Dropbox Security Flaw: Files outside of the “Public” and “Photos” folder can be accessed by others

My oh my. Dropbox has been in the news recently for privacy/security concerns. It appears I may have stumbled upon another security flaw.

All Dropbox accounts have a Photos and a Public folder. Files in the Photos and Public folders can be shared with others. According to Dropbox, no files outside of the Photos and Public folders can be accessed (or shared) by others unless you specifically create a “shared folder” and share that folder with other Dropbox users:

All files outside of your Dropbox Public and Photos folders are private and only accessible to you, unless you deliberately share them with other people by creating a shared folder.

Turns out this statement is not true. While reviewing the Dropbox app for the Best Free Cloud Storage App for Android article, I discovered that files (and folders) outside of the Public and Photos folders can be shared with others through the Dropbox Android app: simply long-tap on a file or folder, tap Share, and generate a direct download link. Anyone who visits the direct download link can download the file/folder. (Note: the files and folders in question are not in any shared folder, nor are they in the Public or Photos folders. They are files that should be “private”.) Since files outside of the Public and Photos folders can be shared via a direct download link, it raises the question of if and how these files are accessible by people other than yourself.

Interestingly enough, this same thing cannot be done via Dropbox’s website*. I cannot generate public links for files or folders outside of the Public and Photos folders when logged in to Dropbox’s website, yet the Android app lets me do exactly that. I think I may have found another Dropbox security flaw.

*Update: To clarify, my account does not have the shareable model feature (mentioned at https://www.dropbox.com/help/167) enabled. In other words, I have not enabled the feature on my account that allows users to share all files and folders, yet I am still able to do so.
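The underlying defect is that one client (the Android app) reached a different sharing decision than the website for the same account and file, which can only happen when the policy lives in the client rather than behind the API. The following is an added illustration of what a server-side check for this policy looks like; it is not Dropbox’s code, and the `shareable_links_enabled` flag and the function names are assumptions:

```python
from dataclasses import dataclass
from posixpath import normpath

# The two folders the post says Dropbox treats as shareable by default.
PUBLIC_ROOTS = ("/Public", "/Photos")


@dataclass(frozen=True)
class Account:
    # Hypothetical flag for the opt-in "shareable links" feature referred to
    # in the post's update; the real setting name is not on the page.
    shareable_links_enabled: bool = False


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies beneath it ("/Publicity/x" does not)."""
    return path == root or path.startswith(root + "/")


def can_create_share_link(account: Account, path: str) -> bool:
    """Server-side policy: a direct download link may be created only for
    files under Public/Photos, or for anything once the account has opted in.
    The path is normalised first so "/Public/../Documents/x" is judged as
    "/Documents/x" rather than as something under /Public."""
    clean = normpath("/" + path.lstrip("/"))
    if any(_under(clean, root) for root in PUBLIC_ROOTS):
        return True
    return account.shareable_links_enabled


def handle_share_request(account: Account, path: str, client: str) -> dict:
    """What the API behind every client should do: apply the same policy
    whether the request came from the website or the Android app, and record
    the client only for auditing.  The flaw in the post was that the Android
    app got a different answer than the website for the same file."""
    allowed = can_create_share_link(account, path)
    return {"client": client, "path": path, "allowed": allowed,
            "reason": "allowed by policy" if allowed else "private file, sharing not enabled"}


if __name__ == "__main__":
    acct = Account()  # constructed sample account with the feature not enabled
    for client in ("web", "android"):
        print(handle_share_request(acct, "/Documents/private.pdf", client))
```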



  • S

    If I post pictures to a public link in Dropbox via Facebook, can I see who’s viewed my photos?

  • Keith

    Thru has an enterprise dropbox that can replace insecure consumer Dropbox accounts with something that the end users will love and find very convenient.

    My company uses it and it’s great.


  • J


    OMG that happened to me too! And I use Dropbox for a class in University! I was so embarrassed because I hadn’t noticed it had uploaded all my 1000 photos and I quickly deleted them from Dropbox. I am also wondering the same as you.


  • Martino

    I addressed the Legal dept of Dropbox, since this is indeed bizarre! I’m afraid the problem lies within the automatic iPhone camera upload or so.
    Problem is I cannot see it anymore, as my friend immediately removed Dropbox from all of his devices…

  • @Martino:
    Mr, how can it be? It doesn’t seem reasonable. Where did you drop your photos? In what folder? Did you share it with anybody?
    People can’t get to your files without an invitation, and even if you make a “Shared Link” it can only be viewed with the direct link address and can’t be traced or googled.

  • Martino

    PJ, I had the same. And a friend of mine who also has Dropbox called today to warn me that he saw all kinds of PRIVATE photos of me when he logged into his Dropbox account!!! I do not share any of the pics, but he also had access to private photos of colleagues! So there seems to be a big privacy issue and I’m afraid people could see your pics.

  • PJ


    It’s slightly off topic, I know, and apologies for this, but I have a question.

    I hadn’t noticed my mobile was synced to Dropbox, and was automatically uploading every photo I took, including some I didn’t particularly want to share (Nothing exciting. Just garbage really).

    When I noticed, I deleted the photos I didn’t want and adjusted the settings on my mobile.

    I am wondering though whether anyone would have had access to the photos I didn’t want to share?

    FYI they were uploaded to a folder called Mobile Uploads.

    Thanks, and apologies again for the noob question.

  • It seems most of the discussion around Dropbox security is about the free or Pro version of the product, which isn’t meant to be used for sensitive files. Their Teams for Dropbox version has the additional security features that most folks are looking for. But even with this, there are some data processes that should be used only with MFT solutions. If you need help understanding where MFT should be used, take a look at the following article. http://www.goanywheremft.com/resource-center/white-papers

  • See how Thru compares to some other kinds of file transfer methods here:

  • Yes, this is not a safe avenue, especially for businesses. Thru has been doing managed file transfers and dropbox for the enterprise for 10 years without a single security breach. They are a much better choice for the security-conscious.

  • TSky

    Consumer dropbox solutions are convenient but lack necessary security for businesses and enterprises. Michael Osterman, President of Osterman Research, discusses this topic.

  • nxb3942

    Dropbox Enterprise File Transfer from Thru is the secure solution for businesses and enterprises. Their solutions have been working for large businesses for ten years without a single security breach.

  • kidinchina

    It seems to me that this is more of a flaw in the Android program for Dropbox rather than a security flaw, as this option should be disabled in the Android app if you have it disabled on your account. Also, I don’t see it as much of a security issue since you have to create the link before anyone can use it.

  • newJason

    When I signed up for Dropbox I remember reading that you can generate a link to any file in any Dropbox folder and send it to someone who can then download that file via that link. It is a way to share files with people who don’t use Dropbox. My mom does not have Dropbox, so let’s say that I want to share a video file with my mom, but keep it private from everyone else. I put the video in my private folder and generate a link for her, so only she can download it, as opposed to putting it into a public folder where anyone can get it. I think that is a great feature. Your article title scared me a little because I love Dropbox, but I feel the feature you are talking about is normal behavior, at least that is how I see it. If you don’t share, don’t generate any links to share and problem solved. =)

  • Tiddles

    Miki said we should “accuse” him.
    I agree, I accuse him of making an incorrect posting.
    Let the jury decide!

  • Jim Van Damme

    Pretty good article on Windows Secrets today concerning Dropbox.

    And as usual, I go to wikipedia for a chart to help pick an online backup service:
    I use Linux and sometimes Windows, so I need a cross-platform service (Ubuntu One, Spideroak, Dropbox).
    Sure, there are uses for thumb drives, but there are uses for the cloud too. Sometimes you need to share with others, sometimes you back up, sometimes you need to sneakernet across the room, sometimes you can’t get on the net and you need a thumb drive in your pocket.

  • I never liked Dropbox anyway. I DO like ZumoDrive. See it as a free online USB drive… Secure cloud, if only by obscurity – and Zumo really is the most convenient program out there…

    Get it here? https://www.zumodrive.com/referrals/dir/23JMGM4Mm

    Greetz Chi.

  • Emrys

    I quit some time ago. Just get a thumb drive and encrypt it. Never mind the clouds.

  • Ashraf

    @miky: Your comment would make sense if I had the shareable model feature enabled on my account. I don’t, so I shouldn’t be allowed to do this.

  • Accuse me, it’s not new at all, this feature is old. It’s called: “shareable link”
    The feature is a little bit hidden but here you have an explanation on it:

    Good day