Warning: Dropbox and Box File Sharing Security Bug

Status
Not open for further replies.

Terry Ganzi

Thread author
Feb 7, 2014
Do you use Dropbox or Box to back up your most important files and share them with your co-workers or friends? If so, you might just be sharing them with somebody else you’ve never even met.

Intralinks discovers sharelink disclosure vulnerability in Dropbox and Box
A recent report from Intralinks – a cloud storage service provider and a direct competitor of both Dropbox and Box – details how the company found a sharelink disclosure vulnerability in both Dropbox.com and Box.com.

It works like this:

When creating Google Ad campaigns, web competitors utilize one another’s company names as keywords. So, for example, if you, the consumer, were interested in purchasing cloud storage and sharing services from Dropbox and went online and Googled “Dropbox,” you would be presented with a direct link to Dropbox.com, alongside advertising links from its competitors, Box and Intralinks. If for whatever reason one of those competitors’ ad links caught your eye and you clicked on it, that competitor would be able to look at its Google Ad campaign metrics and see that the keyword “Dropbox” led you to their website.

This is all well and good; HOWEVER, when analyzing their latest Google Ad campaign metrics, Intralinks noticed something quite peculiar. In addition to competitor company name keywords and other common search phrases, they found direct sharelinks to sensitive documents hosted on Dropbox.com and Box.com acting as referral search terms to their website.

When they pasted these sharelinks into their web browser’s navigation bar, Intralinks employees were granted direct access to individual Dropbox/Box user files. According to a statement from Intralinks’ CTO, Richard Anstey, files included “several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was [also] uncovered.”
 
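The leak path described in the first post, seen from the side of a site that receives the ad traffic, as an added example that is not part of the thread or of the Intralinks report: search terms that are really URLs are redacted before campaign metrics are stored, and share links are counted so they can be reported to the hosting service. The host list, row layout and function names are assumptions, and the sample terms are constructed.

```python
import re

# Services named in the thread; the list itself is an assumption of this example.
SHARE_HOSTS = ("dropbox.com", "box.com")

# A search "keyword" that is really a URL: optional scheme, dotted host,
# optional port, then an optional path, query or fragment.
URL_TERM = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?([/?#].*)?$", re.I
)


def classify_term(term):
    """Return (kind, safe_term); kind is 'keyword', 'url' or 'sharelink'."""
    t = term.strip()
    m = URL_TERM.match(t)
    if not m:
        return "keyword", t
    host, rest = m.group(1).lower(), m.group(2) or ""
    if rest in ("", "/"):
        # A bare domain such as "dropbox.com" is an ordinary navigational query.
        return "keyword", t
    on_share_host = any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)
    # Anyone holding the full link can open the file, so only the host is kept.
    return ("sharelink" if on_share_host else "url"), host + "/[redacted]"


def sanitize_report(rows):
    """Redact URL-shaped terms in a metrics export and count share links seen."""
    clean, flagged = [], 0
    for row in rows:
        kind, safe = classify_term(row["term"])
        flagged += kind == "sharelink"
        clean.append({**row, "term": safe, "kind": kind})
    return clean, flagged


# Constructed sample rows in a hypothetical campaign-metrics layout.
SAMPLE_ROWS = [
    {"term": "dropbox", "clicks": 41},
    {"term": "secure file sharing pricing", "clicks": 7},
    {"term": "https://www.dropbox.com/s/EXAMPLETOKEN/tax return.pdf", "clicks": 1},
    {"term": "app.box.com/s/EXAMPLETOKEN", "clicks": 1},
    {"term": "example.org/docs?id=1", "clicks": 2},
]

if __name__ == "__main__":
    rows, flagged = sanitize_report(SAMPLE_ROWS)
    for r in rows:
        print(r["kind"], r["term"], r["clicks"], sep="\t")
    print("share links seen:", flagged)
```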

trainbus120

Sep 12, 2013
See, this is probably what I mentioned in my earlier post. We all need to be extremely cautious when it comes to online sharing and backup. We are actually putting our stuff in a place where it is not known or shown who has access. Scary!! But true.
 