{"id":16763,"date":"2014-05-06T10:33:24","date_gmt":"2014-05-06T10:33:24","guid":{"rendered":"http:\/\/4cd.e16.myftpupload.com\/?p=16763"},"modified":"2014-05-06T10:33:24","modified_gmt":"2014-05-06T10:33:24","slug":"warning-over-unintentional-file-leak-from-storage-sites","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/?p=16763","title":{"rendered":"Warning over unintentional file leak from storage sites"},"content":{"rendered":"<p>People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files.<\/p>\n<p>Intralinks &#8211; which is a competitor &#8211; said it found sensitive files, such as mortgage records.<\/p>\n<p>The problem centred on the use of the services&#8217; sharing function that generated a public link.<\/p>\n<p>As a precaution, Dropbox has disabled access to links that have been previously shared.<\/p>\n<p>It said it had also implemented a patch to prevent shared links from being exposed from now on.<\/p>\n<p>&#8220;We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. 
We&#8217;ll continue working hard to make sure your stuff is safe and keep you updated on any new developments,&#8221; the company said in a blog.<a href=\"https:\/\/blog.dropbox.com\/2014\/05\/web-vulnerability-affecting-shared-links\/\"><br \/>\n<\/a><\/p>\n<p>&#8220;We&#8217;re working to restore links that aren&#8217;t susceptible to this vulnerability over the next few days.&#8221;<\/p>\n<p>Box has not responded to the BBC&#8217;s request for a comment.<\/p>\n<p>Security researcher Graham Cluley said identity thieves could use the method to &#8220;scoop up&#8221; data.<\/p>\n<p>&#8220;I think these services need to be more upfront with warnings,&#8221; he told the BBC.<\/p>\n<p>However he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.<\/p>\n<p><b>Referral data<\/b><\/p>\n<p>Mr Cluley has outlined suggestions\u00a0on his blog for how users can restrict access to the public files.<\/p>\n<p>Both websites offer ways to tighten security on shared links, but doing so limits flexibility.<\/p>\n<p>&#8220;This is the eternal battle sites like this face,&#8221; Mr Cluley added. 
&#8220;It&#8217;s security versus functionality.&#8221;<\/p>\n<p>Box is another highly successful file storage service<\/p>\n<p>Dropbox, Box and most other cloud hosting services often give users the option of creating a shareable web link for their files.<\/p>\n<p>It means users are able to simply send a web address &#8211; made up of a string of letters and numbers &#8211; for someone to directly download a file without needing to log in.<\/p>\n<p>Because of the complexity of the link, it is very difficult to guess &#8211; meaning that while the link is technically public, it is unlikely anyone would be able to access it by chance.<\/p>\n<p>However, Intralinks discovered that the links were being exposed in two ways not previously considered.<\/p>\n<p>Firstly, it discovered that shared links were often appearing in websites&#8217; referral data.<\/p>\n<p>Many websites look at referral data when analysing their traffic to get an insight into how visitors got to their site.<\/p>\n<p>Intralinks found that if a link to a website is included in a file shared on Dropbox, and subsequently clicked within the web viewer, the website owner would see the shared link in its referral data &#8211; and therefore be able to access the file.<\/p>\n<p>Dropbox said its patch has now fixed the problem.<\/p>\n<p><b>Google ads<\/b><\/p>\n<p>Furthermore, the company had been running a Google advertising campaign, and had paid to have an advert for Intralinks appear in Google&#8217;s search results whenever someone searched for &#8220;Dropbox&#8221; or &#8220;Box&#8221;.<\/p>\n<p>Companies that use Google&#8217;s search advertising service are sent an anonymised breakdown of what users had searched for in order to find their advertising.<\/p>\n<p>Intralinks found that many people would put the entire shared link into a Google search box, and therefore Intralinks would subsequently see those links in the breakdown data from Google.<\/p>\n<p>While copying and pasting a download link into 
Google&#8217;s search engine might appear to be odd behaviour, Intralinks said &#8220;a few hundred documents&#8221; were exposed to them in this way.<\/p>\n<p>Dropbox&#8217;s patch has not addressed this particular problem, Mr Cluley said.<\/p>\n<p>Intralinks&#8217; chief technology officer for Europe, Middle East and Africa Richard Anstey said: &#8220;Most internet users have, at one time or another, accidentally pasted a link into the search bar of their favourite search engine whilst intending to paste it into the internet address bar &#8211; it&#8217;s an easy mistake to make.<\/p>\n<p>&#8220;However, what they don&#8217;t realise is that when they press enter to execute the search, the advertisement engines that drive (and fund) the search engine will distribute that link as a search term to anyone who has paid for an &#8216;adword&#8217; that closely matches any part of that link.&#8221;<\/p>\n<p>Source: BBC<\/p>\n","protected":false},"excerpt":{"rendered":"<p>People using file storage services, such as Dropbox and Box, are being warned that they are at risk of inadvertently leaking their own files. Intralinks &#8211; which is a competitor &#8211; said it found sensitive files, such as mortgage records. 
The problem centred on the use of the services&#8217; sharing function that generated a public [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":16764,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jnews-multi-image_gallery":[],"jnews_single_post":[],"jnews_primary_category":[],"jnews_social_meta":[],"jnews_override_counter":[],"footnotes":""},"categories":[],"tags":[18],"class_list":["post-16763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-dr-akwasi-osei"],"_links":{"self":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/16763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16763"}],"version-history":[{"count":0,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/16763\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/media\/16764"}],"wp:attachment":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}