People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files.
Intralinks – which is a competitor – said it found sensitive files, such as mortgage records. The problem centred on the use of the services’ sharing function that generated a public link.
As a precaution, Dropbox has disabled access to links that have been previously shared.
It said it had also implemented a patch to prevent shared links from being exposed from now on.
“We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments,”the company said in a blog post.
“We’re working to restore links that aren’t susceptible to this vulnerability over the next few days.”
Box told the BBC: “When a user generates an open shared link, we display a warning message to help them understand the permissions for that content.
“We also present several options to help users manage access to their content (for example, links can be password protected or assigned expiration dates).
“In addition, company admins can ensure organisation-wide secure sharing by setting shared link defaults to company-only or collaborator-only (people in the same shared folder).”
Security researcher Graham Cluley said identity thieves could use the method to “scoop up” data.
“I think these services need to be more upfront with warnings,” he told the BBC.
However he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.
Referral data
Mr Cluley has outlined suggestions on his blog for how users can restrict access to the public files.
Both websites offer ways to tighten security on shared links, but doing so limits flexibility.
“This is the eternal battle sites like this face,” Mr Cluley added. “It’s security versus functionality.”
Dropbox, Box and most other cloud hosting services often give users the option of creating a shareable web link for their files.
It means users are able to simply send a web address – made up of a string of letters and numbers – for someone to directly download a file without needing to log in.
Because of the complexity of the link, it is very difficult to guess – meaning that while the link is technically public, it is unlikely anyone would be able to access it by chance.
However, Intralinks discovered that the links were being exposed in two ways not previously considered.
Firstly, it discovered that shared links were often appearing in websites’ referral data.
Many websites look at referral data when analysing their traffic to get an insight into how visitors got to their site.
Intralinks found that if a link to a website is included in a file shared on Dropbox, and subsequently clicked within the web viewer, the website owner would see the shared link in its referral data – and therefore be able to access the file.
Dropbox said its patch has now fixed the problem.
Google ads
Furthermore, the company had been running a Google advertising campaign, and had paid to have an advert for Intralinks appear in Google’s search results whenever someone searched for “Dropbox” or “Box”.
Companies that use Google’s search advertising service are sent an anonymised breakdown of what users had searched for in order to find their advertising.
Intralinks found that many people would put the entire shared link into a Google search box, and therefore Intralinks would subsequently see those links in the breakdown data from Google.
While copying and pasting a download link into Google’s search engine might appear to be odd behaviour, Intralinks said “a few hundred documents” were exposed to them in this way.
Dropbox’s patch has not addressed this particular problem, Mr Cluley said.
Intralink’s chief technology officer for Europe, Middle East and Africa Richard Anstey said: “Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar – it’s an easy mistake to make.
“However, what they don’t realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an ‘adword’ that closely matches any part of that link.”
Follow Dave Lee on Twitter @DaveLeeBBC
Source: BBC