My oh my. Dropbox has been in the news recently for privacy/security concerns. It appears I may have stumbled upon another security flaw.
All Dropbox accounts have a Photos and Public folder. Files in the Photos and Public folder can be shared with others. According to Dropbox, no files outside of the Photos and Public folder can be accessed (or shared) by others unless you specifically create a "shared folder" and share that folder with other Dropbox users:
All files outside of your Dropbox Public and Photos folders are private and only accessible to you, unless you deliberately share them with other people by creating a shared folder.
Turns out this statement is not true. While reviewing the Dropbox app for the Best Free Cloud Storage App for Android article, I discovered files (and folders) outside of the Public and Photos folders can be shared with others through the Dropbox Android app: Simply long-tap on a file or folder, click Share, and generate a direct download link. Anyone that visits the direct download link can download the file/folder. (Note: The files and folders in question are not in any shared folder nor are they in the Public or Photos folders. They are files that should be "private".) Since files outside of the Public and Photos folders can be shared via a direct download link, it brings up the question of if and how these files are accessible by people other than yourself.
Interestingly enough, this same thing cannot be done via Dropbox's website*. I cannot generate public links for files or folders outside of the Public and Photos folder when logged in to Dropbox's website. I think I may have found another Dropbox security flaw.
*Update: To clarify, my account does not have the sharable model feature (mentioned at https://www.dropbox.com/help/167) enabled. In other words, I have not enabled the feature on my account that allows users to share all files and folders yet I am still able to do so.
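The inconsistency described above (the Android client offering a link the web client does not, on an account without the shareable-links setting enabled), as an added illustration that is not part of the original post: a constructed model in which the share-link policy is either enforced only in each client's UI or re-checked on the server. `Account`, `client_allows_share`, the client names and the sample paths are all assumptions, not Dropbox's code.

```python
from dataclasses import dataclass

# Constructed model of the post's scenario: an account-level "shareable links"
# setting, Public/Photos folders that are always shareable, and two clients
# (web and Android) that ask the server for a direct download link.
# All names here are assumptions; this is not Dropbox's implementation.


@dataclass
class Account:
    shareable_links_enabled: bool  # the account-wide setting from the post


ALWAYS_SHAREABLE = ("/Public/", "/Photos/")


def path_is_shareable(path: str, account: Account) -> bool:
    """The policy as the post quotes it: Public/Photos are shareable,
    anything else only if the account has enabled shareable links."""
    if path.startswith(ALWAYS_SHAREABLE):
        return True
    return account.shareable_links_enabled


def client_allows_share(client: str, path: str, account: Account) -> bool:
    """Client-side UI gating. The web client hides the option outside
    Public/Photos; the Android client (per the post) always shows it."""
    if client == "android":
        return True
    return path_is_shareable(path, account)


def create_link_trusting_client(client: str, path: str, account: Account) -> bool:
    """Flawed design: the server issues a link whenever a client asks for one.
    The policy lives only in each client's UI, so the clients can disagree."""
    return client_allows_share(client, path, account)


def create_link_server_enforced(client: str, path: str, account: Account) -> bool:
    """Hardened design: the server re-checks the account policy itself, so the
    answer is the same whichever client asks (the client UI is only a hint)."""
    if not client_allows_share(client, path, account):
        return False
    return path_is_shareable(path, account)


def clients_disagree(path: str, account: Account, issue) -> bool:
    """Audit helper: do the web and Android clients get different answers
    from the same link-issuing function for the same path and account?"""
    answers = {c: issue(c, path, account) for c in ("web", "android")}
    return len(set(answers.values())) > 1
```

With server-side enforcement the audit returns no disagreement for any path, which is the property the post's account-level setting should guarantee.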
/discuss
10 Comments
Accuse me, it’s not new at all, this feature is old. It’s called: “shareable link”
The feature is a little bit hidden but here you have an explanation on it:
https://www.dropbox.com/help/167
Good day
@miky: Your comment would make sense if I had the shareable model feature enabled on my account. I don’t. I shouldn’t be allowed to do this.
I quit some time ago. Just get a thumb drive and encrypt it. Never mind the clouds.
I never liked dropbox anyway. I DO like Zumo-drive. See it as a free online USB drive… Secure cloud, if only by obscurity – and zumo really is the most convenient program out there…
Get it here? https://www.zumodrive.com/referrals/dir/23JMGM4Mm
Greetz Chi.
Pretty good article on Windows Secrets today concerning Dropbox.
http://windowssecrets.com/newsletter/re-examining-dropbox-and-its-alternatives/
And as usual, I go to wikipedia for a chart to help pick an online backup service:
http://en.wikipedia.org/wiki/List_of_online_backup_services
I use Linux and sometimes Windows, so I need a cross-platform service (Ubuntu One, Spideroak, Dropbox).
Sure, there are uses for thumb drives, but there’s uses for the cloud too. Sometimes you need to share with others, sometimes you backup, sometimes you need to sneakernet across the room, sometimes you can’t get on the net and you need a thumb drive in your pocket.
Miki said we should “accuse” him.
I agree, I accuse him of making an incorrect posting.
Let the jury decide!
When I signed up for Dropbox I remember reading that you can generate a link to any file in any Dropbox folder and send it to someone who can then download that file via that link. It is a way to share files with people who don’t use Dropbox. My mom does not have Dropbox, so let’s say that I want to share a video file with my mom, but keep it private from everyone else. I put the video in my private folder and generate a link for her, so only she can download it, as opposed to putting it into a public folder where anyone can get it. I think that is a great feature. Your article title scared me a little ’cause I love Dropbox, but I feel the feature you are talking about is normal behavior, at least that is how I see it. If you don’t share, don’t generate any links to share and problem solved. =)
It seems to me that this is more of a flaw in the android program for dropbox rather than a security flaw. As this option should be disabled in the android app if you have it disabled on your account. Also I don’t see it as much of a security issue since you have to create the link before anyone can use it.
Dropbox Enterprise File Transfer from Thru is the secure solution for businesses and enterprises. Their solutions have been working for large businesses for ten years without a single security breach.
http://www.thruinc.com/solutions/dropbox-enterprise-file-transfer/
http://www.thruinc.com/products-services/managed-file-transfer/
Consumer dropbox solutions are convenient but lack necessary security for businesses and enterprises. Michael Osterman, President of Osterman Research, discusses this topic.
http://www.thruinc.com/resources/news-room/041912_webcast/