In a blog post early Tuesday morning, Dropbox revealed a vulnerability with its shared links. The popular cloud storage company said that shared links to some documents could be unintentionally revealed to “unintended recipients.” Thankfully, Dropbox says it doesn’t think the vulnerability has been exploited, and it has already been addressed.
Here’s how it works:
When you visit any link on the web, the website you visit is able to see where you came from using what is called a Referer header (the HTTP header really is spelled with one "r"). So if you visit amazon.com from a link on twitter.com, the Referer header will let Amazon know that you came from Twitter.
This affects shared links to documents on Dropbox because if someone visited a website from a hyperlink inside a shared document, that website was able to see the URL of the shared document in the Referer header.
Typically, the URL of a shared link to a document on Dropbox is a long string of random characters, which effectively makes the document private to those who have been given the shared link. But in the case of this vulnerability, websites visited from clicks within a shared document were able to see the full private URL for the shared document in the referer header.
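To make the leak concrete, here is an added Python model (not Dropbox's code, and the shared-link URL and target sites in it are constructed) of how a browser derives the Referer header for a link click under each value of the standard Referrer-Policy. The legacy browser default, no-referrer-when-downgrade, sends the full URL of the page, secret token included, to any HTTPS destination, which is exactly the behaviour described above; policies such as strict-origin-when-cross-origin or no-referrer, which a site can set via a Referrer-Policy header or rel="noreferrer" on links, reduce the value to the origin or drop it entirely.

```python
"""Model of the Referer header a browser sends when a link on a shared-document
page is followed, and whether the secret part of the page URL leaks.

Added example, not Dropbox's code. URLs and the token are constructed."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed: a shared-document URL whose path carries a random secret token.
SHARED_DOC_URL = "https://share.example.com/s/Xy7kQ9pL2mN4/report.pdf"
SECRET_TOKEN = "Xy7kQ9pL2mN4"

# All policy names defined by the Referrer-Policy specification.
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def referer_for(document_url: str, target_url: str, policy: str) -> Optional[str]:
    """Return the Referer value a browser sends when a link on document_url
    pointing at target_url is followed under the given Referrer-Policy.
    None means no Referer header is sent at all."""
    src, dst = urlsplit(document_url), urlsplit(target_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    # A "downgrade" is navigating from an HTTPS page to a plain-HTTP target.
    downgrade = src.scheme == "https" and dst.scheme == "http"
    # Browsers never send the fragment (#...) in Referer, but do send the path
    # and query, which is where a shared-link token lives.
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin = f"{src.scheme}://{src.netloc}/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":      # legacy browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def leaks_secret(document_url: str, target_url: str, policy: str, secret: str) -> bool:
    """True if following the link would hand the secret token to target_url."""
    ref = referer_for(document_url, target_url, policy)
    return ref is not None and secret in ref


def leaking_policies(document_url: str, target_url: str, secret: str) -> list:
    """List the policies under which a click to target_url leaks the token."""
    return [p for p in POLICIES if leaks_secret(document_url, target_url, p, secret)]


if __name__ == "__main__":
    # Constructed third-party site linked from inside the shared document.
    target = "https://vendor.example.net/pricing"
    for p in POLICIES:
        print(f"{p:32} -> {referer_for(SHARED_DOC_URL, target, p)}")
    print("leaking policies:", leaking_policies(SHARED_DOC_URL, target, SECRET_TOKEN))
```

The check that matters for a defender is `leaking_policies`: for a cross-origin HTTPS link it returns only no-referrer-when-downgrade and unsafe-url, so serving shared-document pages with a stricter Referrer-Policy (or rewriting outbound links with rel="noreferrer") removes this class of leak regardless of the browser's default.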
Dropbox says it has already patched the vulnerability and has disabled any shared links that are affected. It will restore these links once it determines they are safe; in the meantime, users can re-create shared links for any documents whose links were disabled. Because the fix is in place, newly created shared links are not affected.
Dropbox for Business customers were not affected if they restricted access to shared links to only their team members.