cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Tell us what you want to see on the Community here!
Close

Dropbox files & folders

Get in sync with the Dropbox Community. Our members can answer all your questions on Dropbox files and folders. Join a discussion or start your own today.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why can someone download a file from my account without logging in?

Highlighted

Why can someone download a file from my account without logging in?

Explorer | Level 3

Hi, 

I'm working on a Mac OS High Sierra 10.13.6. I downloaded a file (.docx) from my web dropbox. When I get the finder info on my file (cmd-i), tab "more info" displays a web address. I copypasted it in the browser tab, and I got the file dowloaded again. Then I sent it to a colleague, and she downloaded the file from my dropbox without problems too. The system does not ask her a permission. 

Notice that, when I download an attachment from gmail, I can read the address too. But, if I copypaste this address in the browser big G does not allow me to download it.

In my opinion, this is a security problem. If someone get access to the downloaded file, one can copy this link, send it to someone else, publish it in the web etc.

EDIT: I add a screenshot:

Best regardSchermata 2020-07-28 alle 15.33.04.png

8 Replies 8
Highlighted

Re: Potential security problem

Dropboxer

Hi @fgalofaro538, thanks for posting on the Community!

 

Was this file located in a shared folder that the other user was a member of, or was there a shared link to the file available for anyone?

 

Can you try the same for a file located in the root folder, without any shared links on it?

 

Keep me posted!


Jay
Community Moderator @ Dropbox
https://dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
Still stuck? Ask me a question!
Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

Highlighted

Re: Potential security problem

Explorer | Level 3

Dear Jay, thank you for the reply. The dropbox folder where the file is located is not shared with anyone. After the download, I simply copypasted the link from the finder info of the file (see the picture above) and I sent it to my colleague via mail. I did it only to test if it would work and .. it works. The problem is that Mac OS keeps trace of the address of the download even if the latter is not displayed in the browser's address field. 

I also compared the link displayed by the finder info to the link I can get from dropbox to share the file, and it turns out that they are different.

Highlighted

Re: Potential security problem

Explorer | Level 3

By the way. Provided that Mac Os can see and save the link which allows everyone to download the file only copying it in the address bar of the browser, could something else do the same? E.g. a trojan, a man-in-the-middle-attack?

Highlighted

Re: Potential security problem

Explorer | Level 3

Sorry, I missed your request on the root folder. I uploaded a different file (.pdf) in the root folder, and I downloaded it. I got the link as usual (cmd-i) and i pasted it in the address bar of the browser, and it did the trick again.

Highlighted

Re: Potential security problem

Dropboxer

When you opened the URL in the browser, were you currently signed into your Dropbox account? If so, try logging out, or use and incognito/private browsing window, and let me know if you get the same behavior. Thanks!


Jay
Community Moderator @ Dropbox
https://dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
Still stuck? Ask me a question!
Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

Highlighted

Re: Potential security problem

Explorer | Level 3

Dear Jay,

when my colleague opened the file, she was not logged in with my account in dropbox. She has a dropbox account, but she uses the desktop app, so she was not logged in with her account to the browser. I tried with the incognito window, as you suggested, and I downloaded the file without problems.

I have more news. I have been able to reproduce the same behaviour with a different OS, this time the Chrome OS of my laptop. If I open the download windows of the browser, I can see the address from which I downloaded the file (see screenshot). Now, If I right-click on it, I can "copy link address" and paste it in the browser tab, and it will download the file. Please note that this will not work if I simply highlight the address and copy with ctrl-c, since this way the resulting address is different and I get a 404 not-found. Instead, with the right-click method, I can also paste the working address into a mail and send it to a different person who will be able to download the file without being logged in (I opened it with firefox-ubuntu).

I hope all this can be useful to you.

 

Screenshot 2020-08-05 at 14.32.50.png

 

Highlighted

Re: Potential security problem

Dropboxer

Thanks for the info, would it be okay if I reach out to your email associated with the forum profile in order to investigate this matter further?


Jay
Community Moderator @ Dropbox
https://dropbox.com/support


Heart Did this post help you? If so, please give it a Like below.
Still stuck? Ask me a question!
Tips & Tricks Find new ways to stay in flow or share your tips on how you work smarter with Dropbox.

Highlighted

Re: Potential security problem

Explorer | Level 3

Of course! I did another test and the same problem recurs with firefox on ubuntu ... 

Work Smarter with Dropbox

The way we work is changing. Share and discover new ways to work smarter with Dropbox in our community.

Sound good? Let's get started.
Who's talking

Top contributors to this post

What do Dropbox user levels mean?
Need more support?