Consumer oriented cloud file sharing sites are the bane of CSOs. While they make the shipping of large documents for collaboration easier than using email, unless tailored for business their relatively poor security is a threat to the enterprise, allowing the opportunity for files to end up in the wrong hands.
Which is why proactive IT departments regularly exhort staff to make sure to use the business versions of such sites. Here’s another reason: Dropbox still hasn’t plugged a hole that allows shareable links to a document to be inadvertently spread to unintended recipients.
As outlined by security blogger Graham Cluley, Dropbox (and competitor Box) don’t require users accessing a shared link to authenticate themselves. If a user pastes the share link into a search engine rather than the browser’s URL box and then clicks on an ad, a Google AdWords server receives the share link as part of the referring URL. The link is then exposed.
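As an added illustration of the leak path described above (not code from the article, Dropbox, Intralinks or Google), the following Python scans constructed ad-click log lines for share links that arrive nested inside a search-engine Referer, the way an ad or analytics operator would detect and redact them before the logs are stored; the share-link hosts, path shapes and ids are assumptions for the example, not values taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: ad-click log lines as an ad server might record them.
# Fields: client IP, request line, Referer header ("-" when none was sent).
SAMPLE_LOG = """\
203.0.113.5 "GET /click?ad=42 HTTP/1.1" "https://www.google.com/search?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123xyz%2Ftax-return-2013.pdf%3Fdl%3D0"
203.0.113.6 "GET /click?ad=42 HTTP/1.1" "https://www.google.com/search?q=cheap+flights"
203.0.113.7 "GET /click?ad=17 HTTP/1.1" "https://app.box.com/s/9f8e7d6c5b4a"
203.0.113.8 "GET /click?ad=17 HTTP/1.1" "-"
"""

# Assumed share-link shapes: host -> path prefix of a capability-style link.
SHARE_LINK_HOSTS = {"www.dropbox.com": "/s/", "dropbox.com": "/s/", "app.box.com": "/s/"}

LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def share_links_in(referer):
    """Return share links found in a Referer value.

    Checks the referer itself and every query-string value, because a link
    pasted into a search box travels nested inside the search page's URL.
    """
    found = []

    def check(candidate):
        parts = urlsplit(candidate)
        prefix = SHARE_LINK_HOSTS.get(parts.netloc.lower())
        if prefix and parts.path.startswith(prefix):
            found.append(candidate)

    check(referer)
    for values in parse_qs(urlsplit(referer).query).values():  # parse_qs percent-decodes
        for value in values:
            check(value)
    return found


def redact(link):
    """Drop everything after the share prefix so the log keeps no usable capability."""
    parts = urlsplit(link)
    prefix = SHARE_LINK_HOSTS[parts.netloc.lower()]
    return f"{parts.scheme}://{parts.netloc}{prefix}<redacted>"


def scan_log(text):
    """Return (client IP, leaked link) for each log line whose Referer carries one."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _request, referer = match.groups()
        for link in share_links_in(referer):
            hits.append((ip, link))
    return hits
```

Setting `Referrer-Policy: strict-origin-when-cross-origin` on the search results page would strip the query string (and with it the pasted link) before the Referer reaches the ad server.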
Competitor Intralinks told Dropbox about the problem last November, but apparently nothing was done. Yesterday Intralinks published a new blog post in which it said that while analyzing one of its Google AdWords campaigns it came across a shareable link that went to an individual’s U.S. income tax return.
“To be clear,” Intralinks stressed, “we gained access to files because users of file sharing applications often don’t take steps to safeguard their data. Most file sharing apps explain how shared links can be used. Nevertheless, many users clearly don’t know or perhaps don’t understand that even if they don’t actively share a link to a file, an unsecured link could still be uncovered and their files could be accessed. With estimates of well over 400 million users of consumer file sharing apps, this is a significant issue.”
Whether this is a Dropbox or a user problem is an interesting question. Cluley says Dropbox doesn’t believe the issue is a vulnerability — at least in the free version. Dropbox for Business has a security setting to restrict access to Share Links. CSOs need to point out this vulnerability and what users can do about it on any file sharing site.
Separately, Dropbox announced an expanded bug bounty program in conjunction with HackerOne to encourage researchers to responsibly disclose software bugs. For now the program covers the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client; and the Dropbox Core SDK. There may also be rewards for novel or particularly interesting bugs in other Dropbox applications.
The minimum bounty for qualifying bugs is US$216. The maximum bounty that Dropbox has paid out under its existing program was US$4,913.