Dropbox stumbles over security and privacy of secret links

Filed Under: Cryptography, Featured, Privacy

shutterstock_womandroppingbox170Let me start out by saying that I am not foolish enough to believe in the tooth fairy, Sasquatch (aka Big Foot) nor secret links.

Surprisingly, the latest installment in the Dropbox story involves these so-called secret links (you thought I was going to say Sasquatch again, didn't you?).

The flaw involved uploading a document to Dropbox that contained links and then sharing the document with a friend.

If you shared the "encrypted" document with a friend using the "secret" URL and your friend clicked on a link in that document, you would leak the "secret" URL to the site hosting the link and anyone else observing your traffic (for non-HTTPs links).

In a blog posted on 5 May, Dropbox claims to have fixed the flaw without providing any detail as to how they went about resolving the issue.

It is surprising to me that organizations like Dropbox seem to think that it is safe to store documents on their service and share them using a secret URL.

Are we really supposed to believe our data is protected and that no one will discover our magic link?

Dropbox security issues aren't really anything new. A few years ago it was shown that you could grab a file from a Dropbox user's PC and use it to access their files without authentication.

Later it turns out a Dropbox employee was compromised leading to a bunch of Dropbox users' email addresses being leaked.

Last month Dropbox caused a bit of a stir when a user attempting to share some copyrighted material with a friend received a DMCA block notification.

If Dropbox is encrypting your content, how can it tell you are a movie pirate? It's simple. It has the keys.

The reality is that if you upload data to the cloud and you haven't encrypted it with your own keys, you are at the mercy of whoever does hold the keys.

The best approach to data security is to trust no one. Most of us aren't willing to give up the convenience of the cloud, but that doesn't mean we live by the motto "In cloud we trust."

You might say I am biased, but my preferred solution is SafeGuard Encryption for Cloud Storage and Sophos Mobile Encryption.

This way I get to safely use Dropbox, Box.com, Egnyte and others directly from my PC and my mobile device.

The important thing is to encrypt your files and backups before they are sent to the cloud, not that you must use Sophos products to do it (although we sure do like it when you do).

As reported by Graham Cluley, Dropbox first heard about the flaw in late November 2013 but sat on it for months until the media showed an interest and the issue was promptly fixed.

So, as usual it is often best to do the job yourself if you want to be sure it has been done correctly.

Image of woman dropping boxes courtesy of Shutterstock.

, , , , ,

You might like

9 Responses to Dropbox stumbles over security and privacy of secret links

  1. rakso75 · 136 days ago

    I never really understood that of "secret link". I mean, if there is a link that anybody can receive, paste in a browser, and get to a resource, where is the secrecy?

    The link can be more or less known, announced, publicized... but secret?

  2. Deramin · 136 days ago

    Psst, don't tell anyone about it, but this is a secret comment.

  3. LindaB · 136 days ago

    Best way to solve these riddles is not to use the cloud - ever. No cloud, no related insecurity - and all you files right there on your device all the time!

    You want to access those files from different devices? Then sync them at home/office without them ever leaving your fingertip control.

  4. Thanks for the article. I certainly agree with "The important thing is to encrypt your files and backups before they are sent to the cloud."

  5. Great suggestion. Encrypting your files before uploading them is an excellent way to secure your data in the wild wild west of the internet. If at all possible, I would also suggest purchasing a personal external cloud drive,(ex. WD My Cloud) that can be accessed via Ethernet connection anywhere as an even more secure option for sharing.

  6. Seriously - HTTP referrer logs? Yeesh.

  7. Interesting view, but I believe you are misinterpreting what the real issues are:

    1) You really can't trust cloud providers, adding authentication does not change that, in fact adding authentication only increases the difficulty of decoupling confidentiality from the dependence on cloud providers.
    2) Your PC most likely does not grant sufficient privacy to any of your applications, including your browser and including your mail client and encryption/decryption software in order for it to securely communicate secret links.
    3) Unless the cloud provider generated the secret key, the cloud provider does not need to be sent the full secret link on access. The challenge would than be making sure that the server provider client executed JavaScript does not or can not share the decryption key with the server.

    Now the interesting part, both one and two can actually be solved with the same access control paradigm that brought us secret links in the first place.

    Number 3 probably can't be solved with secret link like technology, but this might be a place where today AV vendors could play a major role as it would require the application of some of the techniques used in current day AV products that wide spread and multigranular use of what effectively are secret links would make deprecated ;-)

    • Minor mistake in my reply: 2) 'securely communicate' should be 'securely store communicated'.

  8. Even though I have deleted many of my unwanted transferred files, Dropbox is saying I'm full and wants me to buy more space. Is this correct or am I being scammed?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.