
Dropbox patches shared links security flaw

Dropbox has now patched a security vulnerability which could give third parties access to server data without authorization.


Dropbox has fixed a security vulnerability based on the sharing of user links to files in order to stop third parties from accessing data without consent.

The cloud storage company revealed in a blog post that a weakness based on referer headers could be exploited to expose information. A referer header is part of the HTTP protocol that lets a site learn which page you've come from when you are browsing the Web, and the feature allows websites to understand traffic sources — whether you visit a site from a search engine, bookmark, or another website. However, in the following scenario, this feature could be exploited via Dropbox to steal data:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • The referer header discloses the original shared link to the third-party website.
  • Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
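
The four steps above hinge on what a browser puts in the Referer header when a link on the shared-document page is followed. The added example below is not Dropbox's code; it models the standard Referrer-Policy rules for a navigation so a defender can check which policy keeps the secret-bearing shared URL (path and query) from reaching the third-party site. The Dropbox URL and the third-party host are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values, not real shared links.
SHARED_LINK = "https://www.dropbox.com/s/EXAMPLETOKEN/report.pdf"
THIRD_PARTY = "https://third-party.example/page"


def _origin(url: str) -> str:
    """Origin-only form of a URL: scheme://host[:port]/"""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return f"{p.scheme}://{host}/"


def _stripped(url: str) -> str:
    """Full URL minus credentials and fragment (what 'unsafe-url' sends)."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_for(policy, page_url: str, target_url: str):
    """Referer value (or None) a browser sends when a link on page_url
    pointing at target_url is followed under the given Referrer-Policy.
    None/empty policy means the browser default, strict-origin-when-cross-origin."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full, origin = _stripped(page_url), _origin(page_url)
    policy = policy or "strict-origin-when-cross-origin"
    rules = {
        "no-referrer": None,
        "origin": origin,
        "unsafe-url": full,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin-when-cross-origin": None if downgrade else (full if same_origin else origin),
    }
    if policy not in rules:
        raise ValueError(f"unknown policy: {policy}")
    return rules[policy]


def leaks_shared_link(policy, page_url: str, target_url: str) -> bool:
    """True if more than the origin (i.e. the secret path) reaches the target."""
    ref = referer_for(policy, page_url, target_url)
    return ref is not None and ref != _origin(page_url)
```

Under the policy browsers shipped with in 2014 (no-referrer-when-downgrade), an https-to-https click leaks the full link; `no-referrer`, `same-origin`, or any `origin`-based policy on the shared-document page stops it.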

Dropbox says no data theft due to the flaw has been reported.


Users do not need to take any further action, and Dropbox says that for previously shared links to documents, access has been disabled entirely "until further notice." The company hopes to lift this restriction and restore links not susceptible to this security flaw within the next few days.

As a workaround until access is restored, users can re-create the links that were disabled; the new links are protected from the vulnerability in the same manner as any shared link created going forward. Dropbox for Business users, who have the option of restricting shared link access to people in Dropbox for Business teams, are not affected by the flaw.
