During analysis of its Google AdWords campaigns last November, rival file-sharing service Intralinks found that a number of Dropbox ‘share’ links (which are intended for a limited audience) could be disclosed to third parties. Sensitive files, such as mortgage records, were found to be reachable through these links. Dropbox denied the issue at the time.
Now, however, the service has disabled access to the affected links and said that it will implement a patch to prevent shared links from being exposed in this way from now on, thus conceding that the vulnerability was real.
The problem may soon be patched, but the lesson for users is the same: be aware of what is being shared in the cloud through consumer-grade applications, many of which lack the security controls appropriate for corporate use.
The latest European Cloud Adoption and Risk report from Skyhigh Networks, a cloud visibility company that evaluates and ranks the security credentials of services like Box, Dropbox and Intralinks, found that only 9% of the cloud services in use provide enterprise-grade security capabilities, while the remaining 91% pose medium to high security risks. Only 1% of the cloud services in use offer both enterprise-grade security capabilities and store data within Europe’s jurisdictional boundaries, while the remaining 99% store data where data privacy laws are less stringent, creating data privacy and data residency concerns.
“This story serves as further proof, as if it were needed, that businesses need to be better aware of their risk profile when it comes to sensitive data and cloud security – as these kinds of files should never be made available to the public,” said Charlie Howe, EMEA director for Skyhigh Networks, in an email.
He added, “If a business is sharing confidential information such as mortgage records, is using cloud services and cannot guarantee that it is protecting this data from unauthorized access, it really doesn’t have a grip on its IT security, or the cloud for that matter.”
Skyhigh found that Box does in fact offer a number of settings that would eliminate this specific exposure, as does Dropbox for Business; the free version of Dropbox, however, does not. Yet its report found that free Dropbox is one of the most popular cloud services in use in the UK, while Dropbox for Business has yet to register on the top 10 list.
“The fact that businesses still use free file-sharing applications when secure, enterprise-ready alternatives exist really beggars belief,” Howe said. “The companies most affected by this vulnerability will be those with poor visibility into how sensitive content is shared in the cloud. Modern enterprises should consider careful and diligent cloud service monitoring as a necessity in today’s IT security climate. Those which don’t will continue to find their data, their reputation and their business exposed.”
For instance, the free version of Dropbox has a loophole that users should be aware of: if a user enters a shared link into a search engine, the link becomes discoverable, and the search engine can pass it on to advertising partners.
“This is well known and we don’t consider it a vulnerability,” the company said in a blog post. “We urge everyone to be careful about providing shared links to third parties like search engines.”
As for the other flaw, Dropbox said that, in addition to disabling access to affected shared links until the patch is available, it is working to restore links that aren’t susceptible to the vulnerability. In the meantime, as a workaround, users can re-create any shared links that have been turned off.
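The monitoring Howe calls for, and the search-engine loophole described above, can be reduced to a concrete check: scan outbound web traffic for Dropbox share links and flag any that a user has pasted into a search engine, since those should be treated as public and re-created. The script below is an added example, not code from the article, from Dropbox or from Skyhigh Networks. The share-link URL patterns, the list of search-engine hosts and the proxy log format are all assumptions; the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed shapes of Dropbox share links (an assumption for this example,
# not a list taken from the article or from Dropbox documentation).
SHARE_LINK_RE = re.compile(
    r"https?://(?:www\.)?dropbox\.com/(?:s|sh|sc)/[A-Za-z0-9]+/[^\s'\"<>]*"
    r"|https?://dl\.dropboxusercontent\.com/(?:s|u)/[^\s'\"<>]*"
    r"|https?://db\.tt/[A-Za-z0-9]+"
)

# Hosts whose query strings we treat as "submitted to a search engine"
# (assumed list; extend for your environment).
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed proxy log sample: "<timestamp> <user> <method> <url>" per line.
SAMPLE_LOG = """\
2014-05-06T09:12:01Z alice GET https://www.dropbox.com/s/abc123xyz/mortgage_2013.pdf
2014-05-06T09:13:44Z bob GET https://www.google.com/search?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123xyz%2Fmortgage_2013.pdf
2014-05-06T09:15:10Z carol GET https://www.example.org/index.html
2014-05-06T09:16:22Z dave GET https://dl.dropboxusercontent.com/s/q1w2e3r4/board_minutes.docx
"""


def extract_share_links(url):
    """Return (link, channel) pairs for Dropbox share links found in a URL.

    channel is "direct" when the request itself fetched the share link, and
    "submitted_to_search_engine" when the link was found inside the query
    string of a request to a search engine (the loophole the article describes).
    """
    parts = urlsplit(url)
    found = []
    if parts.hostname in SEARCH_ENGINE_HOSTS:
        # parse_qs percent-decodes the values, so an encoded share link
        # inside q=... becomes a plain URL the regex can match.
        for values in parse_qs(parts.query).values():
            for value in values:
                for link in SHARE_LINK_RE.findall(value):
                    found.append((link, "submitted_to_search_engine"))
    else:
        for link in SHARE_LINK_RE.findall(url):
            found.append((link, "direct"))
    return found


def scan_log(log_text):
    """Scan proxy log lines and return one finding per share link observed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, _method, url = line.split(None, 3)
        for link, channel in extract_share_links(url):
            findings.append({"time": timestamp, "user": user,
                             "link": link, "channel": channel})
    return findings


def links_to_recreate(findings):
    """Links handed to a search engine are effectively public; these are the
    ones the owner should revoke and re-create, per Dropbox's own workaround."""
    return sorted({f["link"] for f in findings
                   if f["channel"] == "submitted_to_search_engine"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(f"{finding['time']} {finding['user']:6} {finding['channel']:28} {finding['link']}")
    print("Re-create:", links_to_recreate(results))
```

Run against real proxy or DNS-over-HTTP logs, the same scan gives the visibility Howe describes: which users are fetching share links at all, and which links have already been handed to a third party and so must be revoked rather than merely watched.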