Dropbox patches shared links security flaw

Summary: Dropbox has patched a security vulnerability that could give third parties access to server data without authorization.


Dropbox has fixed a security vulnerability involving the links users share to their files, closing a path by which third parties could access data without consent.

The cloud storage company revealed in a blog post that a weakness involving referer headers could be exploited to expose information. The referer header is part of the HTTP request a browser sends when you follow a link: it tells the destination site which page you came from, which lets websites understand their traffic sources, such as whether a visitor arrived from a search engine, a bookmark, or another website. In the following scenario, however, that header could be exploited to expose Dropbox data:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • The referer header discloses the original shared link to the third-party website.
  • Someone with access to that header, such as the webmaster of the third-party website, could then follow the disclosed link and open the shared document.
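As an added example, not Dropbox's own code: the Node.js script below models how a browser derives the Referer header from the page a link is clicked on, using the later Referrer-Policy values, and shows which settings keep the shared-link URL out of the header. The shared link and the third-party URL are constructed placeholders.

```javascript
// Added example (not Dropbox's code). Models the Referer a browser sends when a
// link inside a shared document is followed, under several Referrer-Policy values.
const SHARED_LINK = 'https://www.dropbox.com/s/CONSTRUCTED_TOKEN/report.pdf'; // constructed, not real
const THIRD_PARTY = 'https://example.net/article';                           // constructed

// Derive the Referer value for a navigation from `fromUrl` to `toUrl` under `policy`.
// Returns null when no header would be sent. Fragments are never included.
function computeReferer(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = from.origin + from.pathname + from.search; // the whole capability URL
  const originOnly = from.origin + '/';
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case 'no-referrer-when-downgrade': return downgrade ? null : full; // classic default
    case 'unsafe-url': return full;
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// True when the header value reproduces the shared link's origin and path,
// i.e. the recipient site could open the document with it.
function leaksSharedLink(refererValue, sharedLink) {
  if (!refererValue) return false;
  const a = new URL(refererValue);
  const b = new URL(sharedLink);
  return a.origin === b.origin && a.pathname === b.pathname;
}

// Per-link mitigation a document viewer can apply when rendering outbound anchors:
// rel="noreferrer" suppresses the header for that link regardless of page policy.
function hardenAnchor(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) =>
    /\brel=/i.test(attrs) ? tag : `<a${attrs} rel="noreferrer noopener">`);
}

for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  const ref = computeReferer(SHARED_LINK, THIRD_PARTY, policy);
  console.log(policy.padEnd(32), 'Referer:', ref, 'leaks link:', leaksSharedLink(ref, SHARED_LINK));
}
```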

Dropbox says no data theft due to the flaw has been reported.


Users do not need to take any further action, and Dropbox says that for previously shared links to documents, access has been disabled entirely "until further notice." The company hopes to lift this restriction and restore links not susceptible to this security flaw within the next few days.

As a workaround until access is restored, users can re-create links that have been disabled; the re-created links are protected from the vulnerability in the same way as any new shared links created from now on. Dropbox for Business users, who have the option of restricting shared link access to members of their Dropbox for Business teams, are not affected by the flaw.



Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
