Dropbox patches shared links security flaw

Dropbox has now patched a security vulnerability which could give third parties access to server data without authorization.
Dropbox has fixed a security vulnerability based on the sharing of user links to files in order to stop third parties from accessing data without consent.

The cloud storage company revealed in a blog post that a weakness involving referer headers could be exploited to expose information. A referer header is an HTTP header that tells a site which page you came from as you browse the Web; websites use it to understand their traffic sources, such as whether you arrived from a search engine, a bookmark, or another website. However, in the following scenario, this feature could be exploited via Dropbox to steal data:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • The referer header discloses the original shared link to the third-party website.
  • Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
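To make the leak concrete, here is an added example (my own code, not Dropbox's) that computes the Referer value a browser sends when a link on a shared-document page is followed, for each Referrer-Policy value; the shared-link and third-party URLs are constructed placeholders. It shows that the legacy browser default (no-referrer-when-downgrade) hands the full shared link to an HTTPS third party, while a `no-referrer` or `strict-origin-when-cross-origin` policy on the page serving the document does not.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders: the path segment stands in for the secret token
# that makes a shared link act as a capability (not a real Dropbox URL).
SHARED_LINK = "https://files.example.com/s/abc123secret/report.html?dl=0"
THIRD_PARTY = "https://third-party.example.org/page"

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"

def strip_for_referrer(url):
    """Browsers drop userinfo and the fragment before sending a referrer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit('@', 1)[-1], p.path, p.query, ""))

def referrer_for(policy, source_url, target_url):
    """Referer value sent for a navigation from source_url to target_url under
    the given Referrer-Policy (W3C rules), or None when nothing is sent."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    same_origin = origin(source_url) == origin(target_url)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full = strip_for_referrer(source_url)
    only_origin = origin(source_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":   # legacy browser default
        return None if downgrade else full
    if policy == "origin":
        return only_origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else only_origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else only_origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else only_origin
    raise ValueError(f"unknown policy: {policy}")

def leaks_token(policy, source_url=SHARED_LINK, target_url=THIRD_PARTY):
    """True when the Referer would carry the shared link's secret path."""
    ref = referrer_for(policy, source_url, target_url)
    return ref is not None and urlsplit(source_url).path in ref
```

The same protection can be applied per link with `rel="noreferrer"` on outbound anchors when the serving page cannot set a Referrer-Policy header.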

Dropbox says no data theft due to the flaw has been reported.

Users do not need to take any further action, and Dropbox says that for previously shared links to documents, access has been disabled entirely "until further notice." The company hopes to lift this restriction and restore links not susceptible to this security flaw within the next few days.

As a workaround until access is restored, users can re-create links that were disabled; re-created links are protected from the vulnerability in the same way as any new shared links created going forward. Dropbox for Business users, who have the option of restricting shared link access to people in their Dropbox for Business teams, are not affected by the flaw.
