Dropbox and Box Leaked Shared Private Files Through Google

judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.

Not technically a leak

[Todd+Knarr]

Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.

A document isn't private unless it requires at least some kind of authentication to access it, eg. setting up HTTP authentication, or using a system like Google Drive uses where you have to be logged in on your Google account to see documents shared with you.