SecurityWeek

Cloud Security

Dropbox Storage Service Patches Privacy Issue

Cloud storage provider Dropbox said it has fixed a vulnerability that could expose user content to third parties.

According to the company, the vulnerability affected shared links to files that themselves contain hyperlinks. Users can share a link to any file or folder in their Dropbox, Dropbox’s Aditya Agarwal explained in a blog post, and files shared via links are accessible only to people who have the link. However, a shared link to a document can be inadvertently disclosed to unintended recipients in the following scenario:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • At that point, the browser sends the shared link’s URL to the third-party website in the HTTP Referer header.
  • Someone with access to that header, such as the webmaster of the third-party website, could then use the link to access the shared document.
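The scenario in the list above, as an added Python example that is not from the article or from Dropbox: a simplified model of the Referer value a browser sends for a given Referrer-Policy, showing that the permissive default of the time forwards the whole shared-link URL (token included) to the third-party site, while a restrictive policy such as strict-origin-when-cross-origin reduces it to the origin. The shared-link token and the target URL are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example of a shared link; the token is made up, not a real Dropbox link.
SHARED_LINK = "https://www.dropbox.com/s/EXAMPLETOKEN/quarterly-report.docx?dl=0"
THIRD_PARTY = "https://example.org/some/page"   # hyperlink inside the shared document


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value sent when a link on page_url pointing at target_url is followed.

    Simplified model of the Referrer Policy spec for the common policy values;
    fragments are never sent, so only scheme/host/path/query are considered."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return _origin(page_url) + "/"
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url) + "/"
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else _origin(page_url) + "/"
    if policy == "no-referrer-when-downgrade":  # historical browser default
        return None if downgrade else full
    raise ValueError(f"unknown policy: {policy}")


def leaks_shared_link(page_url, target_url, policy):
    """True if the path/query carrying the shared-link token reaches the target site."""
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and urlsplit(ref).path not in ("", "/")
```

The same check applies to any service that puts a capability token in a URL: if the page is rendered in a browser and links out, the policy (or a rel="noreferrer" on outbound links) decides whether the token travels with the click.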

When services do not require authentication by default, users can all too easily begin to leak information, opined security researcher Graham Cluley.

“In summary,” he blogged, “shared links that were intended for a limited, controlled audience, containing sensitive information may be disclosed to third parties.”

Dropbox said it is not aware of the issue being exploited, and has disabled access entirely for previously shared links. It is working to restore links that aren’t susceptible to the vulnerability during the next few days. In the meantime, customers can recreate any shared links that have been turned off, according to Agarwal.

“For all shared links created going forward, we’ve patched the vulnerability,” Agarwal blogged. “Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected.”
