On Monday, Dropbox confirmed a security vulnerability with Dropbox files shared via hyperlink. In the confirmation, they described the vulnerability as follows:
- The user uploads a file to Dropbox that contains a link to a 3rd party website.
- The user sends a link to the Dropbox file to a recipient, who uses the link to access the file.
- The recipient clicks on the link in the file to view the 3rd party website.
- The 3rd party website owner checks their access logs and sees the Dropbox link as the “referrer” to their site – and can then click on the Dropbox link and gain access to the file.
Dropbox reacted by disabling access to all previously existing file links, examining and re-enabling access for links that were not vulnerable, and patching the vulnerability in future links. Users were told that they could re-create links, but the effect was that pre-existing links suddenly broke. Website links, presentations, cloud based documents – either needed to be recreated, or re-enabled if they were judged not vulnerable. (Which of course begs the question of how do they judge whether or not the Dropbox content is vulnerable without examining it?)
Dropbox could have handled this better. By disabling links across the board with little notice, users were left to clean up the mess rather than being given the opportunity to fix the problem for themselves, if they even considered it a problem. It was yet another demonstration that Cloud services are not yet 100% foolproof or reliable, and are ultimately subject to the business needs of the vendor.
Dropbox updated the post the next day to confirm a second vulnerability in which the user inadvertently pastes the URL for the Dropbox file into a search engine:
- The user uploads a file to Dropbox and sends the link to a recipient.
- The recipient (inadvertently) pastes the link into a browser search engine rather than the browser URL field.
- The search engine makes a best guess for keywords in the URL and displays ads based on those keywords.
- The owners of the displayed ads check the search terms for which their ads were displayed, and see the Dropbox URL.
Dropbox’s reaction to this was:
This is well known and we don’t consider it a vulnerability. We urge everyone to be careful about providing shared links to third parties like search engines
Yes – I agree – while the first vulnerability was up to Dropbox to fix, this second vulnerability is the user’s fault. Many users have become accustomed to using the search engine as an address bar without knowing or caring that anything they paste there is subject to becoming part of data analyzed by the search engine. The convenience of having one place to type what you want (url or search term) becomes habit, and habit takes precedence over conscious thought. That becomes a security vulnerability waiting to happen when you use the internet to access confidential data.
Should Dropbox make their links utterly secure and idiot-proof? In the first case, that’s probably overkill for most Dropbox items, and in the second case it’s not possible, because there will always be ways to use things that were never intended or imagined. Dropbox and similar Cloud services provide a convenient way to make your data accessible over multiple devices. Cloud services can provide encryption and access control, and the vendors are responsible for making sure that those services are not vulnerable, and patching any Heartbleed type vulnerabilities that are detected.
What is done with security after it has been established is up to the user. Users control who they give access to, and allowing access to confidential data by creating and distributing an unsecured URL to that data is a security failure on the part of the user, not the vendor.