Dropbox confirms privacy glitch that compromises users’ files

One of the world’s most popular file-storage companies, which has its European hub in Dublin, has confirmed a glitch in its system meant that users’ private files, including financial information, could be accessed by a third party.

Dropbox confirms privacy glitch that compromises users’ files
Wed, 07 May, 2014 - 01:00
Stephen Rogers

Dropbox, which has its headquarters in San Francisco, allows users to access and share documents and digital content with anyone through a range of devices.

Users share links to any file or folder in their ‘dropbox’ and those links are supposed to be accessible only to people who had the link.

However, the company has confirmed that shared links to the documents could be “inadvertently disclosed” to unintended recipients due to a “referer header”.

Whenever a person clicks on a link in any browser, the site they are going to learns where they came from using a referer header. It is designed to enable websites to better understand traffic sources and is standard practice implemented across all browsers.

The glitch in Dropbox’s system emerged when a user shared a link to a document that contains a hyperlink to a third-party website.

“The user, or an authorised recipient of the link, clicks on a hyperlink in the document,” the company said.

“At that point, the referer header discloses the original shared link to the third-party website. Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.”

Dropbox rival Intralinks said the glitch also affected another company, Box. It claimed it had been able to gain access to confidential files, including tax returns, bank records, mortgage applications, blueprints, and business plans.

Dropbox said it was “unaware of any abuse of this vulnerability”, but that, for its users’ safety, it had taken a number of steps.

For previously shared links to such documents, it has disabled access entirely until further notice. It said it was working to restore links that aren’t susceptible to the vulnerability over the coming days.

“In the meantime, as a workaround, you can recreate any shared links that have been turned off,” the company said.

For all shared links created from now on, the vulnerability has been “patched”.

“Additionally, if you’re a Dropbox for Business customer, you have the option to restrict shared link access to people in your Dropbox for Business team. Links created with those access controls were not affected,” it said.

“We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments.”

CONNECT WITH US TODAY

Whatsapp logo

WHATSAPP

Newsletter logo

NEWSLETTERS

Notification logo

NOTIFICATIONS

Be the first to know the latest news and updates

More in this section

'The Late Show with Ryan Tubridy': Presenter to host new YouTube series in 2026 'The Late Show with Ryan Tubridy': Presenter to host new YouTube series in 2026
New laws to help courts in other EU states order 'e-evidence' from here lack safeguards, says Oireachtas committee New laws to help courts in other EU states order 'e-evidence' from here lack safeguards, says Oireachtas committee
‘Why isn’t everyone talking about Domhnall Gleeson?’: Irish actor wins first Hollywood award ‘Why isn’t everyone talking about Domhnall Gleeson?’: Irish actor wins first Hollywood award
CourtsPlace: DublinPlace: San FranciscoOrganisation: DropboxOrganisation: IntralinksOrganisation: box
<p> The LÉ William Butler Yeats — its crew members spotted the drone incursion after Ukrainian president Volodymyr Zelenskyy’s plane landed in Dublin on December 1. File picture: Dan Linehan</p>

'Russia was behind drone incursion during Zelenskyy visit' say Irish security sources

READ NOW

Lunchtime News

Newsletter

Keep up with stories of the day with our lunchtime news wrap and important breaking news alerts.

Latest

Most Read

Cookie Policy Privacy Policy Brand Safety FAQ Help Contact Us Terms and Conditions

© Examiner Echo Group Limited