Slashdot Mirror
Dropbox and Box Leaked Shared Private Files Through Google
judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links."
Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.
...and this is why we should all be wary of cloud providers.
I've used DB to allow a couple colleagues to download some reports as well as larger amounts of data. IMHO, if a link is generated, even if the link isn't public, someone or something will find it and have the ability to snarf that file.
The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.
This way, even if the link appears on Google and Mallory does get a copy, other than size and the public keys used [1], the file is encrypted and useless.
[1]: One can always put the file in a WinRAR wrapper and send the password via encrypted E-mail as well, further obfuscating the contents.
This will work itself out. Those people stupid enough to put important data on other people's servers, where the have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:
1) Learn their lesson the hard way.
2) Not have enough money left to pay to host their data on other people's money siphon.
3) No longer have a need to host anything anywhere.
Any good private torrent site redirects you to a specific page before forwarding you to a 3rd party link. This doesn't mask that you're using the site, but it does mask where you were on the site. I like the security feature, though it will get really annoying if every site starting doing this.
Google should've put a filter to stop advertisers from seeing searched URLs that are obviously private (e.g. containing unique tokens like session IDs, order IDs, access of otherwise "hidden" files, etc). It's not necessarily good practice to send some of this info as a GET parameter, but the fact is that it's a very common thing.
Most browsers will default the address bar to search if the input isn't a valid URL -- so all typoed URLs have probably been leaked to unknown 3rd parties too.
Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.
A document isn't private unless it requires at least some kind of authentication to access it, eg. setting up HTTP authentication, or using a system like Google Drive uses where you have to be logged in on your Google account to see documents shared with you.
And now we know why UX designers don't want to show the URL in Chrome anymore.
Common sense dictates that *if* you value your data in the slightest, you alone have access and control. Short of this, you've lost the battle before it has begun. This is a hard truth in light of all the "cool" services in the so-called "cloud". If you want a cloud backup, do a colo server you own that is encrypted. Have at least four copies of your data. One working copy, an encrypted at-hand copy, and two off-site encryted copies. Perhaps even a fith copy in a safety deposit box that you update twice a year. Short of this, you don't own your data.
Captcha: clouds
I've always hated the move toward "omnibar" seach field/URL field combos for this very reason. Add in dynamic search suggesting and every damn thing many (if not most) of the people on the planet put in that field gets sent to Google. Anything Google does with the URL bar is solely for their own advantage. No thanks.
People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents.
This sounds more like an ID10-T problem to me. If the user wants the links kept quiet they need to make sure not to type them in public places or link them in files they give others.
I agree and thoroughly hate the whole "omnibar" trend that is happening with the browsers but What alternative are you going to use once Google has successfully rolled out their "omnibar" crap? The Firefox camp is doing everything they can to fuck themselves over while trying to mimic Chrome. They'll roll out the same thing with FF ver 45 (in 6 weeks at the rate they're going). The only difference is that the FF version will be buggier than shit.
IE?
Calling them stupid is not fair, I think. A majority of the older generation, especially those in their 60s or 70s are only just dipping their toes into using things like smartphones, iPads, emails, a little Facebook, Skype and maybe services like Dbox or Box to "keep their pictures". They did not grow up being exposed to personal computers or smart devices. They also grew up in a time when it was more common to trust authority figures. So now, they are bombarded by ads etc from M$, Apple and Google saying their services are safe- why would they not trust them?
Your comment about "being warned time and time again that this very thing is inevitable" is specious. Certainly, if you are a techie or geek, you would see and take note of these warnings form the tech sites that you visit. The average Joe would not see it, and even if he did would not understand.
You speak as someone who never had to guide an older family member/relative in how to use smart devices.
Common sense dictates that *if* you value your money in the slightest, you alone have access and control. Short of this, you've lost the battle before it has begun.
Do you use bank services? Credit cards? Money transfer services? Paypal? Square? Bitcoins?
Ok maybe your argument is that data and money is not the same. Lets restrict the argument to data alone. A policeman asks you for your driving licence. Your bank asks you for your transaction number. The online vendor you are trying to buy goods from asks for your credit card number. Are you going to refuse?
It is not remotely possible to make sure that "you alone have access and control" to your own data. At some point, you will have to share it with someone else, and therefore run the risk it may be exposed.
When dropbox wrote blog regarding that issue, it simply means that they did action to fix that issue. So, why making that issue big deal to public.
A more important question is why are you using a cloud provider without using encryption? No one should be storing any sort of sensetive file on a cloud service without first encrypting it. I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing... anything. Use something to protect yourself instead of giving unfettered access to the cloud provider and their (lack of) security.
They have little reason to protect you.
Box and Dropbox are forbidden where I work, as they host data on external servers. Company data should be stored on company servers.
I've been using (and loving) the omnibar for 15 years. That someone did it wrong isn't a problem with the feature, but the implementation. Opera had it long ago, though possibly not in exactly the same manner as done today.
Learn to love Alaska
This is truly shocking, NOT!
I've always disabled the HTTP referer, because it's a damn spy tool to begin with.
Condi is on the job!
Call me crazy, but I like IE (after I found adblock for it). The horror that is IE6 was long, long ago and you can turn off searching from the address bar. When I mis-type a URL (and anyone familiar with my posts knows I have about 1 typo per 5 words), it just sits there waiting for me to correct my typo - it doesn't send anything to anyone beyond the DNS server.
Socialism: a lie told by totalitarians and believed by fools.
Drop/Box gave these users the option to make these files publicly accessible, they chose to make them publicly accessible, which made them publicly accessible. THE HORROR!
How is this getting reported? Is this some kind of weird post Heartbleed security reporting bandwagon? /. editors, this is a wood league effort, step it up please.
Privacy issues aside, it's also a UI disaster. Previously, I could switch from URL mode to search mode by hitting tab. It became a reflex - create new tab, focus is in URL bar, hit tab, type search term. It took several months to unlearn that bit of muscle memory. And now, rather than a key press that takes a fraction of a second, I have to rely on some flakey NLP code to determine whether I want a search or a URL. I significant amount of the time, it decides that my search term is actually something that wants to be autocompleted to a previous URL that I've visited, so I end up going to a random site. Or it decides that a search term with a dot in it (try searching for command.com) is a domain name, doesn't find it, and then searches a load of similar things and delivers me to a different random page. I've now got into the habit of hitting space at the end of every search, so it now uses exactly the same amount of key strokes for me as the old design in the best case and is less reliable.
I am TheRaven on Soylent News
www.syncthing.net is nice.
Not forgetting that every time you use one of those 'share this link' or 'send link' from an app or website button the third-party link-sharing service adds it to their index - and most also do a test GET request to verify that the link works.
I know of at least one person who goes to their browser's home page (e.g. www.google.com) and types www.facebook.com in the search box to go to facebook....
Dropbox claim to have fixed this problem, but they haven't they’ve made an obscure problem into a far first one for any of their users that rely on distributing stable links to files. All those links are now broken, and recreating the links (which gives a new URL) doesn’t fix the problem of all the emails or other documents that we’ve got out there with links that are now 404. Good move Dropbox break one of the core features of your service just as many of us are thinking of moving because of their appointment of Condoleza Rice (prominent supporter of warrantless wiretaps) to their board. Only think keeping us their was the quality of their service, that’s now been blown.
Quite often, when I type a local url without the protocol in front, Chrome assumes I want to google for it. It's very annoying. I'm all for separating the search box from the address box.
From the blog a user suggested:
"Wow. There was actually a very simple fix !
Change dbx links so that instead of directly serving the document, they generate a short lived token valid only for the client that accessed the link, then redirect to an URL using that token. Only serve documents from URLs containing a valid token.
This way third parties would only get referrer URLs they cannot use."
https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/
I prefer private file-sharing clouds, because you have the full control of your data.
Check out arXshare http://www.arxshare.com">arXshare as an alternative.
It is much more lightweight than others, and does end-to-end encryption.
I'm using IE at work, the version where there is no omnibar. I hate it. Every time I want a website I'm used to typing part of it the URL and hitting enter. With IE7 or 8 (not sure) I have to type in the whole URL correctly. Brrr...
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
This is a history lookup, not a search result. No need to go outside your own browser, much less your own computer. For this reason I don't use chrome, and I turn off autosuggest on everything that can be turned off. I also don't use Chrome except for testing or to connect to Google. Frequently clearing all cookies helps as well.
Honestly, the omnibar setup may be the final stroke that blacklists all google addresses at my firewall. I've already been considering it and only having 1 machine proxy for google on intentional searches only. The price we pay for privacy and security.
The cesspool just got a check and balance.
What about the various "dropbox encryptors" out there? SecretSync/Viivo, Boxcryptor, Cloudfogger? They all provide "easy" to use client side encryption for the file sync and share guys (like Box/Dropbox)
Some of them even support Dropbox Sharing (both DBX Shares and Public Links) with back-end key management.
Someone typed a full, unsecured, web link into a search and Google AdWords reported it to the advertiser. I don't believe this would be considered a security issue or flaw with any cloud provider. This is customer error, not securing sensitive information with a password or permissions. If anything, it'd be a flaw with Google AdWords reporting the full search terms, but even that is stretching it.
The confusing thing is why this is so popular, anyway. As far as I see it, it is nothing more than Clippy, the next generation.
Maybe people only disliked Clippy because it seemed like a distraction. I suppose the "omnibar" wouldn't be as popular if, every time it got focus, put up a large overlay box with the content: "It looks like you are trying to type a URL".
Alternatively, it means people _would_ have liked Clippy if it just started silently writing the letter for you or if it sent the letter to Microsoft so they could finish it for you.
The address bar and any kind of search bar are different things with _very_ different uses. I don't understand why I would ever want to conflate them. It makes no sense from a UI perspective and is an absolute disaster from a privacy perspective.
Gr8Apes is correct. What you are talking is a part of omnibar functionality but is NOT what TFA is talking about (local v. remote data access)...
The "cloud" hate is strong here so I suppose I shouldn't be surprised that nobody has mentioned this yet, but this is quite simply a non issue. Box and Dropbox allow you to share files publicly, but it is not the default. While each have had genuine security issues in the past, this is not one. This is simple, common user ignorance. Both services have proper and secure sharing methods to share documents with other users of the service that require authentication on both ends.
What happens is:
- User clicks "Share dropbox link" from the context menu OR user places file into a pre-configured public folder
- User gives link to recipient
- Recipient enters it into a browser with one of those horrible combo search/url bars
- Link is indexed by the search engine
The important thing to remember is that that link does not exist before the user selects that action. These links also expire, and there is also an "Unshare" explicit action.
Omnibar is keeping me from using Chrome and Opera. I like Firefox's separate URL and search bars and I hope they stay separate.
Everything I've ever linked anyone from dropbox was in a 'public' folder.
I'm okay with everything in there being linked and shared around the net; if I wasn't, I wouldn't have put them there.