File storage service Dropbox has fixed a bug in its application that was ‘leaking’ sensitive personal information inadvertently.
The bug was brought to notice by Dropbox rival Intralinks, which claimed that the bug shared links to access sensitive documents, giving access to live folder contents, including sensitive data.
Intralinks said in a post: "We came across this issue completely by accident while running a competitive Google AdWords campaign."
"File sharing solutions users created share links for their files and entered them in the "search" box instead of the URL box in their web browsers, so our campaign collected the data," it added.
"To be clear, we gained access to files because users of file sharing applications often aren’t taking simple precautions to safeguard their data."
"When used this way, all file-sharing apps are potentially vulnerable. When using file-sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data."
Security expert Graham Cluley said: "The problem lies in Dropbox and Box not requiring users accessing a shared link to authenticate themselves."
Following the revelations, Dropbox has disabled sharing for all users except business users.
Jan Willem Aldershoff from Dropbox said in a post that they were unaware of exploitation of shared files via the bug.
"Once the link is clicked, the webmaster of the third-party website can view the incoming link in e.g. web analytics software."
"The incoming link is the link to the shared file which means it can now also be viewed by the third-party webmaster."
Cluley suggested users to opt for the Business version of Dropbox which has a security setting to restrict access to Share Links.
"Unfortunately, there is no such option for the free version of Dropbox used by the vast majority of the company’s users," Cluley added.
"As a result, the recommendation for Dropbox users has to be to use the Business version of Dropbox rather than the free one if you share sensitive data via the system.
"If you use the free version of Dropbox, you should not use the Share Link facility as it could be leaked to a third party."
