Warning over unintentional file leak from storage sites

People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files.

Intralinks - which is a competitor - said it found sensitive files, such as mortgage records.
The problem centred on the use of the services' sharing function that generated a public link.

As a precaution, Dropbox has disabled access to links that have been previously shared.
It said it had also implemented a patch to prevent shared links from being exposed from now on.

"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments," the company said in a blog post.

"We're working to restore links that aren't susceptible to this vulnerability over the next few days."

Box has not responded to the BBC's request for a comment.

Security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.

"I think these services need to be more upfront with warnings," he told the BBC.
However, he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.

Referral data
Mr Cluley has outlined suggestions on his blog for how users can restrict access to the public files.

Both websites offer ways to tighten security on shared links, but doing so limits flexibility.
"This is the eternal battle sites like this face," Mr Cluley added. "It's security versus functionality."
Dropbox, Box and most other cloud hosting services often give users the option of creating a shareable web link for their files.

It means users are able to simply send a web address - made up of a string of letters and numbers - for someone to directly download a file without needing to log in.

Because of the complexity of the link, it is very difficult to guess - meaning that while the link is technically public, it is unlikely anyone would be able to access it by chance.

However, Intralinks discovered that the links were being exposed in two ways not previously considered.

Firstly, it discovered that shared links were often appearing in websites' referral data.
Many websites look at referral data when analysing their traffic to get an insight into how visitors got to their site.

Intralinks found that if a link to a website is included in a file shared on Dropbox, and subsequently clicked within the web viewer, the website owner would see the shared link in its referral data - and therefore be able to access the file.

Dropbox said its patch has now fixed the problem.

Google ads
Furthermore, the company had been running a Google advertising campaign, and had paid to have an advert for Intralinks appear in Google's search results whenever someone searched for "Dropbox" or "Box".

Companies that use Google's search advertising service are sent an anonymised breakdown of what users had searched for in order to find their advertising.

Intralinks found that many people would put the entire shared link into a Google search box, and therefore Intralinks would subsequently see those links in the breakdown data from Google.

While copying and pasting a download link into Google's search engine might appear to be odd behaviour, Intralinks said "a few hundred documents" were exposed to them in this way.

Dropbox's patch has not addressed this particular problem, Mr Cluley said.

Intralinks' chief technology officer for Europe, Middle East and Africa, Richard Anstey, said: "Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar - it's an easy mistake to make.

"However, what they don't realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an 'adword' that closely matches any part of that link."

http://www.bbc.com/news/technology-27285786
