Users of cloud storage services such as Drop Box and Box are inadvertently leaking tax returns, mortgage applications, bank information and personal photos online.
According to the International Business Times, the revelation has come from cloud storage company Intralinks, which has discovered that a flaw in the sharing system employed by Dropbox and Box means that links shared with specific people are easily accessible by third-parties.
Drop Box has said in a blog post that it has taken steps to address the issue and is unaware of any abuse due to the vulnerability. The post also said that users don't need to take any further action.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We'll continue working hard to make sure your stuff is safe and keep you updated on any new developments."
It admitted that "shared links to documents can be inadvertently disclosed to unintended recipients" in the following scenario: A user shares a link to a document that contains a hyperlink to a third-party website; the user, or an authorised recipient of the link, clicks on a hyperlink in the document; at that point, the referrer header discloses the original shared link to the third-party website or someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
According to the BBC, security researcher Graham Cluley said identity thieves could use the method to "scoop up" data.
"I think these services need to be more upfront with warnings," he said.
However he added that the problem was not a security flaw as such, but instead an unexpected consequence of user behaviour.
Continues on next page>>