Cloud storage provider Dropbox said it has fixed a vulnerability that could expose user content to third parties.
According to the company, the vulnerability affected shared links to files that themselves contain hyperlinks. Users can share a link to any file or folder in their Dropbox, Dropbox’s Aditya Agarwal explained in a blog post, and a file shared this way is accessible to anyone who has the link. Because the link is the only credential, a shared link to a document can be disclosed to unintended recipients in the following scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, opens the document through the shared link and clicks the hyperlink in it.
- The browser sends the request to the third-party site with a Referer header carrying the URL of the page the click came from, which is the original shared link.
- Anyone with access to that header, such as the webmaster of the third-party website, can lift the link from their server logs and open the shared document.
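The scenario above has two sides: what the browser puts in the Referer header when a link is followed from a rendered shared document, and what the third-party site's operator then sees in its access logs. The following Python is an added example (not code from Dropbox or from the original article) that models both. `referer_sent` computes the Referer a browser attaches under several Referrer-Policy values, including the classic default that leaks the full URL; `leaked_shared_links` scans constructed Apache/nginx combined-format log lines for referers that look like shared links. The shared-link URL, the third-party URL, the log lines and the `/s/` and `/sh/` path pattern are all assumptions made for the demonstration, not real links.

```python
import re
from urllib.parse import urlsplit

# Constructed example values for this demonstration; not real shared links.
SHARED_LINK = "https://www.dropbox.com/s/EXAMPLE-TOKEN/quarterly-plan.pdf?dl=0"
THIRD_PARTY_LINK = "https://example.org/pricing"


def referer_sent(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser attaches when a link on page_url is followed to
    target_url under the given Referrer-Policy, or None if nothing is sent.

    Only the policies relevant to this scenario are modelled. The default used
    here, no-referrer-when-downgrade, was the long-standing browser default: it
    sends the full page URL to any https target, which is exactly the leak."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    host = src.hostname + (f":{src.port}" if src.port else "")
    # Browsers strip the fragment and any userinfo from what they send.
    full_url = src._replace(netloc=host, fragment="").geturl()
    origin_only = f"{src.scheme}://{host}/"
    downgrade = src.scheme == "https" and dst.scheme != "https"
    same_origin = (src.scheme, src.hostname, src.port) == (
        dst.scheme, dst.hostname, dst.port)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return full_url if same_origin else None
    raise ValueError(f"unsupported policy: {policy}")


# Apache/nginx "combined" log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumed shape of Dropbox shared links (/s/ for files, /sh/ for folders);
# adjust the pattern for whatever service's links you are hunting for.
SHARED_LINK_RE = re.compile(r"^https?://(www\.)?dropbox\.com/(s|sh)/\S+")


def leaked_shared_links(log_lines):
    """Return (client, request, referer) for every request whose Referer is a
    shared link: this is what the third-party site's webmaster gets to see."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and SHARED_LINK_RE.match(m.group("referer")):
            hits.append((m.group("client"), m.group("request"), m.group("referer")))
    return hits


# Constructed log lines for the demonstration (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2014:10:12:01 +0000] "GET /pricing HTTP/1.1" 200 5120 '
    f'"{SHARED_LINK}" "Mozilla/5.0"',
    '198.51.100.4 - - [05/May/2014:10:13:44 +0000] "GET /pricing HTTP/1.1" 200 5120 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [05/May/2014:10:15:09 +0000] "GET /img/logo.png HTTP/1.1" 200 812 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "origin", "no-referrer"):
        print(f"{policy:28} -> {referer_sent(SHARED_LINK, THIRD_PARTY_LINK, policy)}")
    for client, request, referer in leaked_shared_links(SAMPLE_LOG):
        print(f"leak: {client} {request!r} came from {referer}")
```

Two caveats a practitioner should keep in mind. The leak only happens when the document is rendered in the browser and the link is followed from that rendered page; a copy downloaded and opened in a desktop viewer sends whatever Referer that application chooses, often none. And the general mitigations for a service that renders user documents (a `Referrer-Policy` of `no-referrer` or `origin` on the preview page, `rel="noreferrer"` on rendered links, or routing outbound clicks through a redirect endpoint) are standard web practice, not a description of the fix Dropbox shipped, which the article does not detail.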
When services do not require authentication by default, users can all too easily begin to leak information, opined security researcher Graham Cluley.
“In summary,” he blogged, “shared links that were intended for a limited, controlled audience, containing sensitive information may be disclosed to third-parties.”
Dropbox said it is not aware of the issue having been exploited, and has disabled access to previously shared links altogether. Over the next few days it is working to restore those links that are not susceptible to the vulnerability; in the meantime, customers can recreate any shared link that has been turned off, according to Agarwal.
“For all shared links created going forward, we’ve patched the vulnerability,” Agarwal blogged. “Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected.”