


Dropbox and Box leak files in security through obscurity nightmare

Box and Dropbox have fallen victim to an exploit that allows privately shared files to be read, due to poor security practices and poor design choices in browsers.

A major vulnerability was identified earlier this week in the online platform of Box and Dropbox that allows for the discovery of private file transfer links. This means private data can be read by third parties or indexed by search engines.

The vulnerability was discovered by cloud-based file locker Intralinks in a Google AdWords campaign in which its services are advertised using keywords that identify its competitors, which in this case are Box and Dropbox. The vulnerability exists when users share files via share links, which are then subsequently inserted into the search box (as opposed to the URL bar) in their browsers; this allowed Intralinks to collect the data in the AdWords campaign management interface.

In the same fashion, users are vulnerable to a slightly different attack that involves the relay of HTTP Referrer headers, as Dropbox outlines in this example scenario:

1. A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
2. The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
3. At that point, the referrer header discloses the original shared link to the third-party website.
4. Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.

According to Intralinks, “To be clear, we gained access to files because users of file sharing applications often aren’t taking simple precautions to safeguard their data. In addition, many mingle personal data along with confidential company data, with no security in place.”

This statement illustrates a problem with the underpinning of such services: the security practices of Box and Dropbox rely on the end user to be competent enough to not expose their private data to the world. When using file sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. When used this way, all file sharing apps are potentially vulnerable. In the same post, Dropbox notes that the problem with the search box is “well known and we don’t consider it a vulnerability.” Ultimately, the only protection that the shared files have is that they are difficult to get to, requiring an exceptionally long URL to access - in effect, security through obscurity.
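To make the referrer scenario concrete, here is an added example (not from the article, nor Dropbox's or Box's code) that models what a browser places in the Referer header when a page served at a share link points to a third-party site, under each standard Referrer-Policy value. The share link and third-party URL are constructed placeholders; the point is that the full link, token and all, is sent under the permissive policies, while an origin-only or no-referrer policy set by the document viewer (or `rel="noreferrer"` on the outbound link) keeps it private.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed example values (not a real share token or site).
SHARE_LINK = "https://www.dropbox.com/s/EXAMPLE_TOKEN_0123456789/financials.pdf?dl=0"
THIRD_PARTY = "https://example.com/press-release"

def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def _stripped(url: str) -> str:
    # A URL "stripped for use as a referrer": credentials and fragment removed,
    # but path and query (i.e. the unguessable share token) are kept.
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def referer_sent(source: str, target: str, policy: str) -> Optional[str]:
    """Referer value a browser sends when the page at `source` navigates to
    `target` under `policy`; None means no Referer header at all."""
    same_origin = _origin(source) == _origin(target)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy == "no-referrer-when-downgrade":   # the browser default in 2014
        return None if downgrade else _stripped(source)
    if policy == "origin":
        return _origin(source)
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _stripped(source) if same_origin else _origin(source)
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return _stripped(source)
        return None if downgrade else _origin(source)
    raise ValueError(f"unknown policy: {policy}")

def leaks_share_link(source: str, target: str, policy: str) -> bool:
    """True when the third party receives the complete share link."""
    return referer_sent(source, target, policy) == _stripped(source)

if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} -> {referer_sent(SHARE_LINK, THIRD_PARTY, pol)}")
```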
