services such as Google Analytics, providing ways for shared Dropbox and Box documents to be leaked to other people.
Open the Dropbox!
“During a routine analysis of Google AdWords and Google Analytics data mentioning competitors’ names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data,” said Intralinks.
Security expert Graham Cluley provides a more detailed explanation on his blog, detailing two ways users can leak a shared document URL to other people.
The first is via Google Adwords, and was noticed by Intralinks. “If a user, attempting to access the document that has been shared with them, puts the Share link into a search engine rather than their browser’s URL box (an easy finger fumble to make),” says Cluley, “then the advertising server receives the Share link as part of the referring URL.”
Intralinks bought an Adwords campaign around Dropbox and Box and when a user carried out a search including either of those words, they saw an advert for Intralinks in their browser. At the same time, Intralinks got details of the search terms as part of the referring URL. The aforementioned finger-fumble sent the direct Dropbox or Box link to Intralinks, giving the company access to a lot of personal files.
The other way data can leak is if users include links within shared documents. Shared documents can include links to third-party sites. If users click a link from within the document, those sites get the referring URL (the address of the shared document) in their traffic statistics.
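The two leak paths above, seen from the receiving site's side: an added example (not from the article, Intralinks or Cluley) that scrubs share links out of referrer values before they reach analytics storage. The host names, the `/s/` path shape and every sample URL are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed share-link shape: <any subdomain>.dropbox.com/s/... or .box.com/s/...
SHARE_LINK = re.compile(
    r"(?<![\w-])(?:https?://)?(?:[\w-]+\.)*(?:dropbox|box)\.com/s/[^\s&#]+",
    re.IGNORECASE,
)

def classify_referrer(referrer):
    """Return (leak_path, safe_value) for one Referer header value.

    'direct'      - the referrer itself is a share link (a link was clicked
                    inside a shared document).
    'search-term' - a share link sits inside a query parameter (the link
                    was pasted into a search box instead of the URL bar).
    None          - nothing to scrub; the value is returned unchanged.
    """
    parts = urlsplit(referrer)
    origin = f"{parts.scheme}://{parts.netloc}"
    if SHARE_LINK.fullmatch(origin + parts.path):
        # Keep only the origin so traffic sources remain countable.
        return "direct", origin + "/[redacted-share-link]"
    # parse_qsl percent-decodes values, so encoded links are caught too.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHARE_LINK.search(value):
            return "search-term", origin + parts.path + "?[redacted-query]"
    return None, referrer

def scrub(referrers):
    """Classify every referrer and return the (leak_path, safe_value) pairs."""
    return [classify_referrer(r) for r in referrers]

# Constructed sample referrers (not real links).
SAMPLE = [
    "https://www.dropbox.com/s/abc123EXAMPLE/statement.pdf?dl=0",
    "https://search.example/results?q=https%3A%2F%2Fapp.box.com%2Fs%2Fxyz789EXAMPLE",
    "https://search.example/results?q=dropbox+pricing",
    "https://notdropbox.com/s/abc123EXAMPLE",
]

if __name__ == "__main__":
    for path, safe in scrub(SAMPLE):
        print(path, safe)
```

Run at the point where referrers are ingested, this keeps the traffic source while dropping the part of the URL that grants access to the file.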
Fixing the problem
The best way to avoid the problem is to not include any clickable links within any shared documents, and to restrict access to the document to only the people you are sharing it with.
Box allows users to restrict access, but the option is not activated by default, and Intralinks’ experience shows it is often not used. People using the free version of Dropbox can’t restrict access to links – they have to pay for the Business version.
Dropbox claims to have fixed the problem in a blog post, but Cluley says the job is not complete: “Dropbox has published a blog post overnight about the issue, saying it has taken action against the hyperlink disclosure vulnerability,” he said. “In other words, Dropbox has fixed one of the problems, but not the one which revealed the private documents to Intralinks.”
Update from Box
Box argues that the problem may not be very serious and says its permissions powers should protect users: “We haven’t noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure,” the company said in response to a Techweek inquiry.
“We recommend customers use our broad array of permissions settings to mitigate any potential issues. Secure content sharing is core to Box, and we’ve invested a lot of energy in our security model around shared links,” the company continued. “When a user generates an open shared link, we display a warning message to help them understand the permissions for that content. We also present several options to help users manage access to their content (for example, links can be password protected or assigned expiration dates). In addition, company admins can ensure organisation-wide secure sharing by setting shared link defaults to company-only or collaborator-only (people in the same shared folder).”
Permissions on Box’s shared links system are explained here.