- dotTech - http://dottech.org -

Dropbox Security Flaw: Files outside of the “Public” and “Photos” folder can be accessed by others

My oh my. Dropbox has been in the news recently for privacy/security concerns [1]. It appears I may have stumbled upon another security flaw.

All Dropbox accounts have a Photos and a Public folder. Files in the Photos and Public folders can be shared with others. According to Dropbox [2], no files outside of the Photos and Public folders can be accessed (or shared) by others unless you specifically create a “shared folder” and share that folder with other Dropbox users:

All files outside of your Dropbox Public and Photos folders are private and only accessible to you, unless you deliberately share them with other people by creating a shared folder.

Turns out this statement is not true. While reviewing the Dropbox app for the Best Free Cloud Storage App for Android [3] article, I discovered that files (and folders) outside of the Public and Photos folders can be shared with others through the Dropbox Android app: simply long-tap on a file or folder, tap Share, and generate a direct download link. Anyone who visits the direct download link can download the file/folder. (Note: The files and folders in question are not in any shared folder, nor are they in the Public or Photos folders. They are files that should be “private”.) Since files outside of the Public and Photos folders can be shared via a direct download link, it raises the question of whether, and how, these files are accessible to people other than yourself.

Interestingly enough, this same thing cannot be done via Dropbox’s website*. I cannot generate public links for files or folders outside of the Public and Photos folder when logged in to Dropbox’s website. I think I may have found another Dropbox security flaw.

*Update: To clarify, my account does not have the sharable model feature (mentioned at https://www.dropbox.com/help/167 [4]) enabled. In other words, I have not enabled the feature on my account that allows users to share all files and folders yet I am still able to do so.
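The security lesson in the post is that the Android app and the website reach different answers to the same question (“may a public link be created for this path?”), which means the rule is not being enforced in one place. Below is an added example, not Dropbox's code and not from the original post, of what a single server-side policy check for the rule quoted above would look like, plus a small reconciliation routine that compares logged link-creation events against that policy to flag a client that hands out links the policy forbids. The `Account` fields, the `/Work` shared folder, and the event log are constructed assumptions for illustration; `share_all_enabled` stands in for the opt-in feature mentioned in the update.

```python
"""
Added example (not Dropbox's code): one server-side policy deciding whether a
direct download link may be issued for a path, modelling the rule quoted in the
post, and an audit that flags clients whose behaviour disagrees with it.
"""
from dataclasses import dataclass, field
from posixpath import normpath

# Folders the quoted policy names as shareable by default.
ALWAYS_SHAREABLE = ("/Public", "/Photos")


@dataclass
class Account:
    # Assumption: a shared folder is recorded by its root path ("/Work").
    shared_folders: set = field(default_factory=set)
    # Assumption: models the "share all files and folders" opt-in from the update.
    share_all_enabled: bool = False


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies inside it ("/PublicX" is not under "/Public")."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def may_create_public_link(account: Account, path: str) -> bool:
    """Return True only if the stated policy permits a public link for `path`.

    Every client (website, Android app, API) is expected to call this same
    check, so no client can be more permissive than the policy.
    """
    # Normalise first so "Public/../Documents/x" is judged as "/Documents/x".
    path = normpath("/" + path.lstrip("/"))
    if account.share_all_enabled:
        return True
    if any(_under(path, root) for root in ALWAYS_SHAREABLE):
        return True
    return any(_under(path, root) for root in account.shared_folders)


def audit(account: Account, events):
    """Return (client, path) for every link a client issued that the policy denies."""
    return [(client, path) for client, path, issued in events
            if issued and not may_create_public_link(account, path)]


# Constructed sample of link-creation events: (client, path, link_was_issued).
SAMPLE_EVENTS = [
    ("web",     "/Public/avatar.png",     True),
    ("web",     "/Documents/taxes.pdf",   False),  # website refuses, as the post observes
    ("android", "/Photos/2011/beach.jpg", True),
    ("android", "/Documents/taxes.pdf",   True),   # the behaviour the post reports
    ("android", "/Work/plan.doc",         True),   # /Work is a shared folder, so allowed
]


def sample_audit():
    """Run the audit over the constructed events for an account sharing /Work."""
    return audit(Account(shared_folders={"/Work"}), SAMPLE_EVENTS)


if __name__ == "__main__":
    for client, path in sample_audit():
        print(f"policy violation: {client} issued a link for {path}")
```

Running the audit over real link-creation logs is the check a defender would want here: any (client, path) pair it reports is a path where a client, rather than the server, is deciding what may be shared.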