How safe is it to store and share files in cloud-based file sharing services?
Apparently not very much, as one leading cloud service provider rushed a few days ago to roll out a fix to a vulnerability that would allow a third party to access documents being shared by two users through a cloud-file sharing service.
Dropbox said it is unaware of any instance indicating the flaw being abused, but just the same, advised its customers to take precautionary measures.
“We wanted to let you know about a web vulnerability that impacted shared links to files containing hyperlinks,” said Aditya Agarwal, vice-president of engineering at Dropbox, in post on the company’s web site. “We’ve taken steps to address this issue and you don’t need to take any further action.”
Agarwal then proceeded to provide a background on how hyperlinks are shared between Dropbox users and how headers on these links could be used by a third party to access the links to the documents being shared.
The potential of having share links to stored documents hijacked by third parties was earlier made public in a report by Intralinks Holdings Inc., a provider of enterprise content management and coloration solutions. The company said it was doing a routine analysis of Google AdWords and Google Analytic data that mention names of Intralinks’ competitors, Dropbox and Box, when it found the flaw.
“We inadvertently discovered the fully clickable URLs (uniform resource identifiers) necessary to access these documents that led us to live folder contents, some with sensitive data,” according to a post on the CollaboristaBlog maintained by Intralinks. “Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes.”
Intralinks said they stumbled on the issue because “file sharing solution users created links for their files and entered them in the search box instead of the URL box in their Web browsers.” This enabled Intralinks to access the share links when it the company ran a Google AdWords campaign.
In his post, Agarwal of Dropbox explained that files shared via links are only accessible to people who have the link. However, shared links to documents can be “inadvertently disclosed to unintended recipients” as illustrated in this scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document
- At that point, the referrer header discloses the original shared link to the third-party website
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document
He said Dropbox has taken the following steps to prevent the flaw from being exploited:
- For previously shared links to such documents, Dropbox disabled access entirely until further notice
- Dropbox is working to restore links that aren’t susceptible to this vulnerability over the next few days
- In the meantime, as a workaround, users can re-create any shared links that have been turned off. Follow this link to learn how
- For all shared links created going forward, Dropbox patched the vulnerability
Dropbox for Business customer the option to restrict shared link access to people in their Dropbox for Business team. Links created with those access controls were not affected.
Intralinks also provided the following steps to protect data:
- Check sync and share service to see if it supports privacy settings – Make sure that the product you use supports “privacy” settings. This ensures that only people you specifically invite will be able to access a file. The system should also be able to support authentication, with a requirement that users identify themselves and have a password
- Set account to ‘private’ using basic security settings – Most file sync and share applications default to a ‘public’ setting, which means that anyone who has a link to your files can readily access them. It is recommended that you set your account to “private” by default, and then specifically invite people with whom you want to share
- If you’ve already shared sensitive files in a public folder, delete them – If you’ve already shared items that are not private, don’t change the status – delete the files and re-upload them in a new, private folder. Changing the folder status from public to private is not a foolproof way to protect files you have already shared
- Delete old files that you don’t need anymore – This reduces the likelihood of old and forgotten but still sensitive files being compromised
- Keep business files and personal files in separate accounts