Warning over unintentional file leak from storage sites Skip to main content

Warning over unintentional file leak from storage sites

Warning over unintentional file leak from storage sites
Dropbox artwork  
Dropbox has moved to fix the issue

Related Stories

People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files.

Intralinks - which is a competitor - said it found sensitive files, such as mortgage records.
The problem centred on the use of the services' sharing function that generated a public link.

As a precaution, Dropbox has disabled access to links that have been previously shared.
It said it had also implemented a patch to prevent shared links from being exposed from now on.

"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments," the company said in a blog post.

"We're working to restore links that aren't susceptible to this vulnerability over the next few days."

Box has not responded to the BBC's request for a comment.

Security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.

"I think these services need to be more upfront with warnings," he told the BBC.
However he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.

Referral data
Mr Cluley has outlined suggestions on his blog for how users can restrict access to the public files.

Both websites offer ways to tighten security on shared links, but doing so limits flexibility.
"This is the eternal battle sites like this face," Mr Cluley added. "It's security versus functionality."
Box headquarters in London  
Box is another highly successful file storage service
Dropbox, Box and most other cloud hosting services often give users the option of creating a shareable web link for their files.

It means users are able to simply send a web address - made up of a string of letters and numbers - for someone to directly download a file without needing to log in.

Because of the complexity of the link, it is very difficult to guess - meaning that while the link is technically public, it is unlikely anyone would be able to access it by chance.

However, Intralinks discovered that the links were being exposed in two ways not previously considered.

Firstly, it discovered that shared links were often appearing in websites' referral data.
Many websites look at referral data when analysing their traffic to get an insight into how visitors got to their site.

Intralinks found that if a link to a website is included in a file shared on Dropbox, and subsequently clicked within the web viewer, the website owner would see the shared link in its referral data - and therefore be able to access the file.

Dropbox said its patch has now fixed the problem.

Google ads Furthermore, the company had been running a Google advertising campaign, and had paid to have an advert for Intralinks appear in Google's search results whenever someone searched for "Dropbox" or "Box".

Companies that use Google's search advertising service are sent an anonymised breakdown of what users had searched for in order to find their advertising.

Intralinks found that many people would put the entire shared link into a Google search box, and therefore Intralinks would subsequently see those links in the breakdown data from Google.

While copying and pasting a download link into Google's search engine might appear to be odd behaviour, Intralinks said "a few hundred documents" were exposed to them in this way.

Dropbox's patch has not addressed this particular problem, Mr Cluley said.

Intralink's chief technology officer for Europe, Middle East and Africa Richard Anstey said: "Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar - it's an easy mistake to make.

"However, what they don't realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an 'adword' that closely matches any part of that link."

http://www.bbc.com/news/technology-27285786

Comments

Popular posts from this blog

Chronology of the Press in Burma

1836 – 1846 * During this period the first English-language newspaper was launched under British-ruled Tenasserim, southern  Burma . The first ethnic Karen-language and Burmese-language newspapers also appear in this period.     March 3, 1836 —The first English-language newspaper,  The Maulmain Chronicle , appears in the city of Moulmein in British-ruled Tenasserim. The paper, first published by a British official named E.A. Blundell, continued up until the 1950s. September 1842 —Tavoy’s  Hsa-tu-gaw  (the  Morning Star ), a monthly publication in the Karen-language of  Sgaw ,  is established by the Baptist mission. It is the first ethnic language newspaper. Circulation reached about three hundred until its publication ceased in 1849. January 1843 —The Baptist mission publishes a monthly newspaper, the Christian  Dhamma  Thadinsa  (the  Religious Herald ), in ...

Sri Bhaddanta Chandramani Mahathera

The Life Story of A Distinguished And Outstanding Bhikkhu The Most Venerable Saradawpharagree Sri Bhaddanta Chandramani Mahathera The Buddhist missionary Saradaw Ashin U Chandramani was endowed with great gifts and led a famous and long life. He was a very well known, distinguished and outstanding Bhikkhu Mahathera. While living in the Kushinagar Monastery, a place close to where the Lord Buddha had passed away to Nirvana, the Government of India had offered, and he had accepted, the highest, most honourable and respected title "Guru Guru MahaGuru". He became the first ever President of all Buddhists in India.A World Buddhist Conference took place in Kathmandu during the reign of King Mahindra of Nepal. The Conference was very well attended by over one hundred thousand Buddhists from various parts of the world and it was opened by King Mahindra himself. As requested by the King, Saradawpharagree blessed all the participants with the power of Triple Gems...

Thai penis whitening trend raises eyebrows

Image copyright LELUXHOSPITAL Image caption Authorities warn the procedure could be quite painful A supposed trend of penis whitening has captivated Thailand in recent days and left it asking if the country's beauty industry is taking things too far. Skin whitening is nothing new in many Asian countries, where darker skin is often associated with outdoor labour, therefore, being poorer. But even so, when a clip of a clinic's latest intriguing procedure was posted online, it quickly went viral. Thailand's health ministry has since issued a warning over the procedure. The BBC Thai service spoke to one patient who had undergone the treatment, who told them: "I wanted to feel more confident in my swimming briefs". The 30-year-old said his first session of several was two months ago, and he had since seen a definite change in the shade. 'What for?' The original Facebook post from the clinic offering the treatment, which uses lasers to break do...