Slashdot Mirror


Dropbox and Box Leaked Shared Private Files Through Google

judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.

19 of 92 comments

  1. To the cloud by Anonymous Coward · · Score: 3, Insightful

    ...and this is why we should all be wary of cloud providers.

  2. If it is linked, it is public... by mlts · · Score: 4, Informative

    I've used DB to allow a couple colleagues to download some reports as well as larger amounts of data. IMHO, if a link is generated, even if the link isn't public, someone or something will find it and have the ability to snarf that file.

    The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.

    This way, even if the link appears on Google and Mallory does get a copy, other than size and the public keys used [1], the file is encrypted and useless.

    [1]: One can always put the file in a WinRAR wrapper and send the password via encrypted E-mail as well, further obfuscating the contents.

    1. Re:If it is linked, it is public... by hawguy · · Score: 5, Insightful

      >The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.

      You have a much different definition of "simple" than most people. Few people (who are not techies) find transferring a file via GPG or TrueCrypt to be "simple". Even getting them to download the file from a cloud provider can be a chore: "I clicked on the link but nothing happened! What do you mean I need to look in my Downloads folder?"

    2. Re:If it is linked, it is public... by theqmann · · Score: 2

      It seems like the "vulnerability" that the article is talking about only happens when a recipient of the dropbox file link copies that link address into a google search query. If the user just clicks the link like a normal person, there is no problem.

    3. Re:If it is linked, it is public... by blueg3 · · Score: 2

      More simple, though "differently convenient", is to use the Dropbox sharing feature. The one where you share to individual users rather than making a public link. I thought the Dropbox application was pretty clear about the fact that the links were fundamentally public (though I'm in security, so I read things differently). The user-based sharing is less convenient, in that it requires some degree of "registration" with Dropbox to use it, but it has actual access controls.

      If there's a "shared link" to the data, as you say, you should treat it as public. This is classic "security through obscurity" -- the only thing restricting access is that people don't happen to know the URL, but URLs turn out to be quite discoverable.

    4. Re:If it is linked, it is public... by blueg3 · · Score: 3, Informative

      They do that by design. Referer is part of the spec. URLs -- or GET requests in general -- should not contain any private data. It's even CWE-598.

    5. Re:If it is linked, it is public... by amxcoder · · Score: 4, Interesting

      Yes, dropbox used to mention this in the documentation (don't know if they still do), but if you put it in your public folder, it is public. I believe they used to say that it was even accessible without a link, if someone knew (or guessed) the specific folder+filename. One reason why I keep everything inside subject folders (within the public area) and not just plopped into the public folder en masse, as it makes it harder to guess as you would have to guess the folder-name as well.

      On another note, another thing I do when I send a document (like applications or forms with personal data on them), is I upload the file to a custom folder, then send the link to the recipient with the specific instructions that they let me know once they've downloaded it, so I can delete it off dropbox. That way, in most cases, it's only available for a few minutes to maybe a couple hours at most, and if anyone happens to intercept the URL, the chances of the file still being there are slim, as it's deleted as soon as the intended recipient gets it. The only way it can be stolen, is if someone intercepts the email AND tries to download the file faster than the recipient does. While it's not foolproof, it's not a bad idea completely. Surely it's better than attaching the file to an email that gets passed through several servers along the way and copies are kept at each of those points.

      I have to say though, in most cases, when someone sends me a file, I despise when they want to do a "share" rather than send me a download URL. The share semi-permanently links my account to theirs at that point, and takes up space on my allotment of space. Just send me a download link.

    6. Re:If it is linked, it is public... by ko7 · · Score: 3, Insightful

      When dealing with 'users' of the caliber that you describe, it really isn't possible to securely exchange data. Unfortunately, most 'users' can't be trusted not to have the file scraped off of their own box once they've received it. Without a minimal amount of computer knowledge and skills (which appears to be beyond the capabilities of most users), it just isn't possible to guarantee any security at all.

  3. Financial Natural Selection by StormReaver · · Score: 2

    This will work itself out. Those people stupid enough to put important data on other people's servers, where they have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:

    1) Learn their lesson the hard way.

    2) Not have enough money left to pay to host their data on other people's money siphon.

    3) No longer have a need to host anything anywhere.

    1. Re:Financial Natural Selection by ArsenneLupin · · Score: 2

      >That's like me leaving out a box of jewelry on my front lawn with a note saying that only Alice should take it and then getting upset when it's gone and Alice tells me that she didn't get it

      It's more like you're hiding the box in a good hiding place ("under the huge rock at the end of Elm's street"), telling Alice about the place. But then Alice naively asks Mallory "do you know how to get to Elm's street, you know the one with the huge rock at the end?", and then everybody acts astonished when Mallory beat Alice to the chase...

  4. Not technically a leak by Todd Knarr · · Score: 5, Informative

    Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.

    A document isn't private unless it requires at least some kind of authentication to access it, eg. setting up HTTP authentication, or using a system like Google Drive uses where you have to be logged in on your Google account to see documents shared with you.

    1. Re:Not technically a leak by buchner.johannes · · Score: 2

      >They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.

      No, you buy AdSense words, and it delivers matching URLs entered into Google -- then you grab the data there. Anyone can set up a data-collection like that.

      There is no conceptual difference between entering a password and a secret URL. It is not security by obscurity, it is security by "something you know". Once someone else knows, it's not secure anymore.

      The difference to passwords entered into other sites or Google is that it may not be immediately clear on what site to use the password, and with which user name.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Not technically a leak by Mask · · Score: 2

      A document can still be shared, via URL and still be private as follows:

      As a dropbox user I want to share a file with you, but you are not a registered user. Dropbox generates and sends you a URL. Once you open the URL from a browser you get a cookie and the URL is no longer valid without this cookie. After this, no one but you can use the URL.

      Disadvantage: you can open it only from a specific browser on a specific machine.
      Solution: If you open the URL from a different browser you get the option to get a new URL (to the original mail-box).

      Not perfectly secure if someone (e.g. NSA) reads your mail, but good enough.

      Sounds quite simple and reasonably secure to me.

      I should have patented this great "invention". Clearly it is not trivial which is "proven" by the fact that dropbox did not implement it.
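A minimal sketch of the first-use cookie binding described in the comment above, which also sets `Referrer-Policy: no-referrer` to address the Referer leak raised in the parent comment. This is an added example, not part of the original posts and not Dropbox's or Box's code; the `ShareLinks` class, the `/s/<token>` path and the `share` cookie name are assumptions.

```python
import hashlib
import hmac
import secrets


class ShareLinks:
    """Hypothetical in-memory share-link service (all names are assumptions)."""

    def __init__(self):
        self._links = {}  # token -> {"path", "recipient", "bound"}

    def create(self, path, recipient):
        token = secrets.token_urlsafe(32)  # unguessable link token
        self._links[token] = {"path": path, "recipient": recipient, "bound": None}
        return token

    def open(self, token, cookie=None):
        """Handle GET /s/<token>; returns (status, headers, body)."""
        link = self._links.get(token)
        if link is None:
            return 404, {}, ""
        # Keep the link URL out of Referer headers when the reader follows
        # a hyperlink from the served page, and out of shared caches.
        headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
        if link["bound"] is None:
            # First visit: bind the link to this browser with a random cookie.
            # Only a hash of the cookie value is stored server-side.
            value = secrets.token_urlsafe(32)
            link["bound"] = hashlib.sha256(value.encode()).digest()
            headers["Set-Cookie"] = (
                f"share={value}; Secure; HttpOnly; SameSite=Lax; Path=/s/{token}"
            )
            return 200, headers, link["path"]
        presented = hashlib.sha256((cookie or "").encode()).digest()
        if hmac.compare_digest(presented, link["bound"]):
            return 200, headers, link["path"]
        return 403, headers, "link already claimed"

    def reissue(self, token):
        """Retire a claimed link; return (recipient, new_token) to e-mail."""
        link = self._links.pop(token)
        return link["recipient"], self.create(link["path"], link["recipient"])
```

After the first visit, a copy of the URL that reaches a search box or a third-party log returns 403 without the cookie, and `reissue` sends a fresh link only to the original mailbox.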

  5. Re:To the URLbar! by immaterial · · Score: 5, Insightful

    I've always hated the move toward "omnibar" search field/URL field combos for this very reason. Add in dynamic search suggesting and every damn thing many (if not most) of the people on the planet put in that field gets sent to Google. Anything Google does with the URL bar is solely for their own advantage. No thanks.

  6. Thats not fair to those users by Camael · · Score: 3

    >Those people stupid enough to put important data on other people's servers, where they have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:

    >1) Learn their lesson the hard way.

    Calling them stupid is not fair, I think. A majority of the older generation, especially those in their 60s or 70s are only just dipping their toes into using things like smartphones, iPads, emails, a little Facebook, Skype and maybe services like Dbox or Box to "keep their pictures". They did not grow up being exposed to personal computers or smart devices. They also grew up in a time when it was more common to trust authority figures. So now, they are bombarded by ads etc from M$, Apple and Google saying their services are safe- why would they not trust them?

    Your comment about "being warned time and time again that this very thing is inevitable" is specious. Certainly, if you are a techie or geek, you would see and take note of these warnings from the tech sites that you visit. The average Joe would not see it, and even if he did would not understand.

    You speak as someone who never had to guide an older family member/relative in how to use smart devices.

  7. Encryption by NitroWolf · · Score: 2

    A more important question is why are you using a cloud provider without using encryption? No one should be storing any sort of sensitive file on a cloud service without first encrypting it. I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing... anything. Use something to protect yourself instead of giving unfettered access to the cloud provider and their (lack of) security.

    They have little reason to protect you.

  8. Re:To the URLbar! by AK Marc · · Score: 2

    I've been using (and loving) the omnibar for 15 years. That someone did it wrong isn't a problem with the feature, but the implementation. Opera had it long ago, though possibly not in exactly the same manner as done today.

  9. Re:To the URLbar! by lgw · · Score: 2

    Call me crazy, but I like IE (after I found adblock for it). The horror that is IE6 was long, long ago and you can turn off searching from the address bar. When I mis-type a URL (and anyone familiar with my posts knows I have about 1 typo per 5 words), it just sits there waiting for me to correct my typo - it doesn't send anything to anyone beyond the DNS server.
     

    --
    Socialism: a lie told by totalitarians and believed by fools.
  10. My tap leaks every time I turn the knob. by crioca · · Score: 2

    Drop/Box gave these users the option to make these files publicly accessible, they chose to make them publicly accessible, which made them publicly accessible. THE HORROR!

    How is this getting reported? Is this some kind of weird post Heartbleed security reporting bandwagon? /. editors, this is a wood league effort, step it up please.