Having just written a newsletter article about the security implications of using Cloud services such as DropBox for business, I was interested to receive an email from DropBox telling me they have disabled some links in my DropBox files for my own good. The detail is in the DropBox Blog (their optimistic slant), but in summary this is what the problem is:
If you have a web link to an external website in a document stored in you DropBox folder, and one of the members of your group clicks on it, the external website gets a record of the exact location of the source document.
This is not new – the origin of any visitor to a website has always been visible via the referrer header. Web masters use it to analyse traffic to their site, Google uses it to prove their add was the source of a click through so they can charge for ad words. So: I click on a link in a DropBox stored document, and my origin is logged in the referrer header so the destination site knows where I came from. What’s the big deal? This has always been the case? No new vulnerability here?
Think again: according to DropBox, that record in the referrer header provides direct access back to the original document. In other words, if you know the full address, you can get unauthorised access to DropBox files. Quoting DropBox own Blog:
“Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.”
This security model has holes big enough to drive a truck through: this particular method is known as Security by Obscurity. It means the only safeguard you have for your documents is the assumption that nobody knows the full address – so of course, nobody could work it out or guess!
So I have to repeat myself: Cloud services can be very handy, but you need to know what risks you are running when you put your trust, and your company data in the hands of services that are not in your control.