Intralinks has uncovered a particularly disturbing security issue affecting the way many people use file sync and share applications that could put their most sensitive personal information, and potentially the information of their employers, at serious risk. Similar to how many people publicly expose details of themselves, their families and their activities on social media, they are also exposing their most sensitive private information on consumer sync and share applications.
During a routine analysis of Google AdWords and Google Analytics data mentioning competitors’ names (Dropbox and Box), we inadvertently discovered fully clickable URLs that led us to live folder contents, some containing sensitive data. Through these links, we gained access to confidential files including tax returns, bank records, mortgage applications, blueprints and business plans – all highly sensitive information, some perhaps sufficient for identity theft and other crimes.
The most recent U.S. Federal Trade Commission survey on consumer fraud found that more than 10% of adult Americans still fall victim to fraud each year. Another survey by the home security firm Friedland found that 78% of burglars use publicly available social media status updates to gain intelligence on their targets. A third survey by research firm Coleman Parks found that 67% of consumers between the ages of 18 and 35, and 59% of those between 35 and 44, don’t care about online privacy.
And it gets worse. A recent article by the London Evening Standard states that 70% of frauds are now cyber crimes. And according to a Fiberlink survey, more than 50% of people reported uploading sensitive data to cloud services like Dropbox and iCloud.
The evidence is clear: Despite all of the cases of identity theft, burglary and fraud, consumers still readily trade security for convenience or perceived personal gain. For enterprises, this is extremely bad news – because those same consumers are also employees, and many are bringing their consumer-grade sharing and security practices into the enterprise.
We came across this issue completely by accident while running a competitive Google AdWords campaign. Users of file sharing solutions created share links for their files and entered them in the “search” box instead of the URL box in their web browsers, so our campaign collected the data. This was not as unusual as it may sound, and we came across numerous files over the course of a fairly short Google AdWords campaign. We believe it would be relatively easy for others to repeat our results. In the process of confirming how this happened, we subsequently found other issues with some free file sharing applications which make them prone to data loss. As a result, we recommend avoiding some free versions of popular file sharing apps for personal use, and certainly for business use when it comes to sensitive information.
To be clear, we gained access to files because users of file sharing applications often aren’t taking simple precautions to safeguard their data. When used this way, all file sharing apps are potentially vulnerable. When using file sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place. The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured.
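As an added example (not code from Intralinks, Dropbox or Box), the following Python scans AdWords/Analytics-style search-term and referrer records for share links that users pasted into a search box, so a site owner can find and purge such links from their own analytics exports instead of leaving them sitting in reports. The `dropbox.com/s/` and `app.box.com/s/` link shapes and the `field=value` export format are assumptions, and the sample records are constructed.

```python
"""Find consumer share links that ended up in web-analytics data.

Added illustration, not code from any vendor named in the article. The
share-link shapes (dropbox.com/s/<id>/..., app.box.com/s/<id>) and the
simple 'ts=... field=... value=...' export format are assumptions.
"""
import re
from urllib.parse import unquote

# Constructed sample records (not real captured data).
SAMPLE_RECORDS = [
    "ts=2013-11-04T10:02:11Z field=search_term value=dropbox",
    "ts=2013-11-04T10:05:43Z field=search_term value=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123xyz%2Ftax_return_2012.pdf",
    "ts=2013-11-04T10:06:01Z field=referrer value=https://www.google.com/search?q=https%3A%2F%2Fapp.box.com%2Fs%2Fq9w8e7r6t5",
    "ts=2013-11-04T10:09:30Z field=referrer value=https://www.dropbox.com/help/",
]

# Assumed share-link shapes; stop at characters that end a URL inside a query.
SHARE_LINK = re.compile(
    r"https?://(?:www\.dropbox\.com|dropbox\.com|app\.box\.com)/s/[^\s&\"'?#]+",
    re.IGNORECASE,
)

def decode_fully(text, rounds=3):
    """URL-decode until stable: pasted links are often encoded more than once."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def parse_record(record):
    """Split a 'k=v k=v value=...' line; the value keeps any later '=' or spaces."""
    fields = {}
    for token in record.split(" ", 2):
        key, _, val = token.partition("=")
        fields[key] = val
    return fields

def find_share_links(records):
    """Return one finding per share link discovered in the records' values."""
    hits = []
    for record in records:
        fields = parse_record(record)
        text = decode_fully(fields.get("value", ""))
        for match in SHARE_LINK.finditer(text):
            link = match.group(0)
            service = "dropbox" if "dropbox.com" in link.lower() else "box"
            hits.append({"ts": fields.get("ts"), "field": fields.get("field"),
                         "service": service, "link": link})
    return hits

def redact(link):
    """Mask everything after /s/ so a report does not re-leak the link itself."""
    return re.sub(r"/s/.*$", "/s/[redacted]", link)

if __name__ == "__main__":
    for hit in find_share_links(SAMPLE_RECORDS):
        print(hit["ts"], hit["field"], hit["service"], redact(hit["link"]))
```

A real export would be fed in line by line in place of `SAMPLE_RECORDS`; findings should be handled as sensitive data themselves, which is why the report only prints the redacted form.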
How to Protect Your Data from the Sync and Share Issue
Consumer file sync and share applications are used by millions of people to quickly exchange information among friends, family and coworkers. Most users are under the false assumption that the links they share are impossible for others to uncover, even when they fail to set access controls properly. In addition, most are unaware that some free products don’t provide the capability to secure files adequately. Some free systems, including Dropbox, do not support privacy settings. We notified Dropbox about this issue when we first uncovered files, back in November 2013, to give them time to respond and deal with the problem. They sent a short response saying, “we do not believe this is a vulnerability.”
Here are a few simple steps you can take to better protect your data:
- Check your sync and share service to see if it supports privacy settings. When it comes to file sync and share applications, make sure that the product you use supports “privacy” settings, which ensure that only people you specifically invite will be able to access a file. The system should also support authentication, requiring users to identify themselves with a password.
- Set your account to ‘private’ using basic security settings. Most file sync and share applications default to a ‘public’ setting, which means that anyone who has a link to your files can readily access them. This might be convenient if you need to share a non-sensitive file with a lot of people, but we recommend you set your account to ‘private’ by default, and then specifically invite people with whom you want to share.
- If you’ve already shared sensitive files in a public folder, delete them. If you’ve already shared items that are not private, don’t change the status – delete the files and re-upload them in a new, private folder. Changing the folder status from public to private is not a foolproof way to protect files you have already shared.
- Delete old files that you don’t need anymore. Get into the habit of deleting files from your sync and share application once you no longer need them. We found numerous sensitive files that had been uploaded a long time ago, which most likely had been forgotten.
- Never mix work and pleasure – keep business files and personal files in separate accounts. We found a lot of business data in personal account folders. This is a bad idea. If you’re using a consumer-grade system, move your sensitive business data to an application that was set up for business use. Your employer may have rules about storing sensitive information on consumer-grade systems, so you could be in violation of law or contract if you put confidential information on those systems. If something goes wrong and the data leaks, the consequences can be severe: lost reputation, regulatory and legal issues and financial loss. If the data belongs to a customer or partner, data privacy concerns arise too.
Update: Dropbox posted a blog announcing a “web vulnerability that impacted shared links to files containing hyperlinks”, stating that they have taken action overnight against the hyperlink disclosure vulnerability.