Dropbox has revealed a major loophole in its cloud service regarding document sharing and access by unintended users.
The firm has mentioned that the unintended users can access the documents from the shared file links that a Dropbox user shared with the intended recipient, if a certain set of actions occurs.
The firm explains the vulnerability opens up when a Dropbox user shares a link to a document that contains a hyperlink to a third-party website and the authorized recipient of the document clicks on the hyperlink in the document. Once clicked, the referrer header (designed to understand web traffic sources) reveals the original shared link to the third-party website enabling someone such as the webmaster of the third-party website to access the link to the shared document.
To curb the issue for the time being, Dropbox has taken numerous steps. For previously shared links to such documents, Dropbox has disabled access until further notice, and says it is working to restore links that aren't susceptible to this vulnerability "over the next few days."
In the meantime, as a workaround, Dropbox has allowed users to re-create any shared links that have been turned off by them. The company also said that for all shared links created going forward, it has patched the vulnerability. The Dropbox for Business users have the ability to restrict their shared file link access to people in their circle. Files with such access controls in place already are said to be safe.
"We realize that many of your workflows depend on shared links, and we apologize for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments," mentioned the official blog post.
Additionally, Graham Cluley, security expert, adds in his blog that the same vulnerability can also affect the Box cloud service. "Many cloud data storage services provide users with a method to share links with others. For instance, when a user creates a shareable link on Dropbox or Box, anyone with that link can access the data. You don't even have to be a registered user of the service to access a shared link."
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.