
Dropbox is one of the most famous cloud storage and sharing platforms.

Dropproxy's website claims that there is a weakness in Dropbox's security:

Lots of people use Dropbox. Lots of people share public Dropbox links. But not everyone knows that you can be identified by your public links and not everyone knows that once someone has one of your public links, they can access all files in your public folder.

Can people escalate from accessing one file to all public files?

Treko
  • Note that public folders have been deprecated and accounts created after Oct 2012 don't have one anymore by default. https://www.dropbox.com/en/help/16 – kapex May 09 '15 at 18:51
  • Isn't something in a "public" folder *supposed* to be accessible to everyone? That's the definition of "public". – David Richerby May 09 '15 at 20:36
  • @David: regardless of linguistic arguments what "public" *should* mean, accessing the other files in the public folder from a link to one of them is neither easy nor impossible. This screams security issue: if it was intended to happen then the person doing it shouldn't have to guess the filename, and if it was intended not to happen then they should have to guess something effectively impossible (a random nonce). This leaves the user bemused as to whether "public" is really public or not. – Steve Jessop May 10 '15 at 14:40
  • @SteveJessop The public folder really just behaves like a web host for static files. You can even host simple websites and media this way. If you use a real webhost, you usually don't have any automatic directory listing either (unless you enable it). And no one screams security issue because you can guess file names on a webserver. I'd say it's simply a misunderstanding/communication issue what the public folder is meant for and how it works. – kapex May 10 '15 at 17:52
  • @kapep: sure, the issue is only that it's unclear to users what's going on, so it can be solved if Dropbox can find a way to tell them. I think people do scream security issue from time to time over URL-guessing, in cases where someone has wrongly assumed that files are only accessible when linked to. If you have pages that aren't linked from the rest of your site (a dir listing or otherwise) because you don't want them found, and they get found, that's a problem, albeit one of your own making because you "should know how it all works". – Steve Jessop May 11 '15 at 01:52

1 Answer

They're sort of correct. Let me explain.

In Dropbox, there are two ways to share files. Sharing a link to a file from any folder will generate a link in the following form: https://www.dropbox.com/s/randomkey/filename Anyone can access the file you posted with that link. However, each time a file is shared like that, a new random key is generated and associated with that file. Other files cannot be accessed using that key.

However, there is also the "Public" folder in Dropbox. Files shared from this folder generate links differently, in the form: https://dl.dropboxusercontent.com/u/userid/filename In this form, any file from your public folder can be accessed, because your user ID will not change. Someone would have to know the filename of what they're retrieving if they're accessing a file you did provide a link to, but it is a public folder.

Thus, they're sort of correct, but it's not really a security flaw because you're declaring the files as public anyways. No files are public unless you place them in your public folder, declaring them as so.

RoraΖ
goof
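As an added example (not code from the answer above or from Dropbox), the following Python script classifies Dropbox links by the two shapes the answer describes and reports public-folder links as findings, because those expose the stable user id rather than a per-file random key. The URL patterns, the sample text and the ids in it are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Link shapes as described in the answer (patterns assumed, not a Dropbox spec):
#   per-file share: https://www.dropbox.com/s/<randomkey>/<filename>
#   public folder:  https://dl.dropboxusercontent.com/u/<userid>/<filename>
PER_FILE_RE = re.compile(r"^/s/(?P<key>[A-Za-z0-9]+)/(?P<name>[^/]+)$")
PUBLIC_RE = re.compile(r"^/u/(?P<uid>\d+)/(?P<name>[^/]+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_link(url):
    """Describe what a single Dropbox link reveals to whoever holds it."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host in ("www.dropbox.com", "dropbox.com"):
        m = PER_FILE_RE.match(parts.path)
        if m:
            # The random key is bound to one file; it unlocks nothing else.
            return {"kind": "per-file", "secret": m.group("key"),
                    "filename": m.group("name"), "exposes_folder": False}
    if host == "dl.dropboxusercontent.com":
        m = PUBLIC_RE.match(parts.path)
        if m:
            # The only "secret" is the stable user id, so the rest of the
            # Public folder is reachable by anyone who knows a filename.
            return {"kind": "public-folder", "user_id": m.group("uid"),
                    "filename": m.group("name"), "exposes_folder": True}
    return {"kind": "unknown", "exposes_folder": False}


def audit_text(text):
    """Scan free text (wiki page, chat export, ticket) for Dropbox links and
    return the public-folder ones as findings to migrate to per-file links."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        info = classify_link(url)
        if info["exposes_folder"]:
            findings.append({"url": url, "user_id": info["user_id"],
                             "filename": info["filename"]})
    return findings


# Constructed sample text; the key, user id and filenames are made up.
SAMPLE = (
    "Slides: https://www.dropbox.com/s/9f2k1zq8x/slides.pdf and the raw "
    "export is at https://dl.dropboxusercontent.com/u/12345678/export.csv."
)

if __name__ == "__main__":
    for f in audit_text(SAMPLE):
        print(f"public-folder link exposes user id {f['user_id']}: {f['url']}")
```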
  • Nice answer. What would you do? Would you use Dropproxy or stick with Dropbox? – Treko May 11 '15 at 06:25
  • I use Dropbox and frequently use it as a way to share files with others, and I personally see no reason to use Dropproxy. The service it provides is just an anonymizing wrapper around a public link. You can get the same amount of protection by just not using the public folder, and sharing file links from any other folder. Along with that, I would recommend you be wary of the data you're putting in Dropbox. By nature, data on "the cloud" is more vulnerable to theft than data elsewhere, so it is a risk putting sensitive data up there regardless of how secure the link scheme is. – goof May 11 '15 at 13:08
  • Can always encrypt files one puts in Dropbox. – gerrit May 19 '15 at 09:31