Users store a lot of different data on cloud storage. When it comes to business, chances are a lot of that data is going to be private and confidential. As such, security in the cloud is one of the top factors that all enterprises should investigate when choosing a cloud provider.
A lot of cloud services allow you to share your data with others, should you wish. You can add named people to a file, or generate a link that you can send to them, giving them direct access to the file. The catch with the second method is that the link itself is the credential: anyone who obtains the URL, by whatever route, can typically open the file without an account or password.
Apparently, users of Dropbox and Box may have accidentally exposed some of their private data by mishandling exactly those sharing URLs.
Intralinks (a competing cloud file-sharing provider) found the problem while studying its Google AdWords data. The company had paid for a campaign that showed its adverts when users searched for competitors' names. The results showed that some users were typing or pasting a shared-file URL into the search box rather than the address bar, so the whole URL was sent to the search engine as a query; because it contained a competitor's name, it triggered the Intralinks advert, and the URL then turned up in Intralinks' campaign reports.
The company found that the revealed URLs led to all sorts of data, including mortgage applications, blueprints and tax returns. Intralinks said around three hundred documents, five percent of its total hits for the campaign, were exposed to it this way.
Dropbox have acknowledged this, but say it is well known and that they don't consider it a vulnerability. They simply urge users to be more careful about handing share links to third parties such as search engines.
However, there has been another issue raised recently that Dropbox are trying to patch.
Whenever you click a link in your browser, the site you land on learns which page you came from, because the browser sends it a Referer header containing the URL of the previous page. Every major browser does this, and websites rely on it to understand where their traffic comes from.
Some Dropbox users were sharing a link to a document that itself contains a hyperlink to a third-party website. When that user, or anyone they shared the file with, opens the document through the shared link and clicks the hyperlink inside it, the browser sends the third-party site a Referer header containing the full shared-document URL. Since the shared link is all that is needed to open the file, whoever runs that third-party site, or can read its server logs, can now open the document too.
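To make the mechanism concrete, the following is an added example written for this article; it is not Dropbox's code and Dropbox's fix is not described here. It models what a third-party site receives in the Referer header when a link inside a shared document is clicked, under the browser's default behaviour and under the stricter referrer policies that now exist, and then scans a few constructed web-server access-log lines for Referer values that carry a share link, which is the check an operator of such a third-party site would run. The shared-document URL, its token and the log lines are all constructed for the example, and the share-link pattern it looks for is an assumption about the `/s/` path style of Dropbox and Box links rather than anything the article states.

```python
"""Referer leakage from shared-document links: added illustration, not Dropbox code."""
import re
from urllib.parse import urlsplit

# Constructed example share URL; the token is made up.
SHARED_DOC = "https://www.dropbox.com/s/CONSTRUCTED0token/mortgage-application.pdf"


def _origin(url):
    """scheme://host[:port]/ - what the 'origin' family of policies sends."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}/"


def _full(url):
    """The full URL minus fragment and userinfo, which browsers never send in Referer."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname}{port}{p.path or '/'}{query}"


def referer_for(source, target, policy="no-referrer-when-downgrade"):
    """Return the Referer value (or None) a browser sends when navigating from
    `source` to `target` under the given Referrer-Policy. The default policy
    argument is the long-standing browser default that leaks the full URL
    to any HTTPS destination."""
    src, dst = urlsplit(source), urlsplit(target)
    same_origin = _origin(source) == _origin(target)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source)
    if policy == "origin":
        return _origin(source)
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "same-origin":
        return _full(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full(source) if same_origin else _origin(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full(source)
        return None if downgrade else _origin(source)
    raise ValueError(f"unknown referrer policy {policy!r}")


# Assumed share-link shape (hypothetical pattern, not from the article).
SHARE_LINK = re.compile(r'https?://(?:www\.)?(?:dropbox\.com|app\.box\.com)/s/[^\s"]+')

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines as a third-party site might see them.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2014:10:21:03 +0000] "GET /pricing HTTP/1.1" 200 5123 '
    '"https://www.dropbox.com/s/CONSTRUCTED0token/mortgage-application.pdf" "Mozilla/5.0"',
    '198.51.100.4 - - [05/May/2014:10:22:41 +0000] "GET / HTTP/1.1" 200 812 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [05/May/2014:10:23:09 +0000] "GET /pricing HTTP/1.1" 200 5123 '
    '"-" "Mozilla/5.0"',
]


def leaked_share_links(log_lines):
    """Return (client_ip, share_url) for every log line whose Referer carries
    a share link; each such URL would open the shared document."""
    found = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for hit in SHARE_LINK.finditer(m.group("referer")):
            found.append((m.group("ip"), hit.group(0)))
    return found


if __name__ == "__main__":
    target = "https://bank.example/apply"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_for(SHARED_DOC, target, policy)}")
    print("share links seen in Referer:", leaked_share_links(SAMPLE_LOG))
```

Under the default policy the third party receives the entire share URL, token included; `strict-origin-when-cross-origin` reduces it to `https://www.dropbox.com/`, and `no-referrer` suppresses the header altogether. Those policies can be set by the hosting site through the `Referrer-Policy` response header or a `<meta name="referrer">` tag, and a single link can opt out with `rel="noreferrer"`. A fragment such as `#page=2` is never sent, so putting a secret in the fragment rather than the path is the one part of a URL the Referer header cannot leak.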
As a precaution, Dropbox disabled all shared links while they tried to solve the problem.
“We realise that many of your workflows depend on shared links, and we apologise for the inconvenience,” said Dropbox in a blog post. “We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments.”
Users have since been given the ability to re-enable the disabled links, but at the time of writing doing so reintroduces the problem, as Dropbox have not found a solution. Whether such a solution can be found, or whether it will remain a recognised vulnerability, is currently unknown.
“Many people fail to use basic security features and take few precautions with even highly sensitive financial data,” said Intralinks. “The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured.”
How User Error Could Leak Private Cloud Data