Readers with good memories will recall a worrying privacy hole was found in Dropbox after publicly accessible links to private personal information stored on the service leaked out to unauthorised users.

The issue was stumbled across by rival file-sharing service Intralinks, which focuses on the enterprise market.

Intralinks found when running Google AdWords campaigns that it was receiving links to tax returns, financial records, mortgage applications and business plans stored on Dropbox.

Here’s how I described the vulnerability at the time:

Many cloud data storage services provide users with a method to share links with others.

For instance, when a user creates a shareable link on Dropbox or Box, anyone with that link can access the data.

You don’t even have to be a registered user of the service to access a shared link.

If a user, attempting to access the document that has been shared with them, puts the Share link into a search engine rather than their browser’s URL box (an easy finger fumble to make) then the advertising server receives the Share link as part of the referring URL, if the user clicks on an ad.

The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves.

It’s clear that for a higher level of security this should be a default way in which the services should work.

As it currently stands, Dropbox and Box share links that were intended for a limited, controlled audience may be disclosed to third parties.

Intralinks responsibly disclosed the vulnerability privately to Dropbox in November 2013.

Sadly, Dropbox said it did not believe the issue was a vulnerability, and six months later, with Intralinks still alarmed at the information it was able to access, Dropbox had done nothing about it.

But ignoring a problem doesn’t make it go away.

Intralinks yesterday published a new article, saying that it was still (almost 18 months after first making the issue known to Dropbox) receiving links to information that Dropbox users clearly did not intend to fall into unauthorised hands.

Here’s an example of one such document that has recently leaked out due to the share link disclosure vulnerability, a tax return:

Intralinks Field CTO Daren Glenister had this to say on the Intralinks blog about the problem:
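The referrer leak described in the article, seen from the receiving side, as an added example (not code from the article, Intralinks or Dropbox): a scrubber that an ad or analytics operator could run over incoming Referer values so that share links pasted into a search box are redacted before storage. The host list, the `/s/` path prefix, the function names and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: hosts and the "/s/" path prefix used to recognise share links.
SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "box.com", "app.box.com"}
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
REDACTED = "[share-link-redacted]"

# Constructed sample Referer values; the link ID and file name are made up.
SAMPLES = [
    "https://www.google.com/search?q=https%3A%2F%2Fwww.dropbox.com"
    "%2Fs%2Fexampleid123%2Ftax-return.pdf%3Fdl%3D0&hl=en",
    "https://www.bing.com/search?q=secure+file+sharing",
]


def is_share_link(url):
    """True if url is a share path on one of the assumed hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host in SHARE_HOSTS and parts.path.startswith("/s/")


def scrub_value(value):
    """Redact share links inside one decoded query value."""
    found = [u for u in URL_IN_TEXT.findall(value) if is_share_link(u)]
    for url in found:
        value = value.replace(url, REDACTED)
    return value, len(found)


def scrub_referer(referer):
    """Return (referer safe to store, number of share links redacted).

    A share link typed into a search box is carried, URL-encoded, in a
    query parameter of the results page; that page's URL is what an ad
    server receives as the Referer when the user clicks an ad.
    """
    parts = urlsplit(referer)
    cleaned, hits = [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value, n = scrub_value(value)
        cleaned.append((key, value))
        hits += n
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits


if __name__ == "__main__":
    for ref in SAMPLES:
        print(scrub_referer(ref))
```

Redaction on the receiving side only limits what gets stored; the link itself still grants access to anyone who holds it unless the service requires authentication.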