

Ask HN: Dropbox security bug? - chris_dcosta

I had always thought that my Dropbox shared folders required an invitation to see the files, or at least that I could copy the invitation link and send it directly to someone, who would then have to register to see the folder and files.

But no, apparently if I send a link to a folder ("Copy link to this folder"), they can go straight in and download anything they like without having to register at all. I'm not talking about the files in the Public folder, which I never use. It's a private folder.

This couldn't be more clear from the Web site dox:

"Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone."

If they get hold of the link they don't have to be deliberately invited. Try it and let me know.

https://www.dropbox.com/sh/hp1cxs474rm5fpn/PadV8OneIS

I tried this link from *another user* on a clean browser on my Mac, and it allowed me straight in. Now, I know I have Dropbox running on *my* user, but surely it should still prevent me from seeing these files if I hadn't registered. I haven't had the opportunity to try it on someone else's machine yet - hence this post...

If this is the case then my folder is not secure, and worse, I don't have any idea who has access to it.

Maybe I'm missing something, maybe it performs "as designed", but I don't like this - and I don't think it's clear for the user either.
======
jabbslad
It's working as designed and is not a bug. The help documentation describes
the functionality:

1) <https://www.dropbox.com/help/167/en>
2) <https://www.dropbox.com/help/20/en>

~~~
chris_dcosta
See my reply to @nodata.

I accept that this functionality exists, but because of the way it is
implemented it is not clear, when you do this, that you are not doing the same
thing.

Reading the docs after you have found out that your security is wide open is
not acceptable.

One of the reasons why I am pretty annoyed at this is that I was recommending
Dropbox to a business partner who asked if I knew of a service that could
store and manage access to sensitive docs.

I then fell for this _massive gotcha_ two days later. Hence I had to revise my
advice - not to use Dropbox because it was too easy to make a mistake.

------
nodata
Are you confusing Public folders with shared folders?

If it's a shared folder then at some point you explicitly created a link to
share access to that folder. If you don't want this anymore, you can revoke
access. There is a big link icon next to folders you have shared.

~~~
chris_dcosta
Nope. The button to copy the link is in the same dialogue as the one you use
to invite specific people.

Given there is a distinction between the security of invited as opposed to
just shared, this same dialogue does not make it clear that there is a
difference in security - that's the issue.

------
andyhart
Yep, I can see two folders in there and your 26.76MB PDF file. It also lets me
delve into the subfolders.

I always wondered about this as well. Surely if you share the URL with
someone, they could reshare it and as you say you then don't know who has
access.

~~~
chris_dcosta
Yes that's my point.

It seems to undermine the idea of security. I'd rather have that functionality
limited in some way that makes it clear that you are making the folder "public"
and no longer private.

~~~
schmrz
Public means that anyone can access it without any verification/authentication
info. Private in this context would mean that it's limited to people who
received the link.

~~~
chris_dcosta
Yep - but I challenge you to determine that from the sharing dialogue.

------
narad
I am able to view your files. Did you contact Dropbox and check with them?

------
chris_dcosta
clickable

<https://www.dropbox.com/sh/hp1cxs474rm5fpn/PadV8OneIS>

