Dropbox told about vulnerability in November 2013, only fixed it when the media showed interest


DropboxEarlier today I reported how users of file sync and share services like Dropbox and Box.com could have their sensitive information exposed to Google advertisers.

Dropbox was contacted yesterday by the media, investigating the claims being made by Intralinks - a file sharing and collaboration service for enterprises - after it revealed that it had stumbled across individuals’ mortgage applications and income tax returns that should surely have remained private on Dropbox.

Dropbox responded last night with a blog post saying it was addressing the vulnerability and that it was “unaware of any abuse of this vulnerability”.

Well, clearly - despite Dropbox’s protestations - users’s data *was* exposed, otherwise files like this and this wouldn’t have fallen into the hands of unauthorised parties.

Documents leaked via Dropbox

But what worries me most is this.

Intralinks tells me that it privately informed Dropbox that data was being leaked via the shared link vulnerability in late November 2013. That’s over five months ago.

At the time, this was the response that Dropbox offered:

Unsatisfactory response from Dropbox, November 2013

Thanks for writing in to us.
We don’t believe that this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab.

For months, nothing happened.

In short, Dropbox dropped the ball.

It was only when Intralinks decided internet users needed to be warned of the potential risks, and got in touch with me and BBC News, that Dropbox stirred into action.

Here is the blog post that Dropbox published last night:

Dropbox blog

Even then, Dropbox are only responding to the hyperlink disclosure vulnerability, *not* the Google Adwords-related issue I describe in my blog post.

I think it’s a pretty sad state of affairs that months can pass, and the BBC has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users.

PS. Meanwhile, has anybody heard any comment at all from Box.com who were affected by similar issues? I mean, at least Dropbox said and did *something*.

(Although in fairness to Box.com, at least their free version offers the option of more secure sharing than Dropbox’s free edition allows.)

Further reading:

Tags: , , , , , , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , , , , , , ,

5 Responses

  1. Andy

    May 6, 2014 at 7:29 pm #

    Dropbox is a consumer service that’s largely free. Users of free services are showing less and less interest in privacy and security, of course those same users are also loading up their quotas with corporate and confidential data. So, can you blame dropbox for not really caring about what its users care so little about? To the average dropbox user, this data leak is complicated and difficult to understand and their in their minds its something only an elite hacker could pull off.

    • Andris Lūsis in reply to Andy.

      May 9, 2014 at 3:15 am #

      There is nothing to ‘pull off’.

      IF you paste a secret thing in the google search, OF COURSE this gets logged.
      Its the same ‘vulnerability’ when someone sends an email to the wrong person.

      Regarding the Referrer thing - I have seen links to much worse places in the Referer - private internal business systems and stuff. Some of which actually can be opened too. For many years now.

      This is just some competitor of Dropbox screaming that the sky is falling about things that people who do care about this have known for 15 years.

  2. Simon

    May 6, 2014 at 10:48 pm #

    The ‘Google Adwords-related issue’ isn’t a vulnerability in Dropbox; it’s the user’s fault for publicly sharing a private link.

    • Graham Cluley in reply to Simon.

      May 6, 2014 at 11:16 pm #

      Other services require users to authenticate themselves before accessing shared links. Why not Dropbox?

      • Simon in reply to Graham Cluley.

        May 6, 2014 at 11:33 pm #

        That would make sharing more complicated for a service which appears to be designed as a quick way of sharing material rather than a secure method of transferring documents. Dropbox could make this more prominent on their website rather than hiding the warning at the bottom of the page in the “For our advanced users” section. https://www.dropbox.com/help/167/en

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.