Dropbox resets shared links over ‘security flaw’
Dropbox has reset all links its users have shared after it emerged that links to shared files could leak unintentionally. The storage service had not taken referer headers into account, which allowed sites linked from a shared document to learn the URLs of the files.
A link to a file shared on Dropbox could leak to a linked site because browsers send a referer header when following a link, letting the destination site see which URL the user came from. Dropbox had not accounted for this and, as a precaution, has now invalidated all shared links to documents that may themselves contain links. Links to images therefore still work, but links to a PDF, for example, no longer do.
According to Dropbox, newly created links no longer carry this risk. The cloud storage service appears to have addressed the problem by forcing users to save files locally before they can be opened. The issue has, however, not been resolved for files in Dropbox users’ “Public” folder: those links have not been reset, and users should still be aware of the referer ‘problem’ there.
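The leak described above ends up in the web server logs of whichever site a shared document links to, so an operator can check whether secret-bearing share links are arriving in the Referer field and scrub them before they are stored. The following is an added example, not code from the article or from Dropbox: it parses constructed combined-format log lines and flags referers matching an assumed share-link shape (the real URL format is not given in the article), redacting the secret path segment.

```python
import re
from typing import List, Optional

# Apache/nginx "combined" log format: client ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed share-link shape: host, a secret token segment, then the file name.
# This pattern is an assumption for the example; adjust it to the provider's real format.
SHARE_LINK_RE = re.compile(
    r'^https?://(?:www\.)?dropbox\.com/s/(?P<token>[A-Za-z0-9]+)/(?P<name>[^?#\s]+)'
)

def redact_share_link(referer: str) -> Optional[str]:
    """Return the referer with its secret token replaced by '***', or None if it is not a share link."""
    m = SHARE_LINK_RE.match(referer)
    if not m:
        return None
    return referer[:m.start("token")] + "***" + referer[m.end("token"):]

def scan_log(lines: List[str]) -> List[dict]:
    """Report requests whose Referer carried a share link; the token is redacted in the report."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        redacted = redact_share_link(m["referer"])
        if redacted is not None:
            findings.append({
                "client": m["client"],
                "request": m["request"],
                "referer": redacted,  # store only the redacted form, never the secret
            })
    return findings

# Constructed sample log: the first line is a hit, the others are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2014:10:12:01 +0000] "GET /pricing HTTP/1.1" 200 5123 '
    '"https://www.dropbox.com/s/abc123xyz/contract.pdf" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2014:10:13:44 +0000] "GET /blog HTTP/1.1" 200 2200 '
    '"https://www.example.org/" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Jan/2014:10:15:00 +0000] "GET /docs HTTP/1.1" 200 900 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same redaction belongs in the logging pipeline itself, so that tokens never reach disk in the first place.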
The problem was discovered by Intralinks, a competitor of Dropbox. The cloud storage service Box.net is also affected by the referer problem, but as far as is known, that company has not yet rolled out a solution.