Everything from tax returns to mortgage applications, bank information and personal photos are inadvertently being leaked online by users of cloud storage services such as Dropbox and Box.
The revelation has come from rival cloud storage company Intralinks which has discovered that a flaw in the sharing system employed by Dropbox and Box means that links shared with specific people are easily accessible by third-parties.
Users who want to share a file - such as a document or photo - through these services typically sends a public link to the person or persons they want to share the file with.
The problem is that the person receiving the link can access the file without any need to authenticate themselves or even be a registered user of the service.
Dropbox has admitted that "shared links to documents can be inadvertently disclosed to unintended recipients" in the following scenario:
- A user shares a link to a document that contains a hyperlink to a third-party website
- The user, or an authorised recipient of the link, clicks on a hyperlink in the document.
- At that point, the referrer header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
The company has temporarily disabled this feature as a precaution, saying on its blog:
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments."
Box says it has not observed any abuse of its open links, including by referrer headers, but it is "exploring ways to limit any exposure". It recommends customers use its "broad array of permissions settings to mitigate any potential issues."
The security flaw was first discovered by Intralinks when it was analysing web traffic to its own website.
The company - like most online companies - runs ads on Google which show up when people type in the name of their competitors.
For example when people search for Dropbox or Box, they will be presented with ads for Intralinks - and vice versa.
"During a routine analysis of Google AdWords and Google Analytics data mentioning competitors' names (Dropbox and Box), we inadvertently discovered the fully clickable URLs necessary to access these documents that led us to live folder contents, some with sensitive data," the company said on a blog post
Richard Anstey, Intralinks's CTO for the EMEA region said the company was able to access a number large number of files (one of which can be seen on the left) from these shared links: "In one case, corporate information including a business plan was uncovered. We also found evidence that many people are mingling their personal and professional files, potentially presenting privacy and security concerns for organisations."
While Dropbox has now disabled the feature, security expert Graham Cluley has given some advice for users of both Dropbox and Box to prevent the inadvertent leaking of sensitive data.
Box users he said should be aware that it is possible on both personal and business accounts "to prevent unauthorised access via Share Links. But these options are not enabled by default."
Dropbox has no such facility for free accounts, though for Business account holders there is a security setting available to restrict access to Share Links.
Finally, Cluley says that people using both services should "delete or disable Share Links after they are no longer required."