On May 5th, Dropbox released a statement regarding a vulnerability affecting shared links. Sensitive data is made vulnerable through the following process:

  1. A Dropbox user posts a document that has a link to an external website.
  2. The user shares a public link to that document with someone.
  3. Someone visits the public link and, while viewing the document in the web viewer, clicks the link to the external website.
  4. A site manager of the external website reviews who has been visiting their site by means of the referrer header, and sees that the user arrived at their site via the Dropbox public link.
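
The referrer exposure in steps 3 and 4 depends on the Referrer-Policy in effect on the page that hosts the document. The following is an added example, not code from Dropbox or from this post, and it does not describe how Dropbox patched the issue. It computes the Referer value a browser sends under each policy; the share link, the external site, and the function names are constructed for illustration.

```javascript
// Added example: which Referrer-Policy values let a share link reach a third-party site.
// Both URLs are constructed placeholders, not real share links.
const SHARE_LINK = "https://files.example.com/s/CONSTRUCTED-TOKEN/plan.pdf?view=1#page=2";
const EXTERNAL = "https://partner.example.net/pricing";

// Browsers never put credentials or the fragment in Referer; origin-only keeps just "scheme://host/".
function stripForReferer(url, originOnly) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

// Referer value sent for a navigation from -> to under a given policy (W3C Referrer Policy rules).
// Returns null when no header is sent. Simplification: "downgrade" is treated as
// https -> non-https rather than the spec's full "potentially trustworthy" test.
function refererSent(policy, from, to) {
  const f = new URL(from), t = new URL(to);
  const sameOrigin = f.origin === t.origin;
  const downgrade = f.protocol === "https:" && t.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return stripForReferer(from, false);
    case "origin": return stripForReferer(from, true);
    case "same-origin": return sameOrigin ? stripForReferer(from, false) : null;
    case "strict-origin": return downgrade ? null : stripForReferer(from, true);
    case "no-referrer-when-downgrade": return downgrade ? null : stripForReferer(from, false);
    case "origin-when-cross-origin": return stripForReferer(from, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferer(from, false);
      return downgrade ? null : stripForReferer(from, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the external site's logs would receive the secret path of the share link.
function leaksShareLink(policy, from = SHARE_LINK, to = EXTERNAL) {
  const ref = refererSent(policy, from, to);
  return ref !== null && new URL(ref).pathname !== "/";
}

// Map every policy to whether it exposes the share link to the external site.
function auditPolicies() {
  const policies = ["no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"];
  return Object.fromEntries(policies.map((p) => [p, leaksShareLink(p)]));
}

console.log(auditPolicies());
```

Only `no-referrer-when-downgrade` and `unsafe-url` hand the full share link to the external site in this HTTPS-to-HTTPS case; every other policy sends the origin alone or nothing.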

Dropbox has since released a patch to address the problem and has deactivated already-affected links.

Another “vulnerability” reported by Intralinks has to do with AdWords data. Essentially, some Dropbox users have been pasting entire public links into the Google search bar, and AdWords users whose keywords closely match a portion of the URL are able to see the specific URL in their metrics data. Dropbox doesn’t consider this a vulnerability. While it may not have been predictable, it is due to an unavoidable user error. Pasting a shared link into the search bar is no different from someone making the link publicly known through Facebook or a blog. If a user of any cloud platform intends to utilize public link functionality, they must be aware of other users’ ability to make the link truly public to anyone and everyone.

Keeping sensitive files confidential is CapLinked’s #1 priority. CapLinked does offer public share links, but they are at the workspace level. That is, CapLinked does not feature share links to specific documents. Everyone on a “public” CapLinked workspace will know immediately that it is indeed public and understand potential risks. Furthermore, the ability to use public share links must be activated by CapLinked personnel, which means that our clients will be completely cognizant of the shareability and associated risks. Learn more about CapLinked’s security measures on our security page.