A significant DropBox and Box security vulnerability has been discovered by rival cloud service provider, Intralinks, which discovered that a number of Dropbox and Box ‘share’ links (which are intended for a limited audience) may be disclosed to third-parties.
And it would appear that much of the problem is down to end users themselves failing to check effectively on the security settings they use for such services, or opting for the free versions of those services when it is widely known that security capabilities are not even provided. In other words, the real story of the internet – that nothing is for nothing – is holding true in this important and potentially damaging area.
The discovery was made during analysis of the company’s Google Adwords campaigns. Intralinks found that sensitive files, such as mortgage records, have been found using these public links, although Dropbox has now disabled access and will be implementing a patch to prevent shared links from being exposed from now on.
Skyhigh Networks, a cloud visibility company which evaluates and ranks the security credentials of services like Box, Dropbox and Intralinks, believes that this vulnerability demonstrates why it’s paramount that businesses are aware of and use cloud services which have the appropriate level of security.
“This story serves as further proof, as if it were needed, that businesses need to be better aware of their risk profile when it comes to sensitive data and cloud security – as these kinds of files should never be made available to the public,” said Charlie Howe, Skyhigh Networks EMEA director. “If a business is sharing confidential information such as mortgage records, is using cloud services and cannot guarantee that it is protecting this data from unauthorised access, it really doesn’t have a grip on its IT security, or the cloud for that matter.
“It’s vital that all organisations understand which cloud services have the necessary security and privacy features for business use. For example, Box does in fact have a number of settings that would eliminate this specific vulnerability, as does Dropbox for Business – however, the free version of Dropbox does not. The fact that businesses still use free file sharing applications when secure, enterprise-ready alternatives exist really beggars belief. Indeed, in our latest European Cloud Adoption and Risk report, we discovered that Dropbox is one of the most popular cloud services in use in the UK, but Dropbox for Business is yet to register on the top ten list.
“The companies most affected by this vulnerability will be those with poor visibility into how sensitive content is shared in the cloud. Modern enterprises should consider careful and diligent cloudservice monitoring as a necessity in today’s IT security climate. Those which don’t will continue to find their data, their reputation and their business exposed.”
