Tuesday, 6 May 2014

Dropbox and Box users warned of major link-sharing privacy flaw

Browser address bar with mouse cursor
Users of Dropbox and Box cloud services have been warned that generating links to share information with others can put sensitive data at risk through several basic flaws. Dropbox has already suspended this function while it rushes to fix the issue.
The flaws relate to links that users of the services can generate to share a document with a trusted source. The issues were uncovered by a rival of the two firms, Intralinks, during some research into a Google Adword campaign it was running.
During this work, Intralinks uncovered simple ways in which the links were easily accessible and allowed the documents that had supposedly only been shared between trusted sources, to be viewed by third parties.
The firm was able to access reams of sensitive data in this manner such as tax returns, bank records, mortgage applications, blueprints and business plans.
The flaw worked in two ways. Firstly, if the document contained a link within the text to a website, such as Intralinks, the referral data for that website would store the link of the document. This could then be clicked on, and the entire document would be visible.
Secondly, if a user put the link for the shared file in a search engine, rather than the URL bar, then the Google AdWords campaign Intralinks had running would gather this as a relevant search term, again making the document accessible.
John Landy, the chief security officer at Intralinks, wrote in a blog post that the flaw was a “disturbing privacy problem” and said web users should be wary of free storage services.
“To be clear, we gained access to files because users of file-sharing applications often aren’t taking simple precautions to safeguard their data. When used this way, all file sharing apps are potentially vulnerable,” he wrote.
“When using file-sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place."
In response to the issue, Dropbox said in a blog post that it has fixed the problem for any links now created, but that existing links shared in this manner have been disabled, which it acknowledged was not an ideal scenario.
"For all shared links created going forward, we’ve patched the vulnerability. For previously shared links to such documents, we’ve disabled access entirely until further notice," Dropbox said.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments."
V3 contacted Box for comment on the flaw, but had received no reply at the time of publication.
Intralinks' Landy said firms should make sure employees are fully trained on which services are safe for corporate use and how to keep data secure.

“The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured."
The cost of data breaches was revealed by government research to be as high as £1.15m per incident, as firms face numerous threats to their data.

No comments:

Post a Comment