It’s come to light that file sharing and cloud storage services such as Dropbox and Box allow users to "inadvertently" leak their own files because of the way public sharing links are generated. Competitor Intralinks says it was able to find such links and use them to access sensitive files.
According to top security researcher Graham Cluley, the problem isn’t so much a bug as "an unexpected consequence of user behaviour."
However, he went on to say that companies offering such services should be more upfront about the risks involved as they could lead to identity theft.
Box did not respond to a request from the BBC for comment, but Dropbox said that it has disabled access to links which had previously been shared publicly, and has implemented a patch to fix the issue for links created in future.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments," the company said in a blog post.
"We're working to restore links that aren't susceptible to this vulnerability over the next few days."
According to Intralinks, the privacy flaw was discovered by accident while the company was analysing Google AdWords and Analytics data that mentioned competitor names. During this work, the company says that it "inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data."
"Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes."
"This is the eternal battle sites like this face," Mr Cluley said. "It's security versus functionality."
However, although the links are public, they are unlikely to be discovered by chance: each contains a long, random string of letters and numbers designed to be very difficult to guess.
The biggest problem appears to be links being entered into search boxes, where they are picked up by Google and exposed in the referral data shown in AdWords and Analytics. If a user of those services then clicks on such a link, they are taken to the referring link’s location, which in this case is the shared cloud files.
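The exposure path described above means a share link, random token and all, can turn up in the Referer data that third-party sites and analytics tools record. As an added illustration that is not part of the original article, the following Python routine scans constructed web-server log lines for share links that arrive in the Referer header, either directly or embedded in a search-engine query, and redacts the token so the logs can be retained safely. The host `files.example.com` and the `/s/<token>` URL format are assumptions made for the example and are not the real link format of Dropbox, Box or any other service.

```python
import re
from urllib.parse import unquote

# Hypothetical share-link format for a made-up host (constructed for this example;
# not the real URL format of Dropbox, Box or any other service).
SHARE_HOST = "files.example.com"
SHARE_LINK_RE = re.compile(
    r"https?://" + re.escape(SHARE_HOST) + r"/s/([A-Za-z0-9]{16,})(?:/[^\s\"&]*)?"
)

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "([^"]*)" "[^"]*"$')

# Constructed sample access-log lines for a third-party site that receives clicks
# from a shared document (line 1), from a search whose query text was a share link
# (line 2), and from an ordinary search (line 3).
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2014:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512 "https://files.example.com/s/k7Yq2mPz9Lx4Rt8vWn3B/tax-return-2013.pdf" "Mozilla/5.0"
203.0.113.6 - - [06/May/2014:10:00:02 +0000] "GET /pricing HTTP/1.1" 200 512 "https://www.google.com/search?q=https%3A%2F%2Ffiles.example.com%2Fs%2FZx9Qw4Er7Ty2Ui5Op8As" "Mozilla/5.0"
203.0.113.7 - - [06/May/2014:10:00:03 +0000] "GET /about HTTP/1.1" 200 300 "https://www.google.com/search?q=files.example.com+pricing" "Mozilla/5.0"
"""


def redact_share_links(text):
    """Replace every share-link token with a placeholder so the record is safe to keep."""
    return SHARE_LINK_RE.sub(lambda m: m.group(0).replace(m.group(1), "<redacted>"), text)


def find_leaked_share_links(log_text):
    """Return (client_ip, token, redacted_referer) for each request whose Referer
    carries a share link, whether as the page itself or inside a search query."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, referer = m.group(1), unquote(m.group(2))  # decode %-escaped query text
        for link in SHARE_LINK_RE.finditer(referer):
            findings.append((ip, link.group(1), redact_share_links(referer)))
    return findings


if __name__ == "__main__":
    for ip, token, referer in find_leaked_share_links(SAMPLE_LOG):
        print(f"{ip} share token leaked via Referer -> {referer}")
```

The redacted referer is what should be written to analytics or long-term logs; the raw token should never be stored.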
Whilst Dropbox says it has issued a patch to solve the problem, Mr Cluley says that it hasn’t "addressed this particular problem."
To stay safe, these links should not be entered into a search engine, nor recorded anywhere that could be accessed by someone other than the user and the people they have shared files with.
The news will also be a wake-up call for the many companies that still use commercial, free cloud storage. It’s been known for some time that these services are not secure enough to offer enterprise-grade protection, and businesses should use alternative, paid and secure cloud storage services.