Users of Dropbox and Box cloud services have been warned that generating links to share information with others can put sensitive data at risk through several basic flaws.
Dropbox has already suspended this function while it rushes to fix the issue while Box is investigating to see if its customers have been affected.
Despite the security panic this has caused US giant General Electric (GE) has since signed a huge 300,000 deal with Box to use its services across some 170 countries, with CIO of GE, Jamie Miller, claiming it would provide many benefits.
The flaws relate to links that users of the services can generate to share a document with a trusted source. The issues were uncovered by a rival of the two firms, Intralinks, during some research into a Google Adword campaign it was running.
During this work, Intralinks uncovered simple ways in which the links were easily accessible and allowed the documents that had supposedly only been shared between trusted sources, to be viewed by third parties.
The firm was able to access reams of sensitive data in this manner such as tax returns, bank records, mortgage applications, blueprints and business plans.
The flaw worked in two ways. Firstly, if the document contained a link within the text to a website, such as Intralinks, the referral data for that website would store the link of the document. This could then be clicked on, and the entire document would be visible.
Secondly, if a user put the link for the shared file in a search engine, rather than the URL bar, then the Google AdWords campaign Intralinks had running would gather this as a relevant search term, again making the document accessible.
John Landy, the chief security officer at Intralinks, wrote in a blog post that the flaw was a “disturbing privacy problem” and said web users should be wary of free storage services.
“To be clear, we gained access to files because users of file-sharing applications often aren’t taking simple precautions to safeguard their data. When used this way, all file sharing apps are potentially vulnerable,” he wrote.
“When using file-sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place."
In response to the issue, Dropbox said in a blog post that it has fixed the problem for any links now created, but that existing links shared in this manner have been disabled, which it acknowledged was not an ideal scenario.
"For all shared links created going forward, we’ve patched the vulnerability. For previously shared links to such documents, we’ve disabled access entirely until further notice," Dropbox said.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments.
Meanwhile Box told V3 it had not seen any direct fallout from the issues raised by Intralinks, but was reassessing its services as a result.
“We haven't noticed any abuse of Box open links, including by referrer headers, but are exploring ways to limit any exposure. We recommend customers use our broad array of permissions settings to mitigate any potential issues," it said.
“Secure content sharing is core to Box, and we've invested a lot of energy in our security model around shared links."
Box added that it does warn users of the risks of sharing content via links when this option is selected, and it has tools in place to mitigate against such risks such as password-protected documents or expiration dates on documents that are shared.
"In addition, company admins can ensure organisation-wide secure sharing by setting shared link defaults to company-only or collaborator-only (people in the same shared folder),” it said.
Intralinks' Landy said firms should make sure employees are fully trained on which services are safe for corporate use and how to keep data secure.
“The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured."
The cost of data breaches was revealed by government research to be as high as £1.15m per incident, as firms face numerous threats to their data.
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.