I was in Colorado this past week for a conference. During some downtime, I sent one of my speaking partners a couple of links via DropbBox to the updated presentation we are giving for the Louisiana State Bar. He kept telling me none of the links worked. This was because Dropbox disabled all shared links after a security vulnerability were discovered. If you had a document with a hyperlink to a website like optiable.com, that site’s webmaster would be able to see the DropBox link and the document you shared. While researching this security flaw I stumbled across an even bigger one that DropBox will not fix.
Update [5/6/14] — We’re aware of a second issue that’s been reported about shared links. This involves a user entering a shared link into a search engine and the search engine passing that link on to ad partners. This is well known and we don’t consider it a vulnerability. We urge everyone to be careful about providing shared links to third parties like search engines. https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/
And they take that link and paste it into a Browser’s Omnibox:
You have now shared that document with that search engine’s AD Providers.
We were kind of warned about this 2008 when the Omnibox first appeared, but at that time virtually no one was using DropBox to share documents. (DropBox launched in 2008)
DropBox’s Approach to Shared Links is Flawed
This is how you would create a Shared Link in DropBox.
There is no option to password protect or create a link expiration date, which means the person on the receiving end does not have to authenticate (prove via a password that they are the intended recipient) themselves to view the document.
It is going to get a little worse.
Intralinks tells me that it privately informed Dropbox that data was being leaked via the shared link vulnerability in late November 2013. That’s over five months ago.
Thanks for writing in to us.
We don’t believe that this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab.
Graham Cluley, Security Expert – Dropbox told about vulnerability in November 2013, only fixed it when the media showed interest
So, with that sort of mentality, can we really trust DropBox or use it to store and sensitive information?
NetDocuments approach to Shared Links
NetDocuments is an online document management software used by Lawyers, Financial, and other Professional Service Firms.
A link expiration date of 30 days is automatically applied. Without doing anything, that link is going to expire in 30 days so it will not be available forever, unlike DropBox. Unchecking Allow Documents to be downloading will only let the user view the document in a browser. You can also add a password to protect the document in case the link falls into the wrong hands. There is also a full audit trail on a view that document.
Is this really that big a deal?
This is an actual Tax Return that Interlinks found.
And the risk isn’t theoretical. It’s happening right now – exposing tax returns, financial records, mortgage applications and business plans.
Graham Cluley, Security Expert – Dropbox users leak tax returns, mortgage applications and more
Steps to Take to Protect you and your client’s data
Okay, now that we have tried to scare you, let us talk about some practical tips to protect your data.
I going to keep my Client’s Data in DropBox, Box.net, OneDrive, etc
- Never use a Shared Link. If you DropBox Business or Box.net you can disable this feature, regular DropBox users cannot.
- Purchase encryption adds like Viivo or BoxCryptor. If you have to share documents with a client, they will need to download the encryption software as well, but this is an easy process.
I use Worldox as my Document Management Software
- Use the Citrix Share File option to Share Documents, it is built right into the software.
- If you are going to email documents, use the password protect option.
I use NetDocument as my Document Management Software
- Consider removing the Share Links on your Client Cabinet and use only Shared Workspaces. This will force any external user to have a unique username and password to view documents.
- Train your users to use the Password Option if they will use Shared Links.
Lagniappe (a little extra)
Generate a unique password in your client engagement letters. Tell your clients that you will be password protecting all confidential data and this is the password they will use to open the documents. Have a master list of clients and unique passwords so when your firm uses Shared Links, they use that password. DO NOT email the password to the client.