Dropbox and Box Leaked Shared Private Files Through Google

Soulskill posted about 3 months ago | from the everything's-secure-until-it-isn't dept.

Cloud 92

judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue.

92 comments

To the cloud (3, Insightful)

Anonymous Coward | about 3 months ago | (#46936069)

...and this is why we should all be wary of cloud providers.

Re:To the URLbar! (1)

Anonymous Coward | about 3 months ago | (#46936137)

> ...and this is why we should all be wary of cloud providers.

And now we know why UX designers don't want to show the URL in Chrome anymore.

Re:To the URLbar! (5, Insightful)

immaterial (1520413) | about 3 months ago | (#46936219)

I've always hated the move toward "omnibar" search field/URL field combos for this very reason. Add in dynamic search suggesting and every damn thing many (if not most) of the people on the planet put in that field gets sent to Google. Anything Google does with the URL bar is solely for their own advantage. No thanks.

Re:To the URLbar! (1)

dysmal (3361085) | about 3 months ago | (#46936253)

I agree and thoroughly hate the whole "omnibar" trend that is happening with the browsers, but what alternative are you going to use once Google has successfully rolled out their "omnibar" crap? The Firefox camp is doing everything they can to fuck themselves over while trying to mimic Chrome. They'll roll out the same thing with FF ver 45 (in 6 weeks at the rate they're going). The only difference is that the FF version will be buggier than shit.

IE?

Re:To the URLbar! (2)

lgw (121541) | about 3 months ago | (#46937121)

Call me crazy, but I like IE (after I found adblock for it). The horror that is IE6 was long, long ago and you can turn off searching from the address bar. When I mis-type a URL (and anyone familiar with my posts knows I have about 1 typo per 5 words), it just sits there waiting for me to correct my typo - it doesn't send anything to anyone beyond the DNS server.
 

Re:To the URLbar! (1)

St.Creed (853824) | about 3 months ago | (#46938485)

I'm using IE at work, the version where there is no omnibar. I hate it. Every time I want a website I'm used to typing part of it the URL and hitting enter. With IE7 or 8 (not sure) I have to type in the whole URL correctly. Brrr...

Re:To the URLbar! (1)

Gr8Apes (679165) | about 3 months ago | (#46938671)

This is a history lookup, not a search result. No need to go outside your own browser, much less your own computer. For this reason I don't use chrome, and I turn off autosuggest on everything that can be turned off. I also don't use Chrome except for testing or to connect to Google. Frequently clearing all cookies helps as well.

Honestly, the omnibar setup may be the final stroke that blacklists all google addresses at my firewall. I've already been considering it and only having 1 machine proxy for google on intentional searches only. The price we pay for privacy and security.

Re:To the URLbar! (1)

parkinglot777 (2563877) | about 3 months ago | (#46940107)

Gr8Apes is correct. What you are talking about is a part of omnibar functionality but is NOT what TFA is talking about (local v. remote data access)...

Re:To the URLbar! (2)

AK Marc (707885) | about 3 months ago | (#46936599)

I've been using (and loving) the omnibar for 15 years. That someone did it wrong isn't a problem with the feature, but the implementation. Opera had it long ago, though possibly not in exactly the same manner as done today.

Re:To the URLbar! (1)

TheRaven64 (641858) | about 3 months ago | (#46937203)

Privacy issues aside, it's also a UI disaster. Previously, I could switch from URL mode to search mode by hitting tab. It became a reflex - create new tab, focus is in URL bar, hit tab, type search term. It took several months to unlearn that bit of muscle memory. And now, rather than a key press that takes a fraction of a second, I have to rely on some flakey NLP code to determine whether I want a search or a URL. A significant amount of the time, it decides that my search term is actually something that wants to be autocompleted to a previous URL that I've visited, so I end up going to a random site. Or it decides that a search term with a dot in it (try searching for command.com) is a domain name, doesn't find it, and then searches a load of similar things and delivers me to a different random page. I've now got into the habit of hitting space at the end of every search, so it now uses exactly the same amount of key strokes for me as the old design in the best case and is less reliable.

Re:To the URLbar! (1)

mcvos (645701) | about 3 months ago | (#46937583)

Quite often, when I type a local url without the protocol in front, Chrome assumes I want to google for it. It's very annoying. I'm all for separating the search box from the address box.

Re:To the URLbar! (1)

MoonlessNights (3526789) | about 3 months ago | (#46939301)

The confusing thing is why this is so popular, anyway. As far as I see it, it is nothing more than Clippy, the next generation.

Maybe people only disliked Clippy because it seemed like a distraction. I suppose the "omnibar" wouldn't be as popular if, every time it got focus, put up a large overlay box with the content: "It looks like you are trying to type a URL".

Alternatively, it means people _would_ have liked Clippy if it just started silently writing the letter for you or if it sent the letter to Microsoft so they could finish it for you.

The address bar and any kind of search bar are different things with _very_ different uses. I don't understand why I would ever want to conflate them. It makes no sense from a UI perspective and is an absolute disaster from a privacy perspective.

Re:To the URLbar! (0)

Anonymous Coward | about 3 months ago | (#46941033)

Omnibar is keeping me from using Chrome and Opera. I like Firefox's separate URL and search bars and I hope they stay separate.

If it is linked, it is public... (4, Informative)

mlts (1038732) | about 3 months ago | (#46936073)

I've used DB to allow a couple colleagues to download some reports as well as larger amounts of data. IMHO, if a link is generated, even if the link isn't public, someone or something will find it and have the ability to snarf that file.

The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.

This way, even if the link appears on Google and Mallory does get a copy, other than size and the public keys used [1], the file is encrypted and useless.

[1]: One can always put the file in a WinRAR wrapper and send the password via encrypted E-mail as well, further obfuscating the contents.

Re:If it is linked, it is public... (5, Insightful)

hawguy (1600213) | about 3 months ago | (#46936159)

>The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.

You have a much different definition of "simple" than most people. Few people (who are not techies) find transferring a file via GPG or TrueCrypt to be "simple". Even getting them to download the file from a cloud provider can be a chore "I clicked on the link but nothing happened! What do you mean I need to look in my Downloads folder?"

Re:If it is linked, it is public... (3, Insightful)

ko7 (1990064) | about 3 months ago | (#46936877)

When dealing with 'users' of the caliber that you describe, it really isn't possible to securely exchange data. Unfortunately, most 'users' can't be trusted not to have the file scraped off of their own box once they've received it. Without a minimal amount of computer knowledge and skills (which appears to be beyond the capabilities of most users), it just isn't possible to guarantee any security at all.

not 100% true... (1)

Anonymous Coward | about 3 months ago | (#46938877)

What about the various "dropbox encryptors" out there? SecretSync/Viivo, Boxcryptor, Cloudfogger? They all provide "easy" to use client side encryption for the file sync and share guys (like Box/Dropbox)

Some of them even support Dropbox Sharing (both DBX Shares and Public Links) with back-end key management.

Re:If it is linked, it is public... (1)

bickerdyke (670000) | about 3 months ago | (#46937079)

The actual trick for this specific problem is actually even simpler: Have everyone sign up to dropbox (or GoogleDrive or whatever) and eliminate the need for the lazy "give file to anyone who knows the URL"-"Security". That's what logins are for.

Re:If it is linked, it is public... (1)

St.Creed (853824) | about 3 months ago | (#46938507)

Yup. I find it an extremely rare occasion where I have to send a Dropbox link out. I only do that for semi-public files anyway, otherwise they can indeed get an encrypted file and good luck with it.

Re:If it is linked, it is public... (0)

Anonymous Coward | about 3 months ago | (#46938823)

I'll make it simpler than that. Fire up an archiver of choice, be it WinRAR, StuffIt Deluxe, Compact Pro, WinZIP, any archiving program that supports AES.

Make a large password. Diceware is a secure offline means, KeePass, if you don't mind trusting it, can generate a password using random keyboard/mouse input, etc. Encrypt the archive with that. Send the key via E-mail and stick the link on whatever box site you like.

End user just grabs the file, inputs the password, all is done.

To be fancy, the password can be split into parts, one piece texted (iMessage has yet to be broken), one piece sent to a work account, and one piece to a home account. That way, an attacker either has to hack all those channels, or hack the endpoint... and if the endpoint is hacked, you are hosed anyway.

Keyfiles are more secure (especially with the way TrueCrypt XORs them so there is no need to put them in any order), but for a novice user, WinRAR + a password is the time tested warez hound method.

Re:If it is linked, it is public... (2)

theqmann (716953) | about 3 months ago | (#46936171)

It seems like the "vulnerability" that the article is talking about only happens when a recipient of the dropbox file link copies that link address into a google search query. If the user just clicks the link like a normal person, there is no problem.

Re:If it is linked, it is public... (1)

CSMoran (1577071) | about 3 months ago | (#46937397)

> It seems like the "vulnerability" that the article is talking about only happens when a recipient of the dropbox file link copies that link address into a google search query. If the user just clicks the link like a normal person, there is no problem.

No, that's only half the problem. The other half is that if your shared document contains a link to, say, cnn.com and someone clicks this link straight from within the document, cnn.com can look at the referrer field and get the "secret" link to your document.
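The Referer behaviour described in the comment above, as an added example that is not part of the original thread: it models which Referer value a browser sends when a reader clicks an outbound link inside a shared document, and generalizes to the standard Referrer-Policy values (which the thread does not mention). The URLs are constructed samples, and "downgrade" is simplified to an https-to-non-https navigation.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample URLs (not real links).
SHARED_DOC = "https://files.example/s/CONSTRUCTED-TOKEN/statement.pdf"
OUTBOUND_LINK = "https://news.example/story"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _origin_tuple(url):
    """(scheme, host, port) with default ports filled in, for comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def _origin_only(url):
    """Referrer reduced to the origin: no path, query, fragment or userinfo."""
    scheme, host, port = _origin_tuple(url)
    hostport = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{hostport}/"


def _full_url(url):
    """Full referrer: path and query kept, fragment and userinfo stripped."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return _origin_only(url)[:-1] + (p.path or "/") + query


def referer_sent(policy, document_url, target_url):
    """Return the Referer header value sent to target_url, or None if omitted."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    same_origin = _origin_tuple(document_url) == _origin_tuple(target_url)
    # Simplification: only https -> non-https counts as a downgrade here.
    downgrade = (urlsplit(document_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    full, origin = _full_url(document_url), _origin_only(document_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def policies_that_leak(document_url, target_url):
    """Policies under which the share link's secret path reaches the target."""
    secret_path = urlsplit(document_url).path
    leaking = []
    for policy in POLICIES:
        value = referer_sent(policy, document_url, target_url)
        if value is not None and secret_path in value:
            leaking.append(policy)
    return sorted(leaking)


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:32} -> {referer_sent(policy, SHARED_DOC, OUTBOUND_LINK)}")
    print("leaks the share link:", policies_that_leak(SHARED_DOC, OUTBOUND_LINK))
```
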

never underestimate... (0)

Anonymous Coward | about 3 months ago | (#46937425)

I know of at least one person who goes to their browser's home page (e.g. www.google.com) and types www.facebook.com in the search box to go to facebook....

Re:never underestimate... (1)

flyingfsck (986395) | about 3 months ago | (#46939905)

well, that is exactly what a combo URL search bar does anyway.

Re:If it is linked, it is public... (1)

ArsenneLupin (766289) | about 3 months ago | (#46937969)

> If the user just clicks the link like a normal person, there is no problem.

This is also assuming that the user uses a "normal" mail program where you can actually just click on the link. Apparently, this is not necessarily possible in some of the Microsoft offerings.

Also, if the link is too long, the mail program may break it in 2, and not consider the whole thing to be the same link.

Re:If it is linked, it is public... (2)

blueg3 (192743) | about 3 months ago | (#46936405)

More simple, though "differently convenient", is to use the Dropbox sharing feature. The one where you share to individual users rather than making a public link. I thought the Dropbox application was pretty clear about the fact that the links were fundamentally public (though I'm in security, so I read things differently). The user-based sharing is less convenient, in that it requires some degree of "registration" with Dropbox to use it, but it has actual access controls.

If there's a "shared link" to the data, as you say, you should treat it as public. This is classic "security through obscurity" -- the only thing restricting access is that people don't happen to know the URL, but URLs turn out to be quite discoverable.

Re:If it is linked, it is public... (1)

gl4ss (559668) | about 3 months ago | (#46936481)

somehow the story is made about to be dropbox/box leaking files when the actual story is browsers leaking urls...

Re:If it is linked, it is public... (3, Informative)

blueg3 (192743) | about 3 months ago | (#46936557)

They do that by design. Referer is part of the spec. URLs -- or GET requests in general -- should not contain any private data. It's even CWE-598 [mitre.org] .

Re:If it is linked, it is public... (1)

blackest_k (761565) | about 3 months ago | (#46937821)

Actually it seems the real story is that dropbox has now disabled these links.
The link in the summary is full of people who used dropbox to share content with customers who now get a 404 or 403 instead.

It's understandable that they use dropbox this way, e.g new promotional leaflet on garage doors upload it to dropbox and share the link, simple anyone can do it.

Alternative options could be run a website with a cms system, require everyone to learn how to use it, make users create an account so they can access the content. not to mention you need a more powerful server to serve that content to more than a handful of people.
A lot of content management systems incorporate dropbox or similar to serve relatively large files so the server isn't being stressed with serving that content.

This fix has just created a major problem for a lot of organisations. A lot of files are not really private information just easier to serve with a simple system like dropbox, well it was till this 'fix' happened.

     

Re:If it is linked, it is public... (4, Interesting)

amxcoder (1466081) | about 3 months ago | (#46936733)

Yes, dropbox used to mention this in the documentation (don't know if they still do), but if you put it in your public folder, it is public. I believe they used to say that it was even accessible without a link, if someone knew (or guessed) the specific folder+filename. One reason why I keep everything inside subject folders (within the public area) and not just plopped into the public folder en masse, as it makes it harder to guess as you would have to guess the folder-name as well.

On another note, another thing I do when I send a document (like applications or forms with personal data on them), is I upload the file to a custom folder, then send the link to the recipient with the specific instructions that they let me know once they've downloaded it, so I can delete it off dropbox. That way, in most cases, it's only available for a few minutes to maybe a couple hours at most, and if anyone happens to intercept the URL, the chances of the file still being there are slim, as it's deleted as soon as the intended recipient gets it. The only way it can be stolen, is if someone intercepts the email AND tries to download the file faster than the recipient does. While it's not fool proof, it's not a bad idea completely. Surely it's better than attaching the file to an email that gets passed through several servers along the way and copies are kept at each of those points.

I have to say though, in most cases, when someone sends me a file, I despise when they want to do a "share" rather than send me a download URL. The share semi-permanently links my account to theirs at that point, and takes up space on my allotment of space. Just send me a download link.

Re:If it is linked, it is public... (1)

geirlk (171706) | about 3 months ago | (#46937379)

> I have to say though, in most cases, when someone sends me a file, I despise when they want to do a "share" rather than send me a download URL. The share semi-permanently links my account to theirs at that point, and takes up space on my allotment of space. Just send me a download link.

Must say I share that sentiment when it comes to sharing within Dropbox. When 1 person shares 1 file with, say 5 persons, that 1 file is weighted against all 5 persons quotas, thereby "stealing" allotted space. I find that kinda morally dubious at best, as people pay for their quotas.

Re:If it is linked, it is public... (1)

St.Creed (853824) | about 3 months ago | (#46938525)

The upside of it is that you can also delete the file, thereby reclaiming all that nice space! :)

Re:If it is linked, it is public... (1)

jeffmeden (135043) | about 3 months ago | (#46940435)

> Yes, dropbox used to mention this in the documentation (don't know if they still do), but if you put it in your public folder, it is public. I believe they used to say that it was even accessible without a link, if someone knew (or guessed) the specific folder+filename. One reason why I keep everything inside subject folders (within the public area) and not just plopped into the public folder en masse, as it makes it harder to guess as you would have to guess the folder-name as well.
>
> On another note, another thing I do when I send a document (like applications or forms with personal data on them), is I upload the file to a custom folder, then send the link to the recipient with the specific instructions that they let me know once they've downloaded it, so I can delete it off dropbox. That way, in most cases, it's only available for a few minutes to maybe a couple hours at most, and if anyone happens to intercept the URL, the chances of the file still being there are slim, as it's deleted as soon as the intended recipient gets it. The only way it can be stolen, is if someone intercepts the email AND tries to download the file faster than the recipient does. While it's not fool proof, it's not a bad idea completely. Surely it's better than attaching the file to an email that gets passed through several servers along the way and copies are kept at each of those points.

For actual documents that can be PDFed the password based encryption function (set to aes128 or better, with a long password) is highly effective. You just need a pre-agreed password, or simply give the recipient a phone call and deliver the password verbally. For information that can't be PDFed, sadly there isn't anything as standard as PDF so obfuscation techniques may be the most effective approach.

Re:If it is linked, it is public... (0)

Anonymous Coward | about 3 months ago | (#46937353)

> I've used DB to allow a couple colleagues to download some reports as well as larger amounts of data. IMHO, if a link is generated, even if the link isn't public, someone or something will find it and have the ability to snarf that file.
>
> The trick is simple -- if the files are small, but too big to E-mail, PGP/gpg encrypt them, then send the links via a secure message. If the files are bigger (~50-100 megs or larger), then the file goes into a TrueCrypt volume that uses a keyfile, and the keyfile is GPG encrypted and E-mailed.
>
> This way, even if the link appears on Google and Mallory does get a copy, other than size and the public keys used [1], the file is encrypted and useless.
>
> [1]: One can always put the file in a WinRAR wrapper and send the password via encrypted E-mail as well, further obfuscating the contents.

An easier solution is to use one of the DropBox alternatives that let you limit access also to public links by a number of different mechanisms: Password it, set a max number of downloads and it becomes inaccessible after that, set a max number of days it will be available and then the link automatically expires, notifies you when the file is accessed.

Re:If it is linked, it is public... (0)

Anonymous Coward | about 3 months ago | (#46937439)

> IMHO [...]

IMO... why be "humble" about one's own opinions? Surely we have good, considered reasons for holding them — so own 'em with pride. If "IMO" seems too brash, I propose "IMCO" (considered), or "IMWRO"/"IMRO" ((well-) reasoned).

Carry on...

Re:If it is linked, it is public... (1)

geirlk (171706) | about 3 months ago | (#46938141)

> > IMHO [...]
>
> IMO... why be "humble" about one's own opinions? Surely we have good, considered reasons for holding them — so own 'em with pride. If "IMO" seems too brash, I propose "IMCO" (considered), or "IMWRO"/"IMRO" ((well-) reasoned).

It's an initialism with more than one meaning. It could also mean "Honest".

IJWTHAOT - I Just Wanted To Have An Opinion Too.

> Carry on...

I'm hauling along.

Easy solution? (0)

Anonymous Coward | about 3 months ago | (#46937651)

From the blog a user suggested:

"Wow. There was actually a very simple fix !

Change dbx links so that instead of directly serving the document, they generate a short lived token valid only for the client that accessed the link, then redirect to an URL using that token. Only serve documents from URLs containing a valid token.

This way third parties would only get referrer URLs they cannot use."

https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/
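One way to implement the token-and-redirect scheme quoted in the comment above, as an added example that is not Dropbox's code or part of the original thread. The key, the 60-second lifetime, the `/content/` path and the use of a per-browser session id as the "client" binding are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the page): a server-side secret, a 60-second token
# lifetime, and a per-browser session id (e.g. from a cookie) as the client.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 60


def _sign(doc_id, client_id, expires):
    """HMAC over document, client and expiry; changing any one invalidates it."""
    msg = f"{doc_id}|{client_id}|{expires}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def redirect_from_share_link(doc_id, client_id, now=None):
    """Step 1: the long-lived share link never serves the document itself.

    It returns the Location of a redirect to a content URL that carries a
    short-lived token bound to the requesting client.
    """
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    token = _sign(doc_id, client_id, expires)
    return f"/content/{doc_id}?exp={expires}&tok={token}"


def serve_content(url, client_id, now=None):
    """Step 2: serve only if the token is unexpired and matches this client.

    Returns (http_status, message).
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if not parts.path.startswith("/content/"):
        return 404, "not a content URL"
    doc_id = parts.path[len("/content/"):]
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        token = params["tok"][0]
    except (KeyError, ValueError):
        return 403, "missing or malformed token"
    if now > expires:
        return 403, "token expired"
    expected = _sign(doc_id, client_id, expires)
    # Constant-time comparison of the presented and expected MACs.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "token not valid for this client or document"
    return 200, f"contents of {doc_id}"


if __name__ == "__main__":
    # The recipient opens the share link; outbound clicks from the document
    # then carry only this tokenized content URL as their Referer.
    content_url = redirect_from_share_link("doc123", "session-A", now=1000)
    print(serve_content(content_url, "session-A", now=1010))  # recipient
    print(serve_content(content_url, "session-B", now=1010))  # third party
    print(serve_content(content_url, "session-A", now=1061))  # after expiry
```
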

Re:Easy solution? (0)

Anonymous Coward | about 3 months ago | (#46941717)

Or just let the user put a password on the shared link. Send the link and the password to that file to anyone that you want to access it.

Re:If it is linked, it is public... (0)

Anonymous Coward | about 3 months ago | (#46939097)

it works with images too.. say on G+ or facebook. Someone can share an image with you, set it to private, etc so only *you* can see it. In the end it's pointless as you can just right click -> open image in new tab (or the similar feature of your browser) and copy the URL generated at the top (sometimes ending in the image file extension or just a random looking URL), paste it to someone it ISN'T shared with or shouldn't see it and.. bang. There's the image.

Financial Natural Selection (2)

StormReaver (59959) | about 3 months ago | (#46936091)

This will work itself out. Those people stupid enough to put important data on other people's servers, where they have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:

1) Learn their lesson the hard way.

2) Not have enough money left to pay to host their data on other people's money siphon.

3) No longer have a need to host anything anywhere.

Re:Financial Natural Selection (0)

Anonymous Coward | about 3 months ago | (#46936135)

It may work itself out, but the question is: how much collateral damage will there be?

Re:Financial Natural Selection (1)

Anonymous Coward | about 3 months ago | (#46936213)

> Those people stupid enough to put important data on other people's servers, where they have no control over who sees them

Right, I forgot, any people that aren't fully versed in how technology works are "stupid". For the lay person operating the Dropbox desktop or phone client, it gives the impression that only you, and people you share a link with, can see your document. It isn't well explained that the document can be seen by *anyone* in possession of the URL, not necessarily only those you explicitly gave it to. If we ever want to improve security culture among non-computer-people, the view can't be that they're "stupid".

Re:Financial Natural Selection (0)

Anonymous Coward | about 3 months ago | (#46936301)

The responsibility for learning how something works falls on the person choosing to operate it. If you don't understand it, don't use it. It's not like dropbox is the only way to share files.

Keep in mind - this isn't a case of dropbox broadcasting files behind the scenes. A user is effectively sharing their links with people they don't intend to and then acting surprised when those other people have access to their files.

That's like me leaving out a box of jewelry on my front lawn with a note saying that only Alice should take it and then getting upset when it's gone and Alice tells me that she didn't get it

Re:Financial Natural Selection (2)

ArsenneLupin (766289) | about 3 months ago | (#46937989)

> That's like me leaving out a box of jewelry on my front lawn with a note saying that only Alice should take it and then getting upset when it's gone and Alice tells me that she didn't get it

It's more like you're hiding the box in a good hiding place ("under the huge rock at the end of Elm's street"), telling Alice about the place. But then Alice naively asks Mallory "do you know how to get to Elm's street, you know the one with the huge rock at the end?", and then everybody acts astonished when Mallory beat Alice to the chase...

Re:Financial Natural Selection (1)

hink (89192) | about 3 months ago | (#46938969)

In the perfect world where you only use systems you understand, the provider of the system is completely forthcoming with telling you how it works, including the limitations and things it can't do. (I suppose Richard Stallman would be the king in that world)

In the real world, sales and PR departments will shriek like banshees on a moonless night if you use the word "limitation" when describing your system.

By the way, do you understand how your city water and sewer systems work? I mean, REALLY understand it?

Thats not fair to those users (3)

Camael (1048726) | about 3 months ago | (#46936323)

> Those people stupid enough to put important data on other people's servers, where they have no control over who sees them and now, after being warned time and time again that this very thing is inevitable, will find themselves devoid of a bank account eventually. At that point, they will:
>
> 1) Learn their lesson the hard way.

Calling them stupid is not fair, I think. A majority of the older generation, especially those in their 60s or 70s are only just dipping their toes into using things like smartphones, iPads, emails, a little Facebook, Skype and maybe services like Dbox or Box to "keep their pictures". They did not grow up being exposed to personal computers or smart devices. They also grew up in a time when it was more common to trust authority figures. So now, they are bombarded by ads etc from M$, Apple and Google saying their services are safe- why would they not trust them?

Your comment about "being warned time and time again that this very thing is inevitable" is specious. Certainly, if you are a techie or geek, you would see and take note of these warnings from the tech sites that you visit. The average Joe would not see it, and even if he did would not understand.

You speak as someone who never had to guide an older family member/relative in how to use smart devices.

Re:Thats not fair to those users (1)

ArsenneLupin (766289) | about 3 months ago | (#46938005)

> Calling them stupid is not fair, I think. A majority of the older generation,

Actually, the older generation are not the worst offenders. They are often surprisingly mature as far as risks in technology go.

The worst offenders are actually the facebook generation, who are so accustomed that they need to completely open up their browsers to play a game that they won't give any second thought if a malware site asks them to do the same.

Re:Thats not fair to those users (1)

StormReaver (59959) | about 3 months ago | (#46938353)

> You speak as someone who never had to guide an older family member/relative in how to use smart devices.

I have guided my fair share of older people through technology, but I wasn't thinking of them when I called people stupid. You're right that it makes a difference, so I shouldn't be so judgemental. I was thinking of the tech types who still think that it's safe putting important data on some stranger's Internet-connected server, unable to see the inevitable consequences of doing so.

> A majority of the older generation, especially those in their 60s or 70s....

Thank you for the perspective check, though. I'll keep older people in mind when I'm raging against stupendously bad choices.

Re:Thats not fair to those users (1)

St.Creed (853824) | about 3 months ago | (#46938579)

There's a difference between important data and confidential data. The data gathered by the LHC at CERN is pretty important, but it'd be hard to classify as "confidential". Unless they really accidentally created a black hole somewhere :)

If you know what you do, you can store everything in Dropbox, no problem. If you don't understand the consequences, steer clear. Pretty much the same advice given by Warren Buffett about shares, I think. It applies to a lot of stuff :)
 

Re:Thats not fair to those users (0)

Anonymous Coward | about 3 months ago | (#46940121)

yet those same seniors are the only ones that have the damn time to actually learn to use these tools and services in a productive and unconventional manner.

Hell I've got several seniors that do far more stuff online than I do and have fewer problems because they actually understand that computers are full of magic smoke and ask me before doing something totally stupid. Keep in mind that most of them were already grown when the first computers became available and required enough people to send a manned mission to the moon.

Already 'Solved' By Torrent Sites (0)

Anonymous Coward | about 3 months ago | (#46936095)

Any good private torrent site redirects you to a specific page before forwarding you to a 3rd party link. This doesn't mask that you're using the site, but it does mask where you were on the site. I like the security feature, though it will get really annoying if every site started doing this.

Google (1)

Anonymous Coward | about 3 months ago | (#46936113)

Google should've put a filter to stop advertisers from seeing searched URLs that are obviously private (e.g. containing unique tokens like session IDs, order IDs, access of otherwise "hidden" files, etc). It's not necessarily good practice to send some of this info as a GET parameter, but the fact is that it's a very common thing.

Most browsers will default the address bar to search if the input isn't a valid URL -- so all typoed URLs have probably been leaked to unknown 3rd parties too.

Re:Google (1)

jrumney (197329) | about 3 months ago | (#46936485)

Agree - this is a Google problem, not a Dropbox problem. Google should not start indexing data deep within a site just because a user once tried to search for a URL.

Re:Google (1)

drinkypoo (153816) | about 3 months ago | (#46936681)

Google should not start indexing data deep within a site just because a user once tried to search for a URL

And it won't, if you know how to use your robots.txt.

Re:Google (1)

sahuxley (2617397) | about 3 months ago | (#46936611)

Google has no interest in omitting data collection to mitigate other sites' security flaws.

Re:Google (1)

omnichad (1198475) | about 3 months ago | (#46943645)

That's up to the web site creator. Robots.txt is what determines whether a URL is truly private.

Not technically a leak (5, Informative)

Todd Knarr (15451) | about 3 months ago | (#46936121)

Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.

A document isn't private unless it requires at least some kind of authentication to access it, eg. setting up HTTP authentication, or using a system like Google Drive uses where you have to be logged in on your Google account to see documents shared with you.

Re:Not technically a leak (1)

jopsen (885607) | about 3 months ago | (#46936243)

Technically they didn't leak private files, because the files weren't ever private. They were public with the URLs not published in an index anywhere, so you had to know the URL to access them.

Yeah, but this is quite useful... I suspect the solution though is to do a redirect from the static access-url to a temporary content-url.
I do, however, still fear that history would leak... Maybe two redirects would do the trick, as the content wouldn't be able to see the static access-url.

Sure, authentication is nice... but sending non-published URLs is really nice.

Re:Not technically a leak (1)

jrumney (197329) | about 3 months ago | (#46936495)

Redirects won't work at all. The static access URL is the one that users are entering into the search box (because the browser hides the URL box, or puts them alongside each other and the user doesn't really know which is which), and is the one that falls into advertisers' hands. Any redirects that happen after the static URL are going to happen whether the user is the legitimate user, or someone else who got that static URL from a log file.

Re:Not technically a leak (1)

aXis100 (690904) | about 3 months ago | (#46936249)

Yeah, that's how I saw it too.

Dropbox and Box should be quite embarrassed by this, it's shamefully lazy design in a world where online security matters.

Re:Not technically a leak (1)

blueg3 (192743) | about 3 months ago | (#46936419)

It's an extremely common design, and they also implement the other major alternative -- sharing with individuals that use per-user authentication. You can share Dropbox files either way (or both ways at once).

Re:Not technically a leak (1)

gl4ss (559668) | about 3 months ago | (#46936489)

but the users deliberately wanted to just share an url and not share between specific dropbox users. the real problem is the mechanism that got the urls to be indexed by google. which is entirely due to browser design and affects any url.

Re:Not technically a leak (2)

buchner.johannes (1139593) | about 3 months ago | (#46936347)

They were public with the URLs not published in an index anywhere, so you had to know the URL to access them. Dropbox and Box simply forgot that those URLs would appear in HTTP Referer headers, exposing them in the logs of any site linked to from within those "private" documents. Security by obscurity... isn't.

No, you buy AdSense words, and it delivers matching URLs entered into Google -- then you grab the data there. Anyone can set up a data-collection like that.

There is no conceptual difference between entering a password and a secret URL. It is not security by obscurity, it is security by "something you know". Once someone else knows, it's not secure anymore.

The difference to passwords entered into other sites or Google is that it may not be immediately clear on what site to use the password, and with which user name.

Re:Not technically a leak (2)

Mask (87752) | about 3 months ago | (#46937043)

A document can still be shared, via URL and still be private as follows:

As a dropbox user I want to share a file with you, but you are not a registered user. Dropbox generates and sends you a URL. Once you open the URL from a browser you get a cookie and the URL is no longer valid without this cookie. After this, no one but you can use the URL.

Disadvantage: you can open it only from a specific browser on a specific machine.
Solution: If you open the URL from a different browser you get the option to get a new URL (to the original mail-box).

Not perfectly secure if someone (e.g. NSA) reads your mail, but good enough.

Sounds quite simple and reasonably secure to me.

I should have patented this great "invention". Clearly it is not trivial which is "proven" by the fact that dropbox did not implement it.
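A sketch of the first-use cookie binding proposed in the comment above, as an added example that is not part of the original thread and not Dropbox's code. The `ShareLinks` class, its method names, the `files.example.com` host and the in-memory `outbox` standing in for e-mail delivery are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(value):
    # Store only a hash of the cookie, so a leaked link table cannot be replayed.
    return hashlib.sha256(value.encode()).hexdigest()


class ShareLinks:
    """Hypothetical share-link store: a URL binds to the first browser that opens it."""

    def __init__(self):
        self._links = {}   # token -> {"file", "email", "cookie_hash"}
        self.outbox = []   # constructed stand-in for mail: (recipient, url)

    def create(self, file_id, recipient_email):
        token = secrets.token_urlsafe(32)
        self._links[token] = {"file": file_id, "email": recipient_email,
                              "cookie_hash": None}
        self.outbox.append((recipient_email,
                            f"https://files.example.com/s/{token}"))
        return token

    def open(self, token, cookie=None):
        """Return (status, file_id, cookie_to_set)."""
        link = self._links.get(token)
        if link is None:
            return ("not_found", None, None)
        if link["cookie_hash"] is None:
            # First visit: mint a cookie and bind the URL to it. A real response
            # would set it with the Secure and HttpOnly attributes.
            new_cookie = secrets.token_urlsafe(32)
            link["cookie_hash"] = _digest(new_cookie)
            return ("ok", link["file"], new_cookie)
        if cookie is not None and hmac.compare_digest(_digest(cookie),
                                                      link["cookie_hash"]):
            return ("ok", link["file"], None)
        # URL alone (from a log, a Referer or a search box) is no longer enough.
        return ("reissue_offered", None, None)

    def reissue(self, token):
        """Mail a fresh link to the original mailbox only, never to the requester."""
        link = self._links.get(token)
        if link is None:
            return None
        return self.create(link["file"], link["email"])


if __name__ == "__main__":
    links = ShareLinks()
    t = links.create("statement.pdf", "recipient@example.org")
    status, file_id, cookie = links.open(t)          # recipient's browser
    print(status, file_id)
    print(links.open(t)[0])                          # someone with only the URL
    print(links.open(t, cookie)[0])                  # recipient again
```

The binding goes to whoever opens the link first, so an automated fetch of the URL before the recipient clicks it would consume it; the reissue path is what lets the real recipient recover through the original mailbox.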

Re:Not technically a leak (1)

MoonlessNights (3526789) | about 3 months ago | (#46939363)

Actually, a document isn't private unless you physically own it (hence, no "cloud" anything) and control the access to it (private links, self-destructing links, HTTP sessions, etc). Relying on an external walled garden means that you gave them ownership (either legally, or physically).

As bandwidth increases, owning a link which resolves a piece of information will become increasingly equivalent to owning that information.

Re:Not technically a leak (1)

swillden (191260) | about 3 months ago | (#46939647)

Actually, a document isn't private unless you physically own it (hence, no "cloud" anything) and control the access to it (private links, self-destructing links, HTTP sessions, etc). Relying on an external walled garden means that you gave them ownership (either legally, or physically).

All of which is irrelevant to the vast majority of people, who can reasonably assume that the cloud provider is more interested in their business than in stealing their content.

To most, security here means "the people I want to give this to can see it, other people can't". The fact that some cloud server must have access to it, and that an employee of the company operating the cloud could get in there and see it doesn't matter, since it's reasonable to assume that a reputable cloud service provider has policies and procedures in place to detect and deter such abuse, and because it's in the interest of the provider to keep the data secure.

From an information-theoretic perspective, cloud security is a joke. From a practical perspective, it works pretty well and has for a very long time, well before computers were invented (storing sensitive data with trusted third parties is not new).

Re:Not technically a leak (1)

CauseBy (3029989) | about 3 months ago | (#46941671)

I totally agree. This is the opposite of a leak. This is called "sharing". If you don't want your private documents put on the internet then don't put your private documents on the internet. If you don't want Google to know about your secret links then don't tell Google about your secret links.

I'm having a hard time figuring out how this got onto Slashdot... oh, Soulskill, well that explains it.

Re:Not technically a leak (1)

omnichad (1198475) | about 3 months ago | (#46943673)

Neither Dropbox nor Box are going to accidentally publish their HTTP server's logs publicly.

It is up to them whether to put up a Robots.txt file to determine this. Both even have one- but it doesn't include shared private files:

Common Sense (0)

Anonymous Coward | about 3 months ago | (#46936167)

Common sense dictates that *if* you value your data in the slightest, you alone have access and control. Short of this, you've lost the battle before it has begun. This is a hard truth in light of all the "cool" services in the so-called "cloud". If you want a cloud backup, do a colo server you own that is encrypted. Have at least four copies of your data. One working copy, an encrypted at-hand copy, and two off-site encrypted copies. Perhaps even a fifth copy in a safety deposit box that you update twice a year. Short of this, you don't own your data.

Captcha: clouds

Common Stupidity is more like it. (1)

Camael (1048726) | about 3 months ago | (#46936365)

Common sense dictates that *if* you value your money in the slightest, you alone have access and control. Short of this, you've lost the battle before it has begun.

Do you use bank services? Credit cards? Money transfer services? Paypal? Square? Bitcoins?

Ok maybe your argument is that data and money are not the same. Let's restrict the argument to data alone. A policeman asks you for your driving licence. Your bank asks you for your transaction number. The online vendor you are trying to buy goods from asks for your credit card number. Are you going to refuse?

It is not remotely possible to make sure that "you alone have access and control" to your own data. At some point, you will have to share it with someone else, and therefore run the risk it may be exposed.

Dropbox leak? (1)

SeaFox (739806) | about 3 months ago | (#46936247)

People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents.

This sounds more like an ID10-T problem to me. If the user wants the links kept quiet they need to make sure not to type them in public places or link them in files they give others.

Re:Dropbox leak? (1)

blueg3 (192743) | about 3 months ago | (#46936433)

In the latter case, they're actually talking about you (party A) sharing a file that contains links. That file is shared to party B, who clicks on one of the links. The target of the link is a website, party C. The URL to the shared file is exposed to party C via the Referer header, which contains the URL to the shared file.

This exposure is non-obvious even to technical people, but it's commonplace. Paths get leaked all over the place, so information in paths absolutely must not be considered secure. For instance, TrueCrypt volumes (residing on non-encrypted systems) tend to leak paths to lots of their contents, via operating system features, to unencrypted space.
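The party A/B/C exposure described in the comment above depends on which `Referrer-Policy` applies to the page showing the shared file. The following added example (not part of the original thread) computes the Referer a browser would send under each standard policy value; the URLs are constructed placeholders and the downgrade check is simplified to https versus non-https.

```python
from urllib.parse import urlsplit

# Constructed sample URLs; the token and hosts are placeholders, not real links.
SHARE_URL = "https://files.example.com/s/4f9c2a7e1b/statement.pdf?dl=0"
LINK_IN_DOC = "https://ads.example.net/landing"


def _host(parts):
    # Credentials (user:pass@) are never sent in a Referer.
    return parts.netloc.rsplit("@", 1)[-1]


def _origin(parts):
    return f"{parts.scheme}://{_host(parts)}/"


def _full(parts):
    # Full referrer: scheme, host, path and query; the fragment is dropped.
    url = f"{parts.scheme}://{_host(parts)}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")


def referer_sent(document_url, target_url, policy):
    """Return the Referer value sent to target_url, or None if none is sent."""
    src, dst = urlsplit(document_url), urlsplit(target_url)
    same_origin = (src.scheme, _host(src)) == (dst.scheme, _host(dst))
    # Simplification: "downgrade" means an https page linking to a non-https target.
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full, origin = _full(src), _origin(src)
    table = {
        "no-referrer": None,
        # Long-standing browser default before strict-origin-when-cross-origin.
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin":
            full if same_origin else (None if downgrade else origin),
        "unsafe-url": full,
    }
    if policy not in table:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    return table[policy]


def exposes_share_link(policy, document_url=SHARE_URL, target_url=LINK_IN_DOC):
    """True if party C's logs would contain the secret path of the shared file."""
    sent = referer_sent(document_url, target_url, policy)
    secret_path = urlsplit(document_url).path
    return sent is not None and secret_path in sent


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade", "origin",
                   "strict-origin-when-cross-origin", "same-origin",
                   "no-referrer"):
        print(f"{policy:34} exposes link: {exposes_share_link(policy)}")
```

A restrictive policy only closes the Referer path; a share URL pasted into a search box is unaffected by it.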

Issue is being resolved (1)

zisel (3561213) | about 3 months ago | (#46936393)

When Dropbox wrote a blog post regarding that issue, it simply means that they took action to fix that issue. So why make that issue a big deal to the public?

Encryption (2)

NitroWolf (72977) | about 3 months ago | (#46936461)

A more important question is why are you using a cloud provider without using encryption? No one should be storing any sort of sensitive file on a cloud service without first encrypting it. I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing... anything. Use something to protect yourself instead of giving unfettered access to the cloud provider and their (lack of) security.

They have little reason to protect you.

Re:Encryption (1)

pla (258480) | about 3 months ago | (#46937747)

No one should be storing any sort of sensitive file on a cloud service without first encrypting it.

Came in here to say exactly this.

Whether or not you trust Joe Sixpack with your files, why the hell do you trust DropBox themselves? Corporate America has proven to us, over and over and over, that they'll sell us out to the highest bidding government in a frickin' heartbeat. Encrypt, encrypt, encrypt!


I use Boxcryptor on all of my cloud services... Truecrypt also works well for that sort of thing.

Personally, I just use 7zip with a password and AES encryption. It doesn't necessarily have to thwart a direct attack by the NSA, just keep out Joe Sixpack, Google, and nosey Dropbox employees casually looking for homemade porn.

Re:Encryption (0)

Anonymous Coward | about 3 months ago | (#46938873)

There are different levels of "sensitive".

DropBox unencrypted is actually a pretty reasonable place to store personal tax returns, in my opinion. Sure, the NSA or the FBI could get those files without searching your house, but you already sent them to the IRS so the NSA or FBI can just ask the IRS for the information. The trouble arose here because people were sharing their tax-returns with others, or putting entire items from their history into a search engine. (I don't see how a scanned picture of a tax-return could have an embedded link to Google ... perhaps it was in a zip file, and another document in the zip file had such a link?)

Re:Encryption (0)

Anonymous Coward | about 3 months ago | (#46937885)

When clouds allow PARTIAL file uploading then sure, we can use TrueCrypt volume container files. Using GnuPG on files that get updated frequently is a strain on the workflow. Yes it is a workflow issue.

Unfortunately all this can be solved by using TrueCrypt volume containers, but this requires supporting partial file uploading due to bandwidth usage and thus time.

This is why you don't use external clouds.. (1)

Anonymous Coward | about 3 months ago | (#46936529)

Box and Dropbox are forbidden where I work, as they host data on external servers. Company data should be stored on company servers.

Re:This is why you don't use external clouds.. (1)

AK Marc (707885) | about 3 months ago | (#46936609)

They are forbidden where I am too. Putting SOX or customer data on them is not just frowned upon, but illegal (and no, not SOX data, but data that falls under SOX rules).

Re:This is why you don't use external clouds.. (1)

FearTheDonut (2665569) | about 3 months ago | (#46940491)

Why is storing SOX or customer data r/t SOX on Box or DropBox illegal? Is it an auditing / Access Control issue? Or is it the fact that it's merely kept on an owned server?

Re:This is why you don't use external clouds.. (1)

AK Marc (707885) | about 3 months ago | (#46943083)

Illegally sending sensitive insider information that could affect stock price to a 3rd party is considered illegal. That you "trust them not to tell" doesn't change that.

Privacy laws prevent sharing of customer data with 3rd parties without explicit permission, and we have explicit permission for billing and collections only, as far as I know. So customer data is out.

So any publicly traded company is likely breaking the law if they use dropbox for anything not cleared for public distribution.

This is truly shocking (0)

Anonymous Coward | about 3 months ago | (#46936643)

This is truly shocking, NOT!

It's the damn referer (0)

Anonymous Coward | about 3 months ago | (#46936813)

I've always disabled the HTTP referer, because it's a damn spy tool to begin with.

Sleep well, citizens! (1)

Guppy06 (410832) | about 3 months ago | (#46937051)

Condi is on the job!

My tap leaks every time I turn the knob. (2)

crioca (1394491) | about 3 months ago | (#46937149)

Drop/Box gave these users the option to make these files publicly accessible, they chose to make them publicly accessible, which made them publicly accessible. THE HORROR!

How is this getting reported? Is this some kind of weird post Heartbleed security reporting bandwagon? /. editors, this is a wood league effort, step it up please.

Open source alternative... (0)

Anonymous Coward | about 3 months ago | (#46937323)

www.syncthing.net is nice.

Also every 'share this link' button does this (0)

Anonymous Coward | about 3 months ago | (#46937383)

Not forgetting that every time you use one of those 'share this link' or 'send link' from an app or website button the third-party link-sharing service adds it to their index - and most also do a test GET request to verify that the link works.

Dropbox makes a minor problem 100x worse (0)

Anonymous Coward | about 3 months ago | (#46937575)

Dropbox claim to have fixed this problem, but they haven't; they’ve made an obscure problem into a far worse one for any of their users that rely on distributing stable links to files. All those links are now broken, and recreating the links (which gives a new URL) doesn’t fix the problem of all the emails or other documents that we’ve got out there with links that are now 404. Good move, Dropbox: break one of the core features of your service just as many of us are thinking of moving because of their appointment of Condoleezza Rice (prominent supporter of warrantless wiretaps) to their board. Only thing keeping us there was the quality of their service; that’s now been blown.

end-to-end encryption (0)

Anonymous Coward | about 3 months ago | (#46937813)

I prefer private file-sharing clouds, because you have the full control of your data.
Check out arXshare [arxshare.com] as an alternative.
It is much more lightweight than others, and does end-to-end encryption.

Customer Error (1)

1080bogus (1015303) | about 3 months ago | (#46939249)

Someone typed a full, unsecured, web link into a search and Google AdWords reported it to the advertiser. I don't believe this would be considered a security issue or flaw with any cloud provider. This is customer error, not securing sensitive information with a password or permissions. If anything, it'd be a flaw with Google AdWords reporting the full search terms, but even that is stretching it.

A Non Issue - FUD From a Competitor (1)

entrigant (233266) | about 3 months ago | (#46940133)

The "cloud" hate is strong here so I suppose I shouldn't be surprised that nobody has mentioned this yet, but this is quite simply a non issue. Box and Dropbox allow you to share files publicly, but it is not the default. While each have had genuine security issues in the past, this is not one. This is simple, common user ignorance. Both services have proper and secure sharing methods to share documents with other users of the service that require authentication on both ends.

What happens is:

- User clicks "Share dropbox link" from the context menu OR user places file into a pre-configured public folder
- User gives link to recipient
- Recipient enters it into a browser with one of those horrible combo search/url bars
- Link is indexed by the search engine

The important thing to remember is that that link does not exist before the user selects that action. These links also expire, and there is also an "Unshare" explicit action.

Doesn't affect me (0)

Anonymous Coward | about 3 months ago | (#46954753)

Everything I've ever linked anyone from dropbox was in a 'public' folder.
I'm okay with everything in there being linked and shared around the net; if I wasn't, I wouldn't have put them there.
