A major vulnerability was identified earlier this week in the online platform of Box and Dropbox that allows for the discovery of private file transfer links. This means private data can be read by third parties or indexed by search engines.
Discovery of the vulnerability
The vulnerability was discovered by cloud-based file locker Intralinks in a Google AdWords campaign in which its services are advertised using keywords that identify its competitors, which in this case are Box and Dropbox. The vulnerability exists when users share files via share links, which are then subsequently inserted into the search box (as opposed to the URL bar) in their browsers; this allowed Intralinks to collect the data in the AdWords campaign management interface.
In the same fashion, users are vulnerable to a slightly different attack that involves the relay of HTTP Referrer headers, as Dropbox outlines in this example scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
- At that point, the referrer [sic] header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
In the same post, Dropbox notes that the problem with the search box is "well known and we don't consider it a vulnerability." Ultimately, the only protection that the shared files have is that they are difficult to get to, requiring an exceptionally long URL to access — in effect, security through obscurity.
According to Intralinks, "To be clear, we gained access to files because users of file sharing applications often aren't taking simple precautions to safeguard their data. When used this way, all file sharing apps are potentially vulnerable. When using file sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place."
This statement illustrates a problem with the underpinning of such services: The security practices of Box and Dropbox rely on the end user to be competent enough to not expose their private data to the world. Interestingly, users of Dropbox for Business have the option to restrict shared link access to people inside a user group, a feature not offered to standard Dropbox users. Users of Box have somewhat more options; users can add expiration dates and password protection to otherwise open share links.
On May 7, 2014, Dropbox announced that it will be gradually re-enabling links that are not susceptible to the vulnerability, and provided a way for users to generate new links that are not susceptible. The following day, the company provided a utility for users to re-enable links regardless of their susceptibility.
Browsers are part of the problem
In the interest of usability, popular web browsers have undergone design changes that fundamentally alter the way people interact with browsers, and how exposed end users are to such technically complex things as URLs. Google Chrome has tested the concept of removing lengthy URLs, instead opting to display only the domain name, sans "http://" and "www." In theory, this type of behavior protects against phishing — to the extent that adding a directory that looks like a domain name (e.g., http://www.arbitrarydomain.tld/i/yourfinancialinstitution.com/) can appear to people who do not readily understand a web browser as genuinely being the website of their financial institution.
In addition, the address bar in Mozilla Firefox can and does pass off data to the default search engine (for users set to default, this is Google) in the event that a URL seems to be malformed. Firefox has the benefit of separating the address and search boxes, though the aforementioned befuddled users who do not understand browsers are prone to typing a URL into such search boxes, which is a vector for the vulnerability with Box and Dropbox.
Post your feedback
Is this issue overblown, or, a critical oversight by consumer cloud storage vendors? Should browser vendors act as an intermediary between the user and such basic things as a URL? Let us know in the comments section.
- Dropbox drops the security notification ball, again (ZDNet)
- Google Chrome's plan to hide URLs hits a snag (CNET)
- How Aaron Levie and his childhood friends built Box into a $2 billion business, without stabbing each other in the back (TechRepublic)
Disclaimer: TechRepublic, ZDNet, and CNET are CBS Interactive properties.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.