Dropbox claims it has patched a vulnerability that could disclose links to users' shared documents through a commonly used website feature, and says it is not aware of the security hole having been exploited.
On the company's blog, Dropbox vice president of engineering Aditya Agarwal explained that shared links to documents can be inadvertently disclosed through referer headers, a feature used by websites to track where visitors have navigated from.
This means that anyone with access to referer header information can see links to shared documents on Dropbox, provided the shared documents themselves contain links to websites and users click on them.
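To make the mechanism concrete, here is an added Python model (not code from Dropbox or the article) of the Referer value a browser sends when a reader clicks an outbound link inside a shared document, under each Referrer-Policy value; it shows why the 2014-era default disclosed the full share URL and which policies prevent that. The share URL, token and outbound link are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referrer_url(url):
    """Full referrer: the document URL minus credentials and fragment."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def referer_for(document_url, target_url, policy):
    """Referer header value the browser sends (None = header omitted),
    following the W3C Referrer Policy rules for the standard policies."""
    same_origin = origin_of(document_url) == origin_of(target_url)
    downgrade = document_url.startswith("https:") and not target_url.startswith("https:")
    full, origin = referrer_url(document_url), origin_of(document_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same_origin else (None if downgrade else origin)
    if policy == "no-referrer-when-downgrade":  # browser default in 2014
        return None if downgrade else full
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")

def leaks_share_link(document_url, target_url, policy):
    """True when the third-party site receives the full share URL, whose
    path carries the secret token: the disclosure the article describes."""
    return referer_for(document_url, target_url, policy) == referrer_url(document_url)

# Constructed placeholders: a share URL whose path holds the token, and an
# outbound link that the document's author pasted into the file.
SHARE_URL = "https://share.example.com/s/PLACEHOLDER-TOKEN/tax-return.pdf"
OUTBOUND = "https://vendor.example.net/pricing"

if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} -> {referer_for(SHARE_URL, OUTBOUND, pol)}")
```

A site serving secret-bearing URLs mitigates this by sending a `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) response header, or by keeping the secret out of the URL altogether.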
Dropbox has patched the vulnerability for new shared links, Agarwal said, and has disabled access to previously shared links. He added that Dropbox is working to restore links that aren't susceptible to the vulnerability.
Agarwal was at pains to point out that Dropbox is unaware of any actual instances of abuse of the vulnerability, and explained that its business product can restrict shared link access to specific teams, which mitigates the problem.
He also argued that a second issue, discovered by enterprise collaboration company Intralinks, isn't actually a Dropbox vulnerability.
The problem occurs when users enter shared links to Dropbox documents into search engines.
Intralinks said it found links to documents containing sensitive personal information by accident when it analysed Google AdWords and Analytics data that mentioned competitors Dropbox and Box.
The documents included people's tax returns, bank records, mortgage applications, business plans and more - information that Intralinks' chief security officer John Landy said is "perhaps sufficient for identity theft and other crimes".
Agarwal said this issue is well known and urged users to be careful when providing shared links to third parties such as search engines, so as not to disclose sensitive information inadvertently.