
Warning over unintentional file leak from storage sites

RainfallWithin


 

Quotes from BBC News source: http://www.bbc.com/news/technology-27285786

 

People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files.
 
Intralinks - which is a competitor - said it found sensitive files, such as mortgage records.
 
The problem centred on the use of the services' sharing function that generated a public link.
 
As a precaution, Dropbox has disabled access to links that have been previously shared.
 
It said it had also implemented a patch to prevent shared links from being exposed from now on.
 
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments," the company said in a blog post.
 
"We're working to restore links that aren't susceptible to this vulnerability over the next few days."
 
Box has not responded to the BBC's request for a comment.
 
Security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.
 
"I think these services need to be more upfront with warnings," he told the BBC.
 
However, he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.
 
Dropbox, Box and most other cloud hosting services often give users the option of creating a shareable web link for their files.
 
It means users are able to simply send a web address - made up of a string of letters and numbers - for someone to directly download a file without needing to log in.
 
Because of the complexity of the link, it is very difficult to guess - meaning that while the link is technically public, it is unlikely anyone would be able to access it by chance.
 
However, Intralinks discovered that the links were being exposed in two ways not previously considered.
 
Firstly, it discovered that shared links were often appearing in websites' referral data.
 
Many websites look at referral data when analysing their traffic to get an insight into how visitors got to their site.
 
Intralinks found that if a link to a website is included in a file shared on Dropbox, and subsequently clicked within the web viewer, the website owner would see the shared link in its referral data - and therefore be able to access the file.
 
Dropbox said its patch has now fixed the problem.
 
Furthermore, the company had been running a Google advertising campaign, and had paid to have an advert for Intralinks appear in Google's search results whenever someone searched for "Dropbox" or "Box".
 
Companies that use Google's search advertising service are sent an anonymised breakdown of what users had searched for in order to find their advertising.
 
Intralinks found that many people would put the entire shared link into a Google search box, and therefore Intralinks would subsequently see those links in the breakdown data from Google.
 
While copying and pasting a download link into Google's search engine might appear to be odd behaviour, Intralinks said "a few hundred documents" were exposed to them in this way.
 
Dropbox's patch has not addressed this particular problem, Mr Cluley said.
 
Intralinks' chief technology officer for Europe, Middle East and Africa Richard Anstey said: "Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar - it's an easy mistake to make.
 
"However, what they don't realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an 'adword' that closely matches any part of that link."
 
 
Personal Thoughts
 
I have always only uploaded files that I would not mind being shared publicly due to the frequency of this kind of problem. However, I understand that some people do not have many other choices to go with and that it would also be difficult for them to realise that their files are publicly available.
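The two leak channels the article describes (a share link arriving in a website's Referer header, and a share link arriving as a search term in an ad-platform report) can both be spotted by whoever receives that data. Added example, not code from the BBC article, Dropbox, Intralinks or this thread: the share-link URL shapes, the access-log lines and the search-term rows are constructed assumptions, and the redaction helper shows how a site operator can keep logs without retaining the secret part of the link.

```python
import re
from urllib.parse import urlsplit

# Assumed share-link shapes for the services named in the article
# (this example's assumption, not taken from the article or the vendors).
SHARE_LINK_RE = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com/sh?/|app\.box\.com/s/)[A-Za-z0-9]+"
)

# Constructed access-log lines in Apache "combined" format. The Referer on
# the second line is the leak described in the article: a share link that
# the viewer sent along when a link inside the shared document was clicked.
ACCESS_LOG = """\
203.0.113.7 - - [05/May/2014:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [05/May/2014:10:02:15 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://www.dropbox.com/s/a1b2c3d4e5f6/mortgage.pdf" "Mozilla/5.0"
198.51.100.4 - - [05/May/2014:10:03:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed rows of an ad-platform search-term report: (search query, clicks).
SEARCH_TERMS = [
    ("dropbox", 37),
    ("https://www.dropbox.com/sh/zz99yy88xx77/AADx/tax-returns", 1),
    ("box vs dropbox", 5),
]

# client ip, identd, user, [time], "request", status, bytes, "referer", "agent"
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)" "[^"]*"$'
)


def leaked_share_links_in_log(log_text):
    """Return (client_ip, referer) for each request whose Referer is a share link."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        ip, referer = m.groups()
        if SHARE_LINK_RE.match(referer):
            hits.append((ip, referer))
    return hits


def leaked_share_links_in_search_terms(rows):
    """Return every search query that is itself a pasted share link."""
    return [term for term, _clicks in rows if SHARE_LINK_RE.match(term.strip())]


def redact_share_link(url):
    """Keep scheme and host only, so a log can be retained without the secret path."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/[redacted-share-link]"
```

Both detectors only read data the site operator already receives; the point is to recognise it as someone else's secret and redact it rather than store or forward it.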

holy wall but this is why i don't tend to trust most file transferring stuff like this, call me old but i still use a usb or portable drive. inb4 people uuuhhhh usbs can get viruses here's all the cares i give [ ]

Specs

CPU: i5 4670k i won the silicon lottery Cooler: Corsair H100i w/ 2x Corsair SP120 quiet editions Mobo: ASUS Z97 SABERTOOTH MARK 1 Ram: Corsair Platinums 16gb (4x4gb) Storage: Samsung 840 evo 256gb and random hard drives GPU: EVGA acx 2.0 gtx 980 PSU: Corsair RM 850w Case: Fractal Arc Midi R2 windowed

 


Well that is why I only keep non important stuff on db or encrypted stuff.

"Great minds discuss ideas; average minds discuss events; small minds discuss people."

Main rig:

i7-4790 - 24GB RAM - GTX 970 - Samsung 840 240GB Evo - 2x 2TB Seagate. - 4 monitors - G710+ - G600 - Zalman Z9U3

Other devices

Oneplus One 64GB Sandstone

Surface Pro 3 - i7 - 256Gb

Surface RT

Server:

SuperMicro something - Xeon e3 1220 V2 - 12GB RAM - 16TB of Seagates 


well this explains why it took me 10 minutes to download a 700KB file yesterday

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 


That's why I have my own cloud :-) but yea I only keep old pictures in Dropbox


*cough* BTSync *cough*....

CPU: i7 4770k | GPU: Sapphire 290 Tri-X OC | RAM: Corsair Vengeance LP 2x8GB | MTB: GA-Z87X-UD5H | COOLER: Noctua NH-D14 | PSU: Corsair 760i | CASE: Corsair 550D | DISPLAY: BenQ XL2420TE


Firestrike scores - Graphics: 10781 Physics: 9448 Combined: 4289


"Nvidia, Fuck you" - Linus Torvalds


And that is why it is always good to require at the minimum a password when sharing a file :P

0b10111010 10101101 11110000 00001101


And this is why I don't use the cloud lol

  

That's why I have my own cloud :-) but yea I only keep old pictures in Dropbox

That's why i like the cloud to butt firefox extension...

Signatures are stupid.


And this is why I don't use the cloud lol

That's not really fair, since it wasn't directly Dropbox's fault. It's good they put the patch in though.

I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect has intended us to forgo their use, and by some other means to give us knowledge which we can attain by them. - Galileo Galilei
Build Logs: Tophat (in progress), DNAF | Useful Links: How To: Choosing Your Storage Devices and Configuration, Case Study: RAID Tolerance to Failure, Reducing Single Points of Failure in Redundant Storage , Why Choose an SSD?, ZFS From A to Z (Eric1024), Advanced RAID: Survival Rates, Flashing LSI RAID Cards (alpenwasser), SAN and Storage Networking


So Condoleezza Rice goes to town on Dropbox and not a few weeks later this happens, sure, "unintentional". Now watch the totally and completely unpredictable discovery that the NSA got a hold of these files.

-------

Current Rig

-------


The clouds are a dangerous place.

Mobo: Z97 MSI Gaming 7 / CPU: i5-4690k@4.5GHz 1.23v / GPU: EVGA GTX 1070 / RAM: 8GB DDR3 1600MHz@CL9 1.5v / PSU: Corsair CX500M / Case: NZXT 410 / Monitor: 1080p IPS Acer R240HY bidx


That's not really fair, since it wasn't directly Dropbox's fault. It's good they put the patch in though.

It's not about whose fault it is, it's about the fact that this stuff happens, and what if I had very sensitive info and it got leaked. (Not saying I would ever put something like that in the cloud, but your average joe doesn't know the dangers and will do it, like these people's mortgage or whatever it was got leaked)


So Condoleezza Rice goes to town on Dropbox and not a few weeks later this happens, sure, "unintentional". Now watch the totally and completely unpredictable discovery that the NSA got a hold of these files.

well, I only use dropbox to transfer school essays from my comp to college comps. So if the NSA wants to see and proofread my english papers then by all means go ahead.

 

But in all seriousness I am against invasion of privacy.

CPU amd phenom ii x4 965 @ 3.4Ghz | Motherboard msi 970a-g46 | RAM 2x 4GB Team Elite | GPU XFX Radeon HD 7870 DD | Case NZXT Gamma Classic | HDD 750 GB Hitachi | PSU ocz modxstream pro 600w
