Dropbox stumbles over security and privacy of secret links


shutterstock_womandroppingbox170Let me start out by saying that I am not foolish enough to believe in the tooth fairy, Sasquatch (aka Big Foot) nor secret links.

Surprisingly, the latest installment in the Dropbox story involves these so-called secret links (you thought I was going to say Sasquatch again, didn’t you?).

The flaw involved uploading a document to Dropbox that contained links and then sharing the document with a friend.

If you shared the “encrypted” document with a friend using the “secret” URL and your friend clicked on a link in that document, you would leak the “secret” URL to the site hosting the link and anyone else observing your traffic (for non-HTTPs links).

In a blog posted on 5 May, Dropbox claims to have fixed the flaw without providing any detail as to how they went about resolving the issue.

It is surprising to me that organizations like Dropbox seem to think that it is safe to store documents on their service and share them using a secret URL.

Are we really supposed to believe our data is protected and that no one will discover our magic link?

Dropbox security issues aren’t really anything new. A few years ago it was shown that you could grab a file from a Dropbox user’s PC and use it to access their files without authentication.

Later it turns out a Dropbox employee was compromised leading to a bunch of Dropbox users’ email addresses being leaked.

Last month Dropbox caused a bit of a stir when a user attempting to share some copyrighted material with a friend received a DMCA block notification.

If Dropbox is encrypting your content, how can it tell you are a movie pirate? It’s simple. It has the keys.

The reality is that if you upload data to the cloud and you haven’t encrypted it with your own keys, you are at the mercy of whoever does hold the keys.

The best approach to data security is to trust no one. Most of us aren’t willing to give up the convenience of the cloud, but that doesn’t mean we live by the motto “In cloud we trust.”

You might say I am biased, but my preferred solution is SafeGuard Encryption for Cloud Storage and Sophos Mobile Encryption.

This way I get to safely use Dropbox, Box.com, Egnyte and others directly from my PC and my mobile device.

The important thing is to encrypt your files and backups before they are sent to the cloud, not that you must use Sophos products to do it (although we sure do like it when you do).

As reported by Graham Cluley, Dropbox first heard about the flaw in late November 2013 but sat on it for months until the media showed an interest and the issue was promptly fixed.

So, as usual it is often best to do the job yourself if you want to be sure it has been done correctly.

Image of woman dropping boxes courtesy of Shutterstock.