cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Create, upload, and share

Find help to solve issues with creating, uploading, and sharing files and folders in Dropbox. Get support and advice from the Dropbox Community.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Security of Dropbox links

Labels:

Security of Dropbox links

tchambers
Helpful | Level 6
‎09-03-2020 04:46 PM
Go to solution

It occurred to me today when I Ducksearched to find a public Dropbox link https://www.dropbox.com/s/br7d9jigsldnvjy/ [1] that Dropbox appears to be practicing Security Through Obscurity. What prevents brute-force attacks from guessing the br7d9jigsldnvjy part of the URL to find any shared file from anyone?

 

Labels:
  • 0 Likes
  • 9 Replies
  • 4,915 Views
0 Likes
1 Accepted Solution

Accepted Solutions

tchambers
Helpful | Level 6
‎09-04-2020 09:19 AM
Go to solution

Thank you for pointing me in the right direction, Daphne. I studied more and experimented, and now I understand. I was already aware of the security features available when sharing with individuals and groups. I did not understand in particular how "Copy Dropbox link" in Windows Explorer worked. The Shared > Links tab is what concerns me. People may not understand that when they share either a file or a folder via link, they are relying on Security Through Obscurity. Bad actors can brute force guess these links. It would be nice if Dropbox reassured us that they detect malicious patterns and block requesters. At least that would slow down brute force attacks. I sleep better knowing I can simply delete the link in the web app. If I want to re-share the file or folder I can create a new link.

 

Therefore, with prudence, share-by-link is a convenient feature. Not a problem if the content is not sensitive. However, if one needs a long-term link to a file or folder that contains sensitive information, it is advisable to share with explicit users or groups instead. If for some reason that is not convenient, one should periodically make a new copy of the shared folder or file and should overwrite the existing content accessible from the shared link with a generic message such as, "The link to this content has expired. Reach out to the person who shared this link with you and ask them for a new link." Otherwise one may not sleep well at night trusting one's content will not be discovered with a brute force attack.

View solution in original post

0 Likes
9 Replies 9

Daphne
Dropbox Staff
‎09-03-2020 11:37 PM
Go to solution

Hey @tchambers, thanks for posting!

 

Additional security can be added to shared links by changing the settings and permissions of the links. You can check out more info about this here.

 

For example, a password can be added to a shared link and Business teams can restrict access to only team members.

 

I hope this info helps, let me know if you have any questions!

Daphne
Community Moderator @ Dropbox
dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
:arrows_counterclockwise: Still stuck? Ask me a question!
:pushpin: Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

0 Likes

tchambers
Helpful | Level 6
‎09-04-2020 09:19 AM
Go to solution

Thank you for pointing me in the right direction, Daphne. I studied more and experimented, and now I understand. I was already aware of the security features available when sharing with individuals and groups. I did not understand in particular how "Copy Dropbox link" in Windows Explorer worked. The Shared > Links tab is what concerns me. People may not understand that when they share either a file or a folder via link, they are relying on Security Through Obscurity. Bad actors can brute force guess these links. It would be nice if Dropbox reassured us that they detect malicious patterns and block requesters. At least that would slow down brute force attacks. I sleep better knowing I can simply delete the link in the web app. If I want to re-share the file or folder I can create a new link.

 

Therefore, with prudence, share-by-link is a convenient feature. Not a problem if the content is not sensitive. However, if one needs a long-term link to a file or folder that contains sensitive information, it is advisable to share with explicit users or groups instead. If for some reason that is not convenient, one should periodically make a new copy of the shared folder or file and should overwrite the existing content accessible from the shared link with a generic message such as, "The link to this content has expired. Reach out to the person who shared this link with you and ask them for a new link." Otherwise one may not sleep well at night trusting one's content will not be discovered with a brute force attack.

0 Likes

Lusil
Dropbox Staff
‎09-11-2020 07:35 AM
Go to solution

Thanks for the additional information, @tchambers. We really appreciate you notifying us about this.

 

Could you also follow the process outlined on this article to report this to us officially?

 

You can also have a look through this blog post for more details on our program.

 

In the meantime, if anything else comes up, don't hesitate to get back to us. Thanks again

Lusil
Community Moderator @ Dropbox
dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
:arrows_counterclockwise: Still stuck? Ask me a question!
:pushpin: Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

tchambers
Helpful | Level 6
‎09-16-2020 10:02 AM
Go to solution

The task of submitting a formal vulnerability report looks like a non-trivial effort, @Lusil. STO is a basic principle, and I am surprised Dropbox has not done its own vulnerability assessment that justifies its use of this public link-sharing approach. Anyway, it may be some time before I can concentrate on the task. Do you have an opinion about what level of risk my observation represents to Dropbox's security? That will help me prioritize the task.

0 Likes

Lusil
Dropbox Staff
‎09-24-2020 05:37 AM
Go to solution

I'm afraid I'm not able to determine the level of risk, until one of our security experts is able to review your report in its entirety. 

 

I understand that this may not be the ideal reply you were looking for, but let me know if you have any other questions. 

 

Thanks, @tchambers!

Lusil
Community Moderator @ Dropbox
dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
:arrows_counterclockwise: Still stuck? Ask me a question!
:pushpin: Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

0 Likes

tchambers
Helpful | Level 6
‎09-24-2020 09:36 AM
Go to solution

Fair enough. I'll file a report.

0 Likes

dlcmc
Explorer | Level 4
‎12-09-2020 12:16 PM
Go to solution

Thaank you for this.

0 Likes

tchambers
Helpful | Level 6
‎12-09-2020 01:25 PM
Go to solution

I have not yet filed the report. It is still on my to-do list.

0 Likes

tchambers
Helpful | Level 6
‎04-14-2022 04:16 PM
Go to solution

I finally submitted my report to HackerOne: #1541730 tbcj0414a

0 Likes
Need more support?