Ask HN: Dropbox security bug?
But no, apparently if I send a link to a folder ("Copy link to this folder"), they can go straight in and download anything they like without having to register at all. I'm not talking about the files in the Public folder which I never use. It's a private folder.
This couldn't be more clear from the Web site dox:
"Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone."
If they get hold of the link they don't have to be deliberately invited. Try it and let me know.
https://www.dropbox.com/sh/hp1cxs474rm5fpn/PadV8OneIS
I tried this link from another user on a clean browser on my Mac, and it allowed me straight in. Now, I know I have DropBox running on my user, but surely it should still prevent me from seeing these files if I hadn't registered. I haven't had the opportunity to try it on someone else's machine yet - hence this post...
If this is the case then my folder is not secure, and worse I don't have any idea who has access to it.
Maybe I'm missing something, maybe it performs "as designed", but I don't like this - and I don't think its clear for the user either.
10 comments
[ 4.2 ms ] story [ 27.8 ms ] threadhttps://www.dropbox.com/sh/hp1cxs474rm5fpn/PadV8OneIS
I always wondered about this as well. Surely if you share the URL with someone, they could reshare it and as you say you then don't know who has access.
It seems to undermine the idea of security. I'd rather have that functionality limited in someway that makes it clear that you are making the folder "public" and no longer private.
If it's a shared folder then at some point you explicitly created a link to share access to that folder. If you don't want this anymore, you can revoke access. There is a big link icon next to folders you have shared.
Given there is a distinction between the security of invited as opposed to just shared this same dialogue is not clear that there is a difference in security - that's the issue.
1) https://www.dropbox.com/help/167/en 2) https://www.dropbox.com/help/20/en
Accept that this functionality exists - but because of the way it is implemented it is not clear when you do this that you are not doing the same thing.
Reading the docs after you have found out that your security is wide open is not acceptable.
One of the reasons why I am pretty annoyed at this is that I was recommending DropBox to a business partner who asked if I knew of a service that could store and manage access to sensitive docs.
I then fell for this massive gotcha two days later. Hence I had to revise my advice - not to use Dropbox because it was too easy to make a mistake.