IT Security Guru

Dropbox fixes hyperlink flaw

by The Gurus
May 7, 2014
in Editor's News

Dropbox has squashed a bug which impacted shared links to files that contained hyperlinks.
 
According to a blog post by Aditya Agarwal, vice president of engineering at Dropbox, the company has taken steps to address this issue and users do not need to take any further action. He explained that if a Dropbox user shared a link to a document that contained a hyperlink to a third-party website, and a recipient clicked on that hyperlink in the document, the original shared link could be accessed by the webmaster of the third-party website.
 
The research by IntraLinks was reported yesterday. Agarwal said Dropbox was unaware of any abuse of this vulnerability, but it has disabled access to shared links until further notice and is working to restore links that were not susceptible to this vulnerability.
 
“We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments,” he said.
 
IntraLinks said it reported the issue to Dropbox in November 2013, but Dropbox had not determined it to be a vulnerability until it was widely reported by the media yesterday.
 
TK Keanini, CTO of Lancope, said that this was the reality of the cloud, where the good news is that you can always access anything, anytime, anywhere – the bad news is sometimes the bad guys can do the same.
 
“When people think about Usability Design, they also need to think about security. We want to make it easier, not harder for the user to manage their own security settings,” he said. “Designers will make mistakes along the way, but we must learn from these mistakes and correct them so that others can avoid them too.”
 
He said that the fundamental problem with the link share issue was that without a second factor of authentication, it should not be treated as anything but a public resource no matter how many people know.
 
“These services like Dropbox are awesome for productivity, but with this power comes responsibility. Users need to take more responsibility for the security of their files and demand that features be added so that they can manage their security better. Any other strategy simply will not scale to the internet.”
 
Rob Sobers, director of Varonis, said: “The primary danger of shared links, as implemented by most cloud services, is that they rely solely on security through obscurity. While obscurity is better than nothing, it’s certainly not great protection as we’ve seen.
 
“Couple this with the likelihood of user or admin misconfiguration due to lack of understanding and poor user interfaces and, as we’ve seen with Box, Amazon, and now Dropbox, risk is high, so people should proceed with caution.”

Tags: Cloud, Dropbox, Vulnerability