Another day, another vulnerability found in Dropbox; luckily for them, this time Box gets to share in the problem. Both of these vulnerabilities center on shared files and the lack of privacy controls around them.
The shared link disclosure vulnerability happens when a person with a shared link copies the link and, instead of pasting it into the address bar and going there, ends up pasting the shared link into a search engine such as Google. The search engine returns a results page with ads on it, and the advertisers paying for those ads are able to see the complete shared URL that was pasted in as the search term.
This could be fixed soon on Google, since AdWords advertisers are going to start getting "not provided" keywords instead of the actual keywords people type in. Until then it could be an issue for people.
The second vulnerability is called a hyperlink disclosure, or in my words a referral disclosure. If a shared file contains a link to another website and that link is clicked, the external website will often see a referral (the HTTP Referer header) in its logs showing where that visitor came from, exposing the complete URL of the shared file. The browser sends this automatically. There are ways to prevent a referral from being sent, but the majority of people probably do not know of or bother with disabling it.
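To make the referral disclosure concrete from the receiving site's side, here is an added example (not code from the original post, and not from Dropbox or Box) that parses web server access log lines in the common "combined" format, flags requests whose Referer header points at a cloud share link, and shows how an operator can redact such referrers before storing them so the secret share URL is not kept in their own logs. The log lines are constructed for this example, and the share-link host names and path prefixes are assumptions you should check against your own traffic.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hosts and path prefixes used by share links. These are assumptions for the
# example; verify the real patterns in your own logs before relying on them.
SHARE_LINK_PATTERNS = {
    "www.dropbox.com": ("/s/", "/sh/"),
    "dl.dropboxusercontent.com": ("/s/",),
    "app.box.com": ("/s/",),
}

# Constructed sample log lines: two visits referred from share links,
# one from a search engine, one with no referrer at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "GET /pricing HTTP/1.1" 200 5120 '
    '"https://www.dropbox.com/s/abc123def456/Q3-forecast.pdf" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2013:13:56:01 -0700] "GET /pricing HTTP/1.1" 200 5120 '
    '"https://app.box.com/s/xyz789/budget.xlsx" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2013:13:57:12 -0700] "GET / HTTP/1.1" 200 2048 '
    '"https://www.google.com/search?q=pricing" "Mozilla/5.0"',
    '192.0.2.45 - - [10/Oct/2013:13:58:40 -0700] "GET /about HTTP/1.1" 304 - "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_share_link(url):
    """True if the URL's host and path look like a cloud share link."""
    parts = urlsplit(url)
    prefixes = SHARE_LINK_PATTERNS.get(parts.netloc.lower())
    if not prefixes:
        return False
    return any(parts.path.startswith(p) for p in prefixes)


def find_leaked_share_links(lines):
    """Return (client_ip, referer) pairs whose Referer header exposes a share link."""
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_share_link(rec["referer"]):
            leaks.append((rec["ip"], rec["referer"]))
    return leaks


def redact_referer(url):
    """Keep only scheme and host of a share-link referrer so the secret token is not persisted."""
    if not is_share_link(url):
        return url
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/[share-link-redacted]"


if __name__ == "__main__":
    for ip, ref in find_leaked_share_links(SAMPLE_LOG):
        print(f"{ip} arrived via share link -> stored as {redact_referer(ref)}")
```

The detection side is useful to the site operator, who may not want to hold other people's private share URLs in their logs at all; the redaction function removes the token while still recording that the visit came from a file-sharing service. The author of the shared document can stop the leak at the source by marking outbound links `rel="noreferrer"` or serving the document with a `Referrer-Policy: no-referrer` header where the hosting service allows it.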
The problem with both of these flaws is really that the shared file has no security check to see whether the person accessing the file is actually the person who should be accessing it. Box does provide some tools to prevent this, but clearly they need to do more to save people from themselves.
This is also a good reminder that if you don't want something out there on the Internet, you need to take some extra precautions to keep it safe: use the tools Box gives you to make links expire or to restrict access. Dropbox users on the free or regular Dropbox plan have it a little harder, since Dropbox does not offer any type of sharing restrictions, but you can delete shares once you know you will no longer need them.
Another alternative is to use a service that offers sharing but requires a password from the shared users, so the files are inaccessible without the proper password.