Wednesday, 9 June 2010

Dropbox Security Problem - Data Leakage

Dropbox has an issue with the way it handles link sharing that could potentially lead to data leakage.

The problem is fourfold:
  • Files outside of the Public folder can be shared
  • Shared files leak data about the file structure
  • Deleting and replacing the shared file with another allows the new file to be leaked
  • Shared files can’t be revoked

This security problem is demonstrated below.

First of all I start by creating a file called ‘PrivateFiles’ in the ‘My Dropbox’ folder. I’m going to use this to store my most private of data.

Inside that folder I’ll store ‘MyPrivateFile.txt’:
As you can see, it has some very personal data in it:

I’ve got to use my iPad for the next step, because the PC or Mac client won’t let me share a file from anything other than the Public folder (in fact I’m not sure if allowing sharing from other than the Public folder on the iPad is an oversight or not – regardless, this is the first security concern – the sharing of files from outside of the Public folder on the iPad when other clients won’t let you).

So when I look at my iPad I see the PrivateFiles folder:


And inside that I can see MyPrivateFile.txt, including the correct contents of that file:

Next, I’ll share the file by emailing a link of it:

The link that is sent is actually a short link – in this case http://db.tt/GdBSei, which redirects to http://dl.dropbox.com/0/view/1xldjhg9mbrt95s/PrivateFiles/MyPrivateFile.txt

This demonstrates the next data leakage problem – i.e. that I can see the path ‘PrivateFiles’ – I didn’t choose to share this, I only chose to share the file – this path may not be something you wish to reveal.'

The major problem happens for me after I create new file in the same directory, in this case ‘AnotherFile.txt’…


Then delete the original file…

And now rename the second file to have the same name as the original.

Note that copying a replacement file into the directory will also work, all that matters is there be a file there with the same name as the original. Now when I open the file using the link I was emailed before I get:

I get the replacement file!! Is that what anyone expects to happen? I guess I did share a link to the file, not a copy of the file, but it still doesn’t feel right – it’s not the original file!!

What makes this problem worse is that Dropbox won’t allow me to revoke shared links. That means that I’ve now published a permanent copy of whatever file ends up sitting in that folder with that name. What if it is something like resume.doc where I don’t want people to see me editing the file? Or what if it is temp.zip? Whatever it is – it is now permanently out there, permanently shared for anyone to access – no dropbox account required to access it!

Anyone want to try running through filename combinations for that db.tt domain? You don’t need to have had it shared with you as no authentication is required, you just need to hit the right URL!


5 comments:

Mr. Shiney said...

The inability to revoke public links is a big problem. I'd love to see DB comment on it. Did you report this as a problem to DB support?

rani said...

I have been checking out 'cloud storage'and large file transfer options recently, and I was interested in dropbox before you pointed this out. Although it would be a nuisance, I wonder if the way to deal with this is to create a new folder each time you want to send a file, transfer that file to the new folder,send from there, then delete the folder.
I have also been checking out ZumoDrive. I wonder if they are any better? Is any cloud storage any better with regard to the issue you pointed out?

Adam said...

I've not tried ZumoDrive, but I'd be interested to know what you find out.

Blob said...

If you want to give SpiderOak a try (better security and more free space than dropbox) use this referral code:


https://spideroak.com/download/referral/317a29ed47a76995ce1dc5c5441b214a


It will give both of us an extra gigabyte of space for free.

nxb3942 said...

http://thruinc.com has a solution for dropbox and large file transfers that is built for enterprises. You might want to take a look at them.

Recent Geocaching Logs

Stuff I"ve read lately