Dropbox and Box Leaked Shared Private Files Through Google
judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links."
Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.
To the cloud (Score:3, Insightful)
...and this is why we should all be wary of cloud providers.
Re:To the URLbar! (Score:1)
And now we know why UX designers don't want to show the URL in Chrome anymore.
Re:To the URLbar! (Score:5, Insightful)
Re: (Score:1)
I agree and thoroughly hate the whole "omnibar" trend that is happening with the browsers, but what alternative are you going to use once Google has successfully rolled out their "omnibar" crap? The Firefox camp is doing everything they can to fuck themselves over while trying to mimic Chrome. They'll roll out the same thing with FF ver 45 (in 6 weeks at the rate they're going). The only difference is that the FF version will be buggier than shit.
IE?
Re: (Score:3)
Call me crazy, but I like IE (after I found adblock for it). The horror that is IE6 was long, long ago and you can turn off searching from the address bar. When I mis-type a URL (and anyone familiar with my posts knows I have about 1 typo per 5 words), it just sits there waiting for me to correct my typo - it doesn't send anything to anyone beyond the DNS server.
Re: (Score:2)
I'm using IE at work, the version where there is no omnibar. I hate it. Every time I want a website I'm used to typing part of the URL and hitting enter. With IE7 or 8 (not sure) I have to type in the whole URL correctly. Brrr...
Re: (Score:1)
This is a history lookup, not a search result. No need to go outside your own browser, much less your own computer. For this reason I don't use chrome, and I turn off autosuggest on everything that can be turned off. I also don't use Chrome except for testing or to connect to Google. Frequently clearing all cookies helps as well.
Honestly, the omnibar setup may be the final stroke that blacklists all Google addresses at my firewall. I've already been considering it and only having 1 machine proxy for Google.
Re: (Score:2)
Gr8Apes is correct. What you are talking about is a part of omnibar functionality but is NOT what TFA is talking about (local v. remote data access)...
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Quite often, when I type a local url without the protocol in front, Chrome assumes I want to google for it. It's very annoying. I'm all for separating the search box from the address box.
Re: (Score:1)
The confusing thing is why this is so popular, anyway. As far as I see it, it is nothing more than Clippy, the next generation.
Maybe people only disliked Clippy because it seemed like a distraction. I suppose the "omnibar" wouldn't be as popular if, every time it got focus, put up a large overlay box with the content: "It looks like you are trying to type a URL".
Alternatively, it means people _would_ have liked Clippy if it just started silently writing the letter for you or if it sent the letter to Micr
If it is linked, it is public... (Score:5, Informative)
I've used DB to allow a couple colleagues to download some reports as well as larger amounts of data. IMHO, if a link is generated, even if the link isn't public, someone or something will find it and have the ability to snarf that file.
The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.
This way, even if the link appears on Google and Mallory does get a copy, other than size and the public keys used [1], the file is encrypted and useless.
[1]: One can always put the file in a WinRAR wrapper and send the password via encrypted E-mail as well, further obfuscating the contents.
Re:If it is linked, it is public... (Score:5, Insightful)
>The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.
You have a much different definition of "simple" than most people. Few people (who are not techies) find transferring a file via GPG or TrueCrypt to be "simple". Even getting them to download the file from a cloud provider can be a chore "I clicked on the link but nothing happened! What do you mean I need to look in my Downloads folder?"
Re: (Score:3, Insightful)
When dealing with 'users' of the caliber that you describe, it really isn't possible to securely exchange data. Unfortunately, most 'users' can't be trusted not to have the file scraped off of their own box once they've received it. Without a minimal amount of computer knowledge and skills (which appears to be beyond the capabilities of most users), it just isn't possible to guarantee any security at all.
not 100% true... (Score:1)
What about the various "dropbox encryptors" out there? SecretSync/Viivo, Boxcryptor, Cloudfogger? They all provide "easy" to use client side encryption for the file sync and share guys (like Box/Dropbox)
Some of them even support Dropbox Sharing (both DBX Shares and Public Links) with back-end key management.
Re: (Score:2)
The actual trick for this specific problem is actually even simpler: Have everyone sign up to dropbox (or GoogleDrive or whatever) and eliminate the need for the lazy "give file to anyone who knows the URL"-"Security". That's what logins are for.
Re: (Score:2)
Yup. I find it an extremely rare occasion where I have to send a Dropbox link out. I only do that for semi-public files anyway, otherwise they can indeed get an encrypted file and good luck with it.
Re: (Score:2)
Re: (Score:2)
It seems like the "vulnerability" that the article is talking about only happens when a recipient of the dropbox file link copies that link address into a google search query. If the user just clicks the link like a normal person, there is no problem.
No, that's only half the problem. The other half is that if your shared document contains a link to, say, cnn.com and someone clicks this link straight from within the document, cnn.com can look at the referrer field and get the "secret" link to your document.
Re: (Score:2)
Re: (Score:2)
If the user just clicks the link like a normal person, there is no problem.
This is also assuming that the user uses a "normal" mail program where you can actually just click on the link. Apparently, this is not necessarily possible in some of the Microsoft offerings.
Also, if the link is too long, the mail program may break it in 2, and not consider the whole thing to be the same link.
Re: (Score:3)
More simple, though "differently convenient", is to use the Dropbox sharing feature. The one where you share to individual users rather than making a public link. I thought the Dropbox application was pretty clear about the fact that the links were fundamentally public (though I'm in security, so I read things differently). The user-based sharing is less convenient, in that it requires some degree of "registration" with Dropbox to use it, but it has actual access controls.
If there's a "shared link" to the d
Re: (Score:2)
Somehow the story is made out to be Dropbox/Box leaking files when the actual story is browsers leaking URLs...
Re:If it is linked, it is public... (Score:4, Informative)
They do that by design. Referer is part of the spec. URLs -- or GET requests in general -- should not contain any private data. It's even CWE-598 [mitre.org].
Re: (Score:2)
Actually it seems the real story is that dropbox has now disabled these links.
The link in the summary is full of people who used dropbox to share content with customers who now get a 404 or 403 instead.
It's understandable that they use dropbox this way, e.g. new promotional leaflet on garage doors, upload it to dropbox and share the link; simple, anyone can do it.
Alternative options could be run a website with a cms system, require everyone to learn how to use it, make users create an account so they can acce
Re:If it is linked, it is public... (Score:4, Interesting)
On another note, another thing I do when I send a document (like applications or forms with personal data on them), is I upload the file to a custom folder, then send the link to the recipient with the specific instructions that they let me know once they've downloaded it, so I can delete it off dropbox. That way, in most cases, it's only available for a few minutes to maybe a couple hours at most, and if anyone happens to intercept the URL, the chances of the file still being there are slim, as it's deleted as soon as the intended recipient gets it. The only way it can be stolen, is if someone intercepts the email AND tries to download the file faster than the recipient does. While it's not foolproof, it's not a bad idea completely. Surely it's better than attaching the file to an email that gets passed through several servers along the way and copies are kept at each of those points.
I have to say though, in most cases, when someone sends me a file, I despise when they want to do a "share" rather than send me a download URL. The share semi-permanently links my account to theirs at that point, and takes up space on my allotment of space. Just send me a download link.
Re: (Score:2)
I have to say though, in most cases, when someone sends me a file, I despise when they want to do a "share" rather than send me a download URL. The share semi-permanently links my account to theirs at that point, and takes up space on my allotment of space. Just send me a download link.
Must say I share that sentiment when it comes to sharing within Dropbox. When 1 person shares 1 file with, say 5 persons, that 1 file is weighted against all 5 persons' quotas, thereby "stealing" allotted space. I find that kinda morally dubious at best, as people pay for their quotas.
Re: (Score:2)
The upside of it is that you can also delete the file, thereby reclaiming all that nice space! :)
Re: (Score:2)
Yes, dropbox used to mention this in the documentation (don't know if they still do), but if you put it in your public folder, it is public. I believe they used to say that it was even accessible without a link, if someone knew (or guessed) the specific folder+filename. One reason why I keep everything inside subject folders (within the public area) and not just plopped into the public folder en masse, as it makes it harder to guess as you would have to guess the folder-name as well.
On another note, another thing I do when I send a document (like applications or forms with personal data on them), is I upload the file to a custom folder, then send the link to the recipient with the specific instructions that they let me know once they've downloaded it, so I can delete it off dropbox. That way, in most cases, it's only available for a few minutes to maybe a couple hours at most, and if anyone happens to intercept the URL, the chances of the file still being there are slim, as it's deleted as soon as the intended recipient gets it. The only way it can be stolen, is if someone intercepts the email AND tries to download the file faster than the recipient does. While it's not foolproof, it's not a bad idea completely. Surely it's better than attaching the file to an email that gets passed through several servers along the way and copies are kept at each of those points.
For actual documents that can be PDFed the password based encryption function (set to aes128 or better, with a long password) is highly effective. You just need a pre-agreed password, or simply give the recipient a phone call and deliver the password verbally. For information that can't be PDFed, sadly there isn't anything as standard as PDF so obfuscation techniques may be the most effective approach.
Re: (Score:2)
IMO... why be "humble" about one's own opinions? Surely we have good, considered reasons for holding them -- so own 'em with pride. If "IMO" seems too brash, I propose "IMCO" (considered), or "IMWRO"/"IMRO" ((well-) reasoned).
It's an initialism with more than one meaning. It could also mean "Honest".
IJWTHAOT - I Just Wanted To Have An Opinion Too.
Carry on...
I'm hauling along.
Financial Natural Selection (Score:3)
This will work itself out. Those people stupid enough to put important data on other people's servers, where they have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:
1) Learn their lesson the hard way.
2) Not have enough money left to pay to host their data on other people's money siphon.
3) No longer have a need to host anything anywhere.
Re: (Score:1)
Those people stupid enough to put important data on other people's servers, where they have no control over who sees them
Right, I forgot, any people that aren't fully versed in how technology works are "stupid". For the lay person operating the Dropbox desktop or phone client, it gives the impression that only you, and people you share a link with, can see your document. It isn't well explained that the document can be seen by *anyone* in possession of the URL, not necessarily only those you explicitly gave it to. If we ever want to improve security culture among non-computer-people, the view can't be that they're "stupid".
Re: (Score:3)
That's like me leaving out a box of jewelry on my front lawn with a note saying that only Alice should take it and then getting upset when it's gone and Alice tells me that she didn't get it
It's more like you're hiding the box in a good hiding place ("under the huge rock at the end of Elm's street"), telling Alice about the place. But then Alice naively asks Mallory "do you know how to get to Elm's street, you know the one with the huge rock at the end?", and then everybody acts astonished when Mallory beat Alice to the chase...
Re: (Score:1)
In the real world, sales and PR departments will shriek like banshees on a moonless night if you use the word "limitation" when describing your system.
By the way, do you understand how your city water and sewer systems work? I mean, REALLY understa
That's not fair to those users (Score:4)
Calling them stupid is not fair, I think. A majority of the older generation, especially those in their 60s or 70s are only just dipping their toes into using things like smartphones, iPads, emails, a little Facebook, Skype and maybe services like Dbox or Box to "keep their pictures". They did not grow up being exposed to personal computers or smart devices. They also grew up in a time when it was more common to trust authority figures. So now, they are bombarded by ads etc from M$, Apple and Google saying their services are safe- why would they not trust them?
Your comment about "being warned time and time again that this very thing is inevitable" is specious. Certainly, if you are a techie or geek, you would see and take note of these warnings from the tech sites that you visit. The average Joe would not see it, and even if he did would not understand.
You speak as someone who never had to guide an older family member/relative in how to use smart devices.
Re: (Score:2)
Calling them stupid is not fair, I think. A majority of the older generation,
Actually, the older generation are not the worst offenders. They are often surprisingly mature as far as risks in technology go.
The worst offenders are actually the facebook generation, who are so accustomed that they need to completely open up their browsers to play a game that they won't give any second thought if a malware site asks them to do the same.
Re: (Score:2)
You speak as someone who never had to guide an older family member/relative in how to use smart devices.
I have guided my fair share of older people through technology, but I wasn't thinking of them when I called people stupid. You're right that it makes a difference, so I shouldn't be so judgemental. I was thinking of the tech types who still think that it's safe putting important data on some stranger's Internet-connected server, unable to see the inevitable consequences of doing so.
A majority of the older generation, especially those in their 60s or 70s....
Thank you for the perspective check, though. I'll keep older people in mind when I'm raging against stupendously bad choices
Re: (Score:2)
There's a difference between important data and confidential data. The data gathered by the LHC at CERN is pretty important, but it'd be hard to classify as "confidential". Unless they really accidentally created a black hole somewhere :)
If you know what you do, you can store everything in Dropbox, no problem. If you don't understand the consequences, steer clear. Pretty much the same advice given by Warren Buffett about shares, I think. It applies to a lot of stuff :)
Google (Score:1)
Google should've put a filter to stop advertisers from seeing searched URLs that are obviously private (e.g. containing unique tokens like session IDs, order IDs, access of otherwise "hidden" files, etc). It's not necessarily good practice to send some of this info as a GET parameter, but the fact is that it's a very common thing.
Most browsers will default the address bar to search if the input isn't a valid URL -- so all typoed URLs have probably been leaked to unknown 3rd parties too.
Re: (Score:2)
Re: (Score:2)
Google should not start indexing data deep within a site just because a user once tried to search for a URL
And it won't, if you know how to use your robots.txt.
Re: (Score:1)
Re: (Score:2)
That's up to the web site creator. Robots.txt is what determines whether a URL is truly private.
Not technically a leak (Score:5, Informative)
Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.
A document isn't private unless it requires at least some kind of authentication to access it, eg. setting up HTTP authentication, or using a system like Google Drive uses where you have to be logged in on your Google account to see documents shared with you.
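The Referer exposure described in the post above, as an added example that is not part of the original thread: it computes the Referer value a browser sends for each standard Referrer-Policy when a reader clicks an outbound link inside a shared document. The share URL, token and hosts are constructed placeholders, and "downgrade" is simplified to HTTPS-to-non-HTTPS.

```python
from urllib.parse import urlsplit

# Constructed sample values; the hosts and the token are placeholders.
SHARE_URL = "https://files.example/s/k3v9x1q7token/statement.pdf?dl=0"
OUTBOUND_URL = "https://news.example/story"
DEFAULT_PORTS = {"http": 80, "https": 443}
ALL_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _origin(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def _origin_only(parts):
    """Serialized origin: all that an 'origin' style policy reveals."""
    scheme, host, port = _origin(parts)
    suffix = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}/"


def _full_url(parts):
    """Full URL without userinfo or fragment, as a Referer header carries it."""
    query = f"?{parts.query}" if parts.query else ""
    return _origin_only(parts)[:-1] + (parts.path or "/") + query


def referer_sent(document_url, target_url, policy):
    """Return the Referer value sent to target_url, or None if none is sent."""
    src, dst = urlsplit(document_url), urlsplit(target_url)
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full, origin = _full_url(src), _origin_only(src)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def policies_leaking_token(token, policies=ALL_POLICIES):
    """Policies under which the share token reaches the third-party site."""
    leaking = []
    for policy in policies:
        value = referer_sent(SHARE_URL, OUTBOUND_URL, policy)
        if value is not None and token in value:
            leaking.append(policy)
    return leaking


if __name__ == "__main__":
    for name in ALL_POLICIES:
        print(f"{name:34} -> {referer_sent(SHARE_URL, OUTBOUND_URL, name)}")
```

A file host that serves shared documents with `Referrer-Policy: no-referrer` (or any origin-only policy) keeps the path token out of third-party logs; it does nothing for links pasted into a search box.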
Re: (Score:2)
Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them.
Yeah, but this is quite useful... I suspect the solution though is to do a redirect from the static access-url to a temporary content-url.
I do, however, still fear that history would leak... Maybe two redirects would do the trick. As the content wouldn't possibly be able to see the static access-url.
Sure, authentication is nice... but sending non-published URLs is really nice.
Re: (Score:2)
Re: (Score:1)
Yeah, that's how I saw it too.
Dropbox and Box should be quite embarrassed by this, it's shamefully lazy design in a world where online security matters.
Re: (Score:2)
It's an extremely common design, and they also implement the other major alternative -- sharing with individuals that use per-user authentication. You can share Dropbox files either way (or both ways at once).
Re: (Score:2)
but the users deliberately wanted to just share an url and not share between specific dropbox users. the real problem is the mechanism that got the urls to be indexed by google. which is entirely due to browser design and affects any url.
Re: (Score:3)
They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.
No, you buy AdSense words, and it delivers matching URLs entered into Google -- then you grab the data there. Anyone can set up a data-collection like that.
There is no conceptual difference between entering a password and a secret URL. It is not security by obscurity, it is security by "something you know". Once someone else knows, it's not secure anymore.
The difference to passwords entered into other sites or Google is that it may not be immediately clear on what site to use the password, and with which us
Re: (Score:2)
A document can still be shared, via URL and still be private as follows:
As a dropbox user I want to share a file with you, but you are not a registered user. Dropbox generates and sends you a URL. Once you open the URL from a browser you get a cookie and the URL is no longer valid without this cookie. After this, no one but you can use the URL.
Disadvantage: you can open it only from a specific browser on a specific machine.
Solution: If you open the URL from a different browser you get the option to get a ne
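The bind-on-first-open scheme described in the post above, as an added example that is not part of the original thread and not any provider's code: an in-memory sketch in which the first request for a share link sets a cookie and later requests without it are refused. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class ShareLinks:
    """Hypothetical share-link store: a link binds to the first browser that opens it."""

    def __init__(self):
        # token -> {"file": file id, "cookie_hash": sha256 hex digest or None}
        self._links = {}

    def create(self, file_id):
        """Create an unguessable share token for file_id."""
        token = secrets.token_urlsafe(32)
        self._links[token] = {"file": file_id, "cookie_hash": None}
        return token

    @staticmethod
    def _digest(cookie):
        # Only a hash of the cookie is kept server-side.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def open(self, token, cookie=None):
        """Return (http_status, file_id, cookie_to_set)."""
        link = self._links.get(token)
        if link is None:
            return 404, None, None
        if link["cookie_hash"] is None:
            # First open: bind the link to this browser. Whoever opens first
            # wins, so a URL that leaked before the recipient used it is
            # bound to the wrong party (the recipient then sees 403).
            new_cookie = secrets.token_urlsafe(32)
            link["cookie_hash"] = self._digest(new_cookie)
            return 200, link["file"], new_cookie
        if cookie is not None and hmac.compare_digest(
            self._digest(cookie), link["cookie_hash"]
        ):
            return 200, link["file"], None
        # URL alone (for example, recovered from a Referer log) is not enough.
        return 403, None, None


if __name__ == "__main__":
    links = ShareLinks()
    tok = links.create("report.pdf")
    status, _, bound = links.open(tok)            # recipient's first click
    print("first open:", status)
    print("replay without cookie:", links.open(tok)[0])
    print("same browser again:", links.open(tok, bound)[0])
```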
Re: (Score:1)
Actually, a document isn't private unless you physically own it (hence, no "cloud" anything) and control the access to it (private links, self-destructing links, HTTP sessions, etc). Relying on an external walled garden means that you gave them ownership (either legally, or physically).
As bandwidth increases, owning a link which resolves a piece of information will become increasingly equivalent to owning that information.
Re: (Score:2)
Actually, a document isn't private unless you physically own it (hence, no "cloud" anything) and control the access to it (private links, self-destructing links, HTTP sessions, etc). Relying on an external walled garden means that you gave them ownership (either legally, or physically).
All of which is irrelevant to the vast majority of people, who can reasonably assume that the cloud provider is more interested in their business than in stealing their content.
To most, security here means "the people I want to give this to can see it, other people can't". The fact that some cloud server must have access to it, and that an employee of the company operating the cloud could get in there and see it doesn't matter, since it's reasonable to assume that a reputable cloud service provider has po
Re: (Score:1)
I totally agree. This is the opposite of a leak. This is called "sharing". If you don't want your private documents put on the internet then don't put your private documents on the internet. If you don't want Google to know about your secret links then don't tell Google about your secret links.
I'm having a hard time figuring out how this got onto Slashdot... oh, Soulskill, well that explains it.
Re: (Score:2)
Neither Dropbox nor Box are going to accidentally publish their HTTP server's logs publicly.
It is up to them whether to put up a Robots.txt file to determine this. Both even have one- but it doesn't include shared private files:
Common Stupidity is more like it. (Score:2)
Common sense dictates that *if* you value your money in the slightest, you alone have access and control. Short of this, you've lost the battle before it has begun.
Do you use bank services? Credit cards? Money transfer services? Paypal? Square? Bitcoins?
Ok maybe your argument is that data and money is not the same. Let's restrict the argument to data alone. A policeman asks you for your driving licence. Your bank asks you for your transaction number. The online vendor you are trying to buy goods from asks fo
Dropbox leak? (Score:2)
People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents.
This sounds more like an ID10-T problem to me. If the user wants the links kept quiet they need to make sure not to type them in public places or link them in files they give others.
Re: (Score:2)
In the latter case, they're actually talking about you (party A) sharing a file that contains links. That file is shared to party B, who clicks on one of the links. The target of the link is a website, party C. The URL to the shared file is exposed to party C via the Referer header, which contains the URL to the shared file.
This exposure is non-obvious even to technical people, but it's commonplace. Paths get leaked all over the place, so information in paths absolutely must not be considered secure. For in
Issue is being resolved (Score:1)
Encryption (Score:3)
A more important question is why are you using a cloud provider without using encryption? No one should be storing any sort of sensitive file on a cloud service without first encrypting it. I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing... anything. Use something to protect yourself instead of giving unfettered access to the cloud provider and their (lack of) security.
They have little reason to protect you.
Re: (Score:2)
Came in here to say exactly this.
Whether or not you trust Joe Sixpack with your files, why the hell do you trust DropBox themselves? Corporate America has proven to us, over and over and over, that they'll sell us out to the highest bidding government in a frickin' heartbeat. Encrypt, encrypt, encrypt!
I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing.
This is why you don't use external clouds.. (Score:1)
Box and Dropbox are forbidden where I work, as they host data on external servers. Company data should be stored on company servers.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Privacy laws prevent sharing of customer data with 3rd parties without explicit permission, and we have explicit permission for billing and collections only, as far as I know. So customer data is out.
So any publicly traded company is likely breaking the law if they use dropbox for anything not cleared for public distribution.
Sleep well, citizens! (Score:1)
Condi is on the job!
My tap leaks every time I turn the knob. (Score:3)
Drop/Box gave these users the option to make these files publicly accessible, they chose to make them publicly accessible, which made them publicly accessible. THE HORROR!
How is this getting reported? Is this some kind of weird post Heartbleed security reporting bandwagon? /. editors, this is a wood league effort, step it up please.
Customer Error (Score:1)
Someone typed a full, unsecured, web link into a search and Google AdWords reported it to the advertiser. I don't believe this would be considered a security issue or flaw with any cloud provider. This is customer error, not securing sensitive information with a password or permissions. If anything, it'd be a flaw with Google AdWords reporting the full search terms, but even that is stretching it.
A Non Issue - FUD From a Competitor (Score:1)
The "cloud" hate is strong here so I suppose I shouldn't be surprised that nobody has mentioned this yet, but this is quite simply a non issue. Box and Dropbox allow you to share files publicly, but it is not the default. While each have had genuine security issues in the past, this is not one. This is simple, common user ignorance. Both services have proper and secure sharing methods to share documents with other users of the service that require authentication on both ends.
What happens is:
- User clicks "S