Dropbox leaks links

Readers with good memories will recall a worrying privacy hole was found in Dropbox after publicly accessible links to private personal information stored on the service leaked out to unauthorised users. The issue was stumbled across by rival file-sharing service Intralinks, which focuses on the enterprise market. Intralinks found when running Google Adwords campaigns that it was receiving links to tax returns, financial records, mortgage applications and business plans stored on Dropbox.

Here’s how I described the vulnerability at the time:

Many cloud data storage services provide users with a method to share links with others. For instance, when a user creates a shareable link on Dropbox or Box, anyone with that link can access the data. You don’t even have to be a registered user of the service to access a shared link. The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves. If a user, attempting to access the document that has been shared with them, puts the Share link into a search engine rather than their browser’s URL box (an easy finger fumble to make) then the advertising server receives the Share link as part of the referring URL, if the user clicks on an ad.
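An added example, not from the original article: a site on the receiving end of ad clicks can scrub share links out of the Referer before it is logged, so links that arrive the way Intralinks describes are not retained. The host list, the placeholder text and the sample referers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: hosts treated as file-sharing services; extend for your environment.
SHARE_HOSTS = ("dropbox.com", "box.com")
PLACEHOLDER = "REDACTED-SHARE-LINK"  # hypothetical marker written in place of the link


def is_share_url(value):
    """True if a query-parameter value is itself a link into a file-sharing host."""
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # links are often pasted without a scheme
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    on_share_host = any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)
    # A bare host name is just a search term; a path means a specific document.
    return on_share_host and parts.path not in ("", "/")


def scrub_referer(referer):
    """Return (clean_referer, leaked); embedded share links are replaced."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return "", False  # unparseable header: log nothing rather than the raw value
    leaked = False
    clean = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_share_url(value):
            value, leaked = PLACEHOLDER, True
        clean.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked


# Constructed sample Referer values (search.example and the tokens are made up).
SAMPLES = [
    "https://search.example/results?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2FEXAMPLETOKEN%2Ftax-return.pdf&page=1",
    "https://search.example/results?q=secure+file+sharing",
    "https://search.example/results?q=dropbox.com%2Fs%2FEXAMPLETOKEN%2Fplan.docx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scrub_referer(sample))
```

Run the scrubber before the Referer reaches access logs or analytics, and count the `leaked` flag to see how often share links arrive this way.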
