Ha. From the “Shoulda seen this one coming” department: sharing a file with another person (via Dropbox, Box, or any other hosting service) may not be as private as you think. Sure, you may have a completely random URL that nobody else will be able to guess. And, sure, you may rightfully trust the people with whom you share the link not to pass it on to anyone else. But if the file you’ve shared contains a link to a third-party site, watch out!

Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

  • A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
  • The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
  • At that point the browser sends the URL of the page the user was viewing, i.e. the secret shared link, in the Referer header of the request to the third-party website.
  • Anyone who can read that header, such as the webmaster of the third-party website or whoever reads its access logs, can then open the shared document.
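The four steps above are easy to model end to end. The JavaScript below is an added example, not code from the original post or from Dropbox: it reproduces what a browser puts in the Referer header for an outbound click from a document page under each Referrer Policy value (a simplified rendering of the W3C Referrer Policy rules), and then shows what the third-party webmaster actually sees by scanning a few constructed access-log lines for leaked share links. The share URL, the log lines and the `/s/<token>/<filename>` link shape are all constructed for the example; the classic default policy, no-referrer-when-downgrade, is the one that leaks the full link, and current browsers default to strict-origin-when-cross-origin, which only sends the origin.

```javascript
// Constructed share link for the example (not a real file).
const SHARE_URL = "https://www.dropbox.com/s/a1b2c3d4e5f6g7h/quarterly-report.pdf";

// A Referer never carries credentials or the fragment; everything else goes.
function stripForReferer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.toString();
}

function originOf(url) { return new URL(url).origin + "/"; }
function isSecure(url) { return new URL(url).protocol === "https:"; }
function sameOrigin(a, b) { return new URL(a).origin === new URL(b).origin; }

// What the browser sends as Referer when a link on documentUrl pointing at
// targetUrl is clicked under the given policy. null means "no Referer header".
// Simplified from the W3C Referrer Policy algorithm.
function refererFor(documentUrl, targetUrl, policy = "no-referrer-when-downgrade") {
  const downgrade = isSecure(documentUrl) && !isSecure(targetUrl);
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return stripForReferer(documentUrl);
    case "origin":
      return originOf(documentUrl);
    case "same-origin":
      return sameOrigin(documentUrl, targetUrl) ? stripForReferer(documentUrl) : null;
    case "strict-origin":
      return downgrade ? null : originOf(documentUrl);
    case "origin-when-cross-origin":
      return sameOrigin(documentUrl, targetUrl) ? stripForReferer(documentUrl) : originOf(documentUrl);
    case "no-referrer-when-downgrade":          // the classic default: full URL leaks
      return downgrade ? null : stripForReferer(documentUrl);
    case "strict-origin-when-cross-origin":     // current browser default
      if (sameOrigin(documentUrl, targetUrl)) return stripForReferer(documentUrl);
      return downgrade ? null : originOf(documentUrl);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// True when the Referer the third party receives is enough to open the document.
function leaksShareLink(referer, shareUrl) {
  return referer !== null && referer === stripForReferer(shareUrl);
}

// Share-link shape assumed for this example: https://www.dropbox.com/s/<token>/<filename>
const SHARE_LINK_RE = /^https:\/\/(?:www\.)?dropbox\.com\/s\/[A-Za-z0-9]+\/[^\s"?#]+/;

// The third-party webmaster's view: pull share links out of Referer fields in
// combined-format access log lines.
function findLeakedShareLinks(accessLog) {
  const found = [];
  for (const line of accessLog.split("\n")) {
    // ... "GET /path HTTP/1.1" 200 1234 "<referer>" "<user-agent>"
    const m = line.match(/" \d{3} \S+ "([^"]*)" "[^"]*"$/);
    if (!m) continue;
    if (SHARE_LINK_RE.test(m[1])) found.push(m[1]);
  }
  return found;
}

// Constructed log lines: one direct visit, one click from the leaked document
// under the classic default, one click after the service switched to an
// origin-only policy, and one ordinary search-engine referral.
const SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [10/May/2014:12:00:00 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/May/2014:12:00:07 +0000] "GET /pricing HTTP/1.1" 200 5120 "' + SHARE_URL + '" "Mozilla/5.0"',
  '198.51.100.9 - - [10/May/2014:12:03:41 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://www.dropbox.com/" "Mozilla/5.0"',
  '198.51.100.9 - - [10/May/2014:12:05:02 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"',
].join("\n");

const TARGET = "https://example.com/pricing";
for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  const r = refererFor(SHARE_URL, TARGET, policy);
  console.log(policy.padEnd(32), r === null ? "(no Referer)" : r, leaksShareLink(r, SHARE_URL) ? "<- leaks" : "");
}
console.log("leaked links in log:", findLeakedShareLinks(SAMPLE_ACCESS_LOG));
```

Under the classic default the webmaster's log line carries the complete share URL, which is the whole problem; with an origin-only policy the same click records nothing more than `https://www.dropbox.com/`, and the log scan finds nothing to exploit.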

This is one of those facepalm moments. Of course this happens. And probably a lot more than we think.

The article (and this related post from Graham Cluley) suggests restricting shared file/folder access to those users listed as “collaborators” for the given sharing service. However, that doesn’t really solve the problem, especially if you need to share the doc with people outside your normal circles, and it does nothing for links that are already out there.

Better would be a way for the sharing service to request a password from the remote user before showing the file. It wouldn’t be perfect, but it’d definitely help. The more direct fix, though, is on the service’s side: keep the secret URL out of the Referer header in the first place, by serving the document viewer with a Referrer-Policy of no-referrer (or at least origin), or by routing outbound links through a redirect page that drops the referrer. A password is defense in depth on top of that; a leaked link is still a leaked link, and the URL itself may already reveal more than you’d like.