Dropbox has acknowledged and disabled a vulnerable shared links feature that exposed documents stored by the service to third parties. Shared links are a collaboration feature that allows users, especially in a business environment, to share and edit documents.

Dropbox rival Intralinks reported the vulnerability in November and said Dropbox responded that it did not believe the problem was a vulnerability.

Dropbox, however, today said it has taken steps to address the issue including patching the vulnerability protecting shared links going forward, and disabling access to previously shared links.

“We’re working to restore links that aren’t susceptible to this vulnerability over the next few days,” Dropbox said in a statement. “In the meantime, as a workaround, you can re-create any shared links that have been turned off.”

Dropbox said it was not aware of any users losing data. Users could be exploited by sharing a link to a document that contains a hyperlink to a third-party website. The recipient clicks on the link and the referrer header in the user’s browser discloses the original shared link to the third party website, Dropbox said, giving someone at the third party access to the link to the shared document.

“We realize that many of your workflows depend on shared links, and we apologize for the inconvenience,” Dropbox said. “We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments.”

Dropbox also acknowledged a second scenario where a shared link could be leaked. This one involves users entering a shared link into a search engine which could pass that link onto an ad partner, Dropbox said. “This is well known and we don’t consider it a vulnerability,” Dropbox said. “We urge everyone to be careful about providing shared links to third parties like search engines.”

Intralinks said that the privacy problem could apply to other consumer-based file sync and share applications.
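The referrer header leak described in the article can be checked against the browser's Referrer-Policy setting. The following is an added example, not code from Dropbox or Intralinks: a simplified model of which referrer value a third-party site receives when a link inside a shared document is clicked. The URLs and token are constructed placeholders, and `no-referrer-when-downgrade` was long the browser default.

```javascript
// Simplified sketch of the W3C Referrer Policy rules for one navigation.
// Assumption: "potentially trustworthy" is reduced to "scheme is https".
function computeReferrer(documentUrl, targetUrl, policy) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  // A referrer never carries credentials or a fragment.
  doc.username = '';
  doc.password = '';
  doc.hash = '';
  const fullUrl = doc.href;
  const originOnly = doc.origin + '/';
  const sameOrigin = doc.origin === target.origin;
  const downgrade = doc.protocol === 'https:' && target.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullUrl;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? fullUrl : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? fullUrl : originOnly;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullUrl;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullUrl;
      return downgrade ? null : originOnly;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample values: a shared link whose path holds the access token,
// and a third-party site hyperlinked from inside the shared document.
const SHARED_LINK = 'https://files.example/s/CONSTRUCTED-TOKEN/report.html';
const THIRD_PARTY = 'https://thirdparty.example/landing';

// True when the third party would receive the token in the Referer header.
function leaksSharedLink(policy) {
  const referrer = computeReferrer(SHARED_LINK, THIRD_PARTY, policy);
  return referrer !== null && referrer.includes('CONSTRUCTED-TOKEN');
}

console.log(['unsafe-url', 'origin', 'no-referrer'].map(leaksSharedLink));
```

A service that serves shared documents can send `Referrer-Policy: no-referrer` (or an origin-only policy) on those responses so that the full shared link never reaches the linked site.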