The cloud storage company Dropbox has announced a security flaw involving shared links to files that contain hyperlinks. The flaw allows third parties to access information without your consent.
The security flaw involves referer headers, which are how websites learn where a visitor came from in order to better understand their traffic sources. This is standard behaviour in all web browsers, and for an ordinary website it is not an issue in itself. The problem arises when you or someone else opens your shared link and follows a link from that document to another website. At that point someone with access to that website could exploit this feature and gain access to information you did not intend to share with just anyone.
Dropbox's blog post describes the following scenario of how this could play out.
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
- At that point, the referer header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
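To make the referer step in the scenario above concrete, here is an added Python example (not Dropbox's code) that computes what a browser places in the Referer header when a reader follows a link from a shared document to a third-party site, under each standard Referrer Policy value. The shared-link and third-party URLs are constructed placeholders; the example goes beyond the page by covering all policies, showing that the historical browser default (`no-referrer-when-downgrade`) discloses the full shared link across sites, while `no-referrer` and the origin-only policies do not.

```python
from urllib.parse import urlsplit, urlunsplit

def origin_of(url: str) -> str:
    """Return scheme://host[:port], the most a restrictive policy discloses."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}:{p.port}" if p.port else f"{p.scheme}://{host}"

def stripped_url(url: str) -> str:
    """Full referrer form: userinfo and fragment removed, path and query kept."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def referer_for(source: str, destination: str, policy: str):
    """Referer value sent when navigating source -> destination under `policy`,
    or None when the browser sends no Referer header at all."""
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    same_origin = origin_of(source) == origin_of(destination)
    full, origin = stripped_url(source), origin_of(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":   # historical browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")

def discloses_shared_link(referer, shared_link: str) -> bool:
    """True if the Referer value lets the receiving site reconstruct the shared link."""
    return referer is not None and referer == stripped_url(shared_link)

if __name__ == "__main__":
    SHARED = "https://share.example.com/s/TOKEN-PLACEHOLDER/report.pdf"  # constructed placeholder
    THIRD_PARTY = "https://third-party.example/article"                  # constructed placeholder
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        r = referer_for(SHARED, THIRD_PARTY, policy)
        print(f"{policy:34} -> {r!r}  discloses link: {discloses_shared_link(r, SHARED)}")
```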
Dropbox reports that they are unaware of any abuse of this vulnerability; however, they have taken steps to ensure it cannot be exploited.
All previously shared links to documents have been disabled until further notice, and Dropbox will be restoring the links that are not affected by this vulnerability over the next few days. As a workaround you can re-create any shared links that have been turned off, as all new shared links going forward have been patched. Dropbox for Business customers that use the option to restrict shared link access were not affected by this security flaw.