You may or may not have read about the recent data leak involving Dropbox and Box that has been reported across the web. If you don’t know them, Dropbox and Box are two of the world’s largest cloud-based file sharing platforms and are used on a daily basis. What has happened is that the supposedly “secure links” to files within these services are not so secure: they can allow anyone on the web to reach the file with a simple search.
How does this work?
Well, remember those URLs you could generate for specific files so that only people with the link to that file could access them? It turns out that links of that sort are being picked up by search engines such as Google, Bing and Yahoo, resulting in unauthorised access to data.
Search engine bots trawl the internet, find these links and index them together with keywords taken from the file and from the URL; the engine’s ranking algorithm then processes the results before presenting them to whoever searches. Because of this, anyone who searches for the right key phrases can find sensitive data (yes, people do share sensitive data within these services) and exploit it in any way they see fit.
Furthermore, certain keywords from the documents themselves are being indexed too, resulting in accidental leaks of supposedly secure documents.
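The defensive side of the mechanism described above is spotting share links before they leave your organisation, for example in outgoing mail or documents about to be published. The following is an added example, not code from the original post or from Dropbox or Box: a small data-loss-prevention style scanner that finds share-link URLs for the two services in a block of text, classifies them by service, and can redact them. The host names and the share-link path prefixes (`/s/`, `/sh/`, `/scl/`) are assumptions about how such links look, not facts taken from the post, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption (not from the post): share links for these services live under
# these domains (and their subdomains) and start with one of these path prefixes.
SERVICE_HOSTS = {
    "dropbox": ("dropbox.com",),
    "box": ("box.com",),
}
SHARE_PATH_PREFIXES = ("/s/", "/sh/", "/scl/")

# Rough URL matcher: stop at whitespace and the characters that usually close a link in prose.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify_share_link(url):
    """Return 'dropbox' or 'box' if the URL looks like a public share link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not parts.path.startswith(SHARE_PATH_PREFIXES):
        return None  # e.g. a marketing page on the same domain is not a share link
    for service, domains in SERVICE_HOSTS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return service
    return None


def find_share_links(text):
    """Scan free text and return a list of (service, url) for every share link found."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop trailing sentence punctuation
        service = classify_share_link(url)
        if service is not None:
            findings.append((service, url))
    return findings


def redact_share_links(text):
    """Replace every detected share link with a placeholder so it cannot be indexed or forwarded."""
    def _replace(match):
        url = match.group(0)
        trailing = url[len(url.rstrip(".,;")):]
        return ("[share-link redacted]" + trailing) if classify_share_link(url.rstrip(".,;")) else url
    return URL_RE.sub(_replace, text)


# Constructed sample: an outgoing message containing two share links and two harmless URLs.
SAMPLE_MESSAGE = """Hi team,
The Q3 forecast is at https://www.dropbox.com/s/abc123xyz/forecast.xlsx?dl=0 for review.
Contract draft: https://acme.app.box.com/s/9f8e7d6c please do not forward.
Our pricing page https://www.dropbox.com/plans is public anyway.
Unrelated reading: https://example.org/docs/guide.pdf
"""

if __name__ == "__main__":
    for service, url in find_share_links(SAMPLE_MESSAGE):
        print(f"{service:8} {url}")
    print(redact_share_links(SAMPLE_MESSAGE))
```

Run against a mail gateway or a pre-publish hook, a hit on `find_share_links` is the point at which to ask whether the recipient should really receive a link that anyone who finds it can open; `redact_share_links` is the blunt alternative when the answer is no.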
What kind of “Sensitive data” is this?
The sensitive data could be a simple Word document belonging to a company, or an individual’s bank details attached to a document. You might not expect people to transmit such data over the web, but it does occur.
Data can be stolen in the same way a shop can be robbed: you break the glass and take the loot. Applied to the web, the equivalent is breaking through the datacentre firewall and downloading the data. From there, just as in the physical world, the stolen items can be distributed and sold on black markets, or exploited in any way the attacker sees fit.
The scariest part of this is that it isn’t a specific niche of people. It’s widespread to both business and consumer users who regularly upload documents and files to the services.
What action should I take?
Although Dropbox has said the flaw has been patched, we would advise you to be a lot more cautious about what kind of data you transmit over the internet. As most people already know, you wouldn’t willingly give someone your PIN on the street, so why do it on the internet? If you are concerned about the data you are sharing, we would advise you to look to a business-level online file sharing solution.
UPDATE: Both Dropbox and Box have fixed the bugs since this post was originally written.