It's not dropbox I'm worried about, so much as the fact that a system that has the ability to make public any file at the owners direction, could be potentially exploited to make public any file without the owners direction.
Are non-public files now accessible to third parties who have the correct url? Is there code that maps encoded url's to every file in my dropbox? If so, this is a security vulnerability that is not present currently.
I don't see this happening - each file on Dropbox must have an ACL of sorts, otherwise I could access any private file simply by knowing its URL. A takedown of a public file could therefore only apply to specific users by modifying the ACL.
It's a public link... I'm not sure how you want to go about fixing this. If you share with other dropbox users it forces them to have accounts and give you access control.
What you created was a public link. Not sure what you're wanting them to do. At least you can't access other files in the PrivateFiles folder by simply modifying the end of the URL. Now that, I might actually consider a "leak".
Consent to Access Your Files
BY UTILIZING THE SITE, CONTENT, FILES AND/OR SERVICES,
YOU CONSENT TO ALLOW DROPBOX TO ACCESS YOUR COMPUTER
TO ACCESS ANY FILES THAT ARE PLACED IN THE 'MY DROPBOX',
'DROPBOX' FOLDERS, AND/OR ANY OTHER FOLDER WHICH YOU
CHOOSE TO LINK TO DROPBOX.
Is this intended for the program to access the files and send them to the server? Or does this mean the bad thing, that nothing is really private?
Well, this was just scanning the public/ folders, the files in which are accessible to anyone that has (or, in this case, can guess) the link.
Now, if it's something you absolutely must keep private, you shouldn't even store it in the private parts of your dropbox folder, but for things where it's not a huge deal if it ends up public, Dropbox is reasonably safe assuming you're not stupid about it (strong password, etc).
I think that the biggest concern is that Dropbox has access to your files. The files might be encrypted from the point of view of the physical location, but they are still accessible to Dropbox employees, feds, or anyone that manages to breach their servers. The most common solution to this is to use TrueCrypt containers for any particularly sensitive files.
This seems unsafe; if I understand what this person has done, he'd essentially be coercing Dropbox's backend services to open arbitrary links on his behalf. That's a very dangerous capability to expose to adversaries.
This would essentially eliminate any possibility of violating any terms of service as far as I can tell?
I'm not too comfortable putting any files on dropbox without some sort of encryption
fwiw, I've found that cppcryptfs is one of the better implementations of that sort though most (if not all) use the same library which seems to choke on certain files once in a while
> Eg, right now I can put an image file in my /public, get the link and embed it in an img src tag without the anyone else ever having to know it's on Dropbox.
> This way, I can't do that.
And it sucks. Embedding public/ images on university discussion group was one of my primary uses of Dropbox and I would have never ever suspected that of all the features, they would phase this one.
Personally, I don't trust the folks at Dropbox much more than I trust a random hacker. (No offense, of course. I just don't know them.) It's not even a matter of a security breach. Can you really be sure that one of their interns can't gain access?
So I would never put anything more than mildly sensitive on Dropbox unless I could encrypt it locally at each computer I use before I sent it too them. Yes, I guess it would be somewhat better than the current situation if they encrypted it on their system using a key I sent every times I wanted a file, but I'd still be trusting them to properly destroy the key, etc.
Dropbox isn't secure. They have a master key override and have many times already unlocked boxes without the user's permission. Also, they cache your credentials, anyone who gets a hold of the cache file can put it on another machine and get into the box without authenticating.
I often use the feature the same way. It's only "up for everyone in the world to see" if everyone has the URL, and nothing I ever share is so sensitive that the risk of someone bruteforcing all of the possible file/folder names in my Public folder poses a threat. (I imagine Dropbox would catch on to such attempts at the network level, anyway.)
Are non-public files now accessible to third parties who have the correct url? Is there code that maps encoded url's to every file in my dropbox? If so, this is a security vulnerability that is not present currently.
reply