Cloud storage has always caused security worries, from the consumer to business level, and a couple of major online storage providers have just encountered serious problems regarding users who could have accidentally leaked their own files.
This issue was flagged up in relation to storage lockers Dropbox and Box, with a file-sharing competitor, Intralinks, pointing the problem out.
When examining Google AdWords and Google Analytics data pertaining to its rivals, Intralinks found clickable URLs which led to folders that contained all manner of sensitive data stored on Dropbox and Box, including tax returns, mortgage applications, business plans and banking data.
Dropbox responded quickly, and made a blog post explaining how this particular web vulnerability could potentially expose links to files which have been shared.
A shared link should, of course, only be usable by the recipient, but if a Dropbox user shares a link to a document which contains a hyperlink to a third-party website – and the recipient of the share clicks that hyperlink – the webmaster of the third-party site could gain access to the Dropbox user's shared material via the referrer header, which contains the original shared link. Because the Dropbox link isn't protected in any manner – there's no authentication required – anyone can directly access the private contents of the linked folder, if they get hold of the link.
Dropbox said it wasn't aware of any exploitation of this flaw, and has moved to patch it up, disabling all previously made links to such documents just to be safe. The service said it would restore links which weren't vulnerable over time going forward, but you can always simply recreate them yourself if you don't want to wait. Dropbox has patched up its system so any future shared links won't be susceptible in this manner.
However, a private link can also be spilled not just by this method, but by the recipient of a shared link accidentally pasting it into a search engine rather than the URL bar – an easy enough mistake to make. In this case, the advertising server receives the shared link in the referring URL if a user clicks an ad.
Dropbox didn't mention the latter problem – and of course Box didn't mention anything at all, with the service still yet to respond. We'd expect a statement pretty soon, though.
Meantime, if you use one of these services, check out security expert Graham Cluley's post on the matter for further advice about the action you can take against these issues.