
Dropbox and Box respond to link-sharing privacy glitch

Pandora's box is open
Wed May 07 2014, 09:59

CLOUD FILE STORAGE users are inadvertently exposing their personal data to all and sundry due to a security flaw in public link URLs.

Enterprise collaboration company Intralinks has gleefully reported the discovery made by its team during a "routine analysis of Google Adwords and Google Analytics data".

Among that data were direct public URLs to documents in Dropbox and Box. These could be clicked through and in turn led to the folder content pages, giving any visitor full access to the folder.

The company claimed it found tax returns, bank records, mortgage applications, blueprints and business plans, some of which it said were "perhaps sufficient for identity theft".

The Intralinks blog post went on to offer advice on how to protect your cloud data, surrounded by adverts for its own services, but the discovery was valid enough that, after it was posted, Dropbox responded on its own blog.

Under the heading "Web vulnerability affecting shared links", the company explained that, while it wasn't aware of the exploit being used, it had taken the precaution of disabling all historic URLs to Dropbox files until a fix could be rolled out. New links will automatically contain the fix from now on.

Box has responded, too. A spokesperson told The INQUIRER, "We haven't noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure.

"We recommend customers use our broad array of permissions settings to mitigate any potential issues. Secure content sharing is core to Box, and we've invested a lot of energy in our security model around shared links. Because every user and customer have different sharing needs, we provide the broadest array of options to make it easy to share content with settings that are as open or as restrictive as needed.

"When a user generates an open shared link, we display a warning message to help them understand the permissions for that content. We also present several options to help users manage access to their content (for example, links can be password protected or assigned expiration dates).

"In addition, company admins can ensure organization-wide secure sharing by setting shared link defaults to company-only or collaborator-only (people in the same shared folder)."

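The mechanism behind the Intralinks discovery is the HTTP Referer header: a document opened through a public share link has that share URL as its page address, so when a reader clicks a hyperlink inside the document, the browser sends the full share URL to the linked site, where it ends up in server logs and analytics data. The following Python script is an added example, not code from The INQUIRER, Intralinks, Dropbox or Box: it scans constructed web-server access-log lines for Referer values shaped like share links (the host and path patterns it checks are assumptions for the example, not a vendor-published list) and reports each hit with the sensitive part of the URL redacted, so a site operator can notice and report such leaks without retaining the live links.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Apache/nginx combined format. The
# Referer field of the third and fourth lines carries a cloud share-link URL:
# a visitor reached this site by clicking a hyperlink inside a document that
# was opened through a public share link.
SAMPLE_LOG = """\
203.0.113.10 - - [07/May/2014:09:59:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [07/May/2014:09:59:02 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
203.0.113.12 - - [07/May/2014:09:59:03 +0000] "GET /contact HTTP/1.1" 200 1024 "https://www.dropbox.com/s/abc123def456/tax-return-2013.pdf" "Mozilla/5.0"
203.0.113.13 - - [07/May/2014:09:59:04 +0000] "GET /contact HTTP/1.1" 200 1024 "https://app.box.com/s/xyz789/business-plan.docx" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (hostname, path prefix) pairs that identify public share links. These are
# assumptions for this example; adapt them to the services your users rely on.
SHARE_LINK_PATTERNS = (
    ("www.dropbox.com", "/s/"),
    ("dropbox.com", "/s/"),
    ("app.box.com", "/s/"),
)


def is_share_link(url):
    """True if the URL matches one of the assumed share-link shapes."""
    if not url or url == "-":
        return False
    parts = urlsplit(url)
    host = parts.hostname or ""
    return any(host == h and parts.path.startswith(prefix)
               for h, prefix in SHARE_LINK_PATTERNS)


def redact(url):
    """Keep scheme, host and the share prefix; drop the link token and filename."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/s/<redacted>"


def find_leaked_share_links(log_text):
    """Return one record per log line whose Referer is a share link."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ref = m.group("referer")
        if is_share_link(ref):
            hits.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "referer": ref,            # full URL, for the incident ticket only
                "redacted": redact(ref),   # safe form for reports and dashboards
            })
    return hits


if __name__ == "__main__":
    for hit in find_leaked_share_links(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} leaked share link: {hit['redacted']}")
```

To run it over a real log, replace SAMPLE_LOG with the file contents; the hits show which inbound visits carried a share URL, and the full Referer value should be handled as sensitive data rather than copied into reports. On the sharing side, the leak is prevented by serving share-link pages with a Referrer-Policy response header such as no-referrer, or by marking outbound links rel="noreferrer", so the browser never sends the share URL; the article does not say which measure Dropbox's fix used.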