Dropbox has disabled access to shared links after detecting a security flaw in the service. The vulnerability was discovered by file-sharing company IntraLinks.
"During a routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data. Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans, all highly sensitive information, some perhaps sufficient for identity theft and other crimes," wrote Intralinks, as quoted by Ars Technica.
Dropbox was not aware of the security issue at the time, but the company has since posted a notice to its users on its blog. Dropbox users can share links to anything in their Dropbox, and files shared through these links are only visible to the people the links have been sent to directly. However, the company also pointed out that shared links to documents could become accessible to people who were never meant to have access.
There are a couple of specific scenarios for this unintentional document exposure. In the first, a Dropbox user shares a link to a document that itself contains a hyperlink to a third-party website. As soon as the recipient clicks that hyperlink from inside the document, the browser sends the original shared link to the third-party website in the HTTP referrer header. Anyone who can see that website's traffic or logs, and in particular the referrer header, would then be able to open the shared document through the link.
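To make the referrer mechanism concrete, the following is an added example (my own code, not Dropbox's or Intralinks') that computes the Referer value a browser sends when a link is followed from a page whose URL is itself the secret, both under the no-referrer-when-downgrade behaviour browsers defaulted to at the time and under the stricter Referrer-Policy values that exist today, and then scans a few constructed access-log lines for referrers that look like shared links, which is the check a third-party site operator could run to find out whether such URLs ever reached their server. The `/s/<token>/` shared-link path shape, the log lines and the client addresses are assumptions constructed for the example.

```python
"""Referer leak of a secret-bearing URL, and a log check for it.

Added example, not code from Dropbox, Intralinks or the article.
"""
import re
from urllib.parse import urlsplit, urlunsplit


def _strip(url):
    """Referer form of a full URL: userinfo and fragment removed (as the Referrer Policy spec requires)."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def _origin(url):
    """Origin-only referer, serialised with a trailing slash as browsers do."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return f"{p.scheme}://{host}/"


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer header sent when a link on page_url to target_url is followed.

    Returns None when no Referer is sent.  The default policy is the one
    browsers applied in 2014: the full page URL travels to any destination
    unless that would downgrade from https to http.
    """
    page, target = urlsplit(page_url), urlsplit(target_url)
    same_origin = (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(page_url)
    if policy == "origin":
        return _origin(page_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url)
    if policy == "same-origin":
        return _strip(page_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _strip(page_url) if same_origin else _origin(page_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _strip(page_url)
        return None if downgrade else _origin(page_url)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


# Combined (Apache/Nginx) access-log format: the Referer is the second quoted field after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed shape of a shared link: the share host followed by /s/<token>/<filename>.
SHARE_LINK_RE = re.compile(r"^https?://(www\.)?dropbox\.com/s/[A-Za-z0-9_-]+/", re.I)


def leaked_share_links(log_lines):
    """(client_ip, referer) for every log line whose Referer looks like a shared link."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ref = m.group("ref")
        if SHARE_LINK_RE.match(ref):
            hits.append((m.group("ip"), ref))
    return hits


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:10:12:01 +0000] "GET /pricing HTTP/1.1" 200 5120 '
    '"https://www.dropbox.com/s/AbC123xyz/mortgage-application.pdf?dl=0" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2000:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2000:10:14:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    shared = "https://www.dropbox.com/s/AbC123xyz/mortgage-application.pdf?dl=0"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_for(shared, 'https://third-party.example/', policy)}")
    print("shared links seen in log:", leaked_share_links(SAMPLE_LOG))
```

The first loop shows why the 2014 default was the problem: the whole shared URL, token included, travels to the third-party site, while `strict-origin-when-cross-origin` (today's browser default) reduces it to `https://www.dropbox.com/` and `no-referrer` (settable by the page that serves the document, or per link with `rel="noreferrer"`) sends nothing. The log scan is the other side of the same leak: a site that finds such referrers in its logs has been handed live links and should treat its log files as sensitive.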
The other is that when users paste shared links into a search engine's search box, the link is passed on to the search engine's advertising partners.
Dropbox is urging its customers to be cautious in general when handing shared links to third parties, so as to protect confidential data. It has also temporarily disabled access to previously shared links to documents. Dropbox Business accounts were also advised to restrict shared links to their own team members only.