
Dropbox exposes personal details of viewers of publicly shared Paper documents - koenrh
https://twitter.com/koenrh/status/1176523837866946561
======
peterkelly
Not only that, but Dropbox lets you pick any publicly visible document that's
been viewed by a large number of people and easily spam them simply by writing
@doc.

I may have just pissed off a lot of people with my experiment :(

I realised immediately afterwards how reckless that was, but Dropbox - WTF?
Why is this even allowed?

~~~
dbrgn
I was spammed by you. I first thought you're an idiot, but this is fine ;)

Pinging all viewers of a public document with a message should not be
possible.

------
plg
Man alive, all I want is a folder that syncs. That's all. I understand that
Dropbox is a business and blah blah blah ...

so what are my alternatives if I literally only want:

- a folder that syncs on my devices

- the ability to share a folder with others

- cross-platform

~~~
thunderbong
I'll also vouch for syncthing. It's the best file sharing application. It
works cross-platform, with Windows, Linux, Android and Mac clients.

I can choose to share specific folders for each device. I have one set up on a
DO droplet and it seamlessly syncs across all my devices.

Also, when two devices are on the same LAN, it discovers the devices
automatically.

Couldn't praise it enough!

[https://syncthing.net/](https://syncthing.net/)

~~~
josteink
Biggest problem with syncthing is lack of iOS-support.

~~~
smush
I agree that is the most significant barrier. There are threads like [1], but,
as with other much-wanted features (such as Syncthing supporting untrusted
nodes that hold the data but don't have the encryption keys, à la Resilio
Sync), progress sometimes comes in spurts and starts.

[1] [https://forum.syncthing.net/t/on-syncthing-ios-port-again/8964/12](https://forum.syncthing.net/t/on-syncthing-ios-port-again/8964/12)

------
neogodless
"For teams to work across the internet, they need to be able to see who else
views the document on their team."

"Got it, agreed."

"What if they make it public, and the team is anyone on the internet?"

"Same! Name, email, maybe more?!"

No. No! If something is shared publicly, who views it should not be public
knowledge. Or it should be screamed in a blaring, blinking, marquee
high-contrast banner across the screen to everyone before viewing the document.

~~~
giancarlostoro
I'd be OK with just part of their email or something, or only first or last
name (but never both, or switched). It should only be 1 bit of information
that if it looks off it would alert someone that the link has been
compromised.

On the other hand I feel like Google Docs does the same thing.

~~~
neogodless
I believe the way Google Docs works is that if you share something publicly,
people show up as "Anonymous Animal" and that's about the limit of what you
can learn about them, unless they are on the same G Suite account with you.

Although I think you might have the option to "reveal your Google Account" to
other users/viewers of the shared document.

~~~
johnisgood
> Although I think you might have the option to "reveal your Google Account"
> to other users/viewers of the shared document.

Is it not the default when you are logged in? It used to be the case that when
you are logged in and you visit Google Docs, you (your name at the very least)
show up on the list of viewers.
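The two presence policies contrasted in this subthread (Dropbox Paper showing every viewer's name and email to anyone holding a public link, versus the Google Docs behaviour neogodless describes, where outsiders appear as "Anonymous Animal" unless they are on the same organisation account or opt in to reveal themselves) can be written down as one small access function. The following is an added example, not Dropbox's or Google's code: the users, team names, the animal list and the `reveal_identity` opt-in flag are all assumptions made for illustration. It also applies the secure default marcinzm's test below argues for, namely that a new document is team-only until its owner deliberately turns on link access.

```python
"""Viewer-presence disclosure policy for shared documents.

Added example, not Dropbox's or Google's code. It models the two behaviours
contrasted in the thread: showing every viewer's name and email to anyone
who opens a public link, versus showing real identities only inside the
owning team and a per-document pseudonym to everyone else unless the viewer
opted in. Users, teams and the animal list are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib
import secrets

ANIMALS = ["Aardvark", "Badger", "Capybara", "Dingo", "Echidna", "Fennec"]


@dataclass(frozen=True)
class User:
    user_id: str
    name: str
    email: str
    team: Optional[str]              # None for a personal account
    reveal_identity: bool = False    # explicit opt-in to be named on public docs


@dataclass
class Document:
    owner_team: Optional[str]
    # Secure default: only the owning team can open it. "anyone_with_link"
    # must be chosen deliberately by the owner.
    link_access: str = "team"
    # Per-document salt so a pseudonym cannot be correlated across documents.
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


def on_owner_team(user: User, doc: Document) -> bool:
    return doc.owner_team is not None and user.team == doc.owner_team


def may_view(user: User, doc: Document) -> bool:
    """Access check that runs before any presence information is computed."""
    return doc.link_access == "anyone_with_link" or on_owner_team(user, doc)


def pseudonym(viewer: User, doc: Document) -> str:
    """Alias that is stable within one document and unlinkable across docs."""
    digest = hashlib.sha256(doc.salt + viewer.user_id.encode()).digest()
    return "Anonymous " + ANIMALS[digest[0] % len(ANIMALS)]


def naive_presence_entry(viewer: User, doc: Document, requester: User) -> Dict[str, str]:
    """The behaviour the thread complains about: full identity to everyone."""
    return {"name": viewer.name, "email": viewer.email}


def presence_entry(viewer: User, doc: Document, requester: User) -> Dict[str, str]:
    """Least-disclosure version.

    Name and email are shown only when both the viewer and the requester are
    on the owning team. Outside that case the viewer is a pseudonym, or a bare
    name (never the email) if they explicitly opted in to be revealed.
    """
    if on_owner_team(viewer, doc) and on_owner_team(requester, doc):
        return {"name": viewer.name, "email": viewer.email}
    if viewer.reveal_identity:
        return {"name": viewer.name}
    return {"name": pseudonym(viewer, doc)}


def presence_list(viewers: List[User], doc: Document, requester: User) -> List[Dict[str, str]]:
    """What `requester` sees in the 'currently viewing' widget."""
    if not may_view(requester, doc):
        raise PermissionError("requester cannot open this document")
    return [presence_entry(v, doc, requester) for v in viewers if may_view(v, doc)]


if __name__ == "__main__":
    acme = "acme"
    owner = User("u1", "Alice Owner", "alice@acme.example", acme)
    colleague = User("u2", "Bob Team", "bob@acme.example", acme)
    outsider = User("u3", "Carol Public", "carol@example.org", None)
    public_doc = Document(owner_team=acme, link_access="anyone_with_link")
    # An anonymous link-holder sees two pseudonyms and their own pseudonym,
    # never the team members' emails.
    for entry in presence_list([owner, colleague, outsider], public_doc, outsider):
        print(entry)
```

The point of the per-document salt is that the same outsider reading two different public documents gets two unrelated animals, so the presence widget cannot be used to build up a cross-document profile of one reader. The opt-in branch still withholds the email address: a display name is enough for the "who else is here" use case Dropbox Support cites, and the email is what makes the spam and enumeration described elsewhere in this thread possible.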

------
mlthoughts2018
I had a chance to join a machine learning team at Dropbox a few years ago.
Ultimately what made me decline was this feeling that everyone in the office
was sort of a zombie on autopilot. Nobody was excited about anything, all the
use cases being kicked around for machine learning were extremely contrived
recommendation and automation features that seemed like they had no real
product research or stakeholder support to pursue them.

It was like everyone was just resigned to raking in money on top of an
extremely boring storage platform and clearly nobody was going to risk
generous salary or equity coming in so they could rock the boat with an
ambitious project.

All to say it doesn’t surprise me that there was some lapse of quality
checking or oversight on some feature of Paper integrating with Dropbox.

The whole place reminded me of this quote by TS Eliot, “Oxford is very pretty,
but I don’t like to be dead.”

~~~
AznHisoka
Dropbox to me seems like a one-trick pony trying desperately to expand their
market. It's a cloud storage system. Ideally for consumers, not enterprises
(who already have Google Drive, or AWS if you're storing web objects). I know
they acquired HelloSign awhile back, but who the heck would want to use both
DropBox and HelloSign together?

~~~
mlthoughts2018
I believe their goal is to expand to enterprise customers who would use
Dropbox as a replacement for something like Google Drive. They seem to
hypothesize that the way to win market share is through collaboration
intelligence features and coordination features. I think it’s a bad hypothesis
and really if they have a way to win market share it’s purely by being a
cheaper / more basic option, then maybe start-ups or small businesses would
choose it.

But this goes against the premium pricing and branding they have created for
consumer storage plans, and I think hamstrings them from doing anything else
really.

And at the end of the day, if Google is worried you’re underpricing them, they
have way more levers to pull on to retain or win back customers, and more
cushion to absorb losses.

Just seems like a bad business strategy by Dropbox all around. Probably should
just focus on how to deliver consumer storage accounts with lower and lower
prices instead.

~~~
dual_basis
Your last two sentences seem contradictory.

------
marcinzm
I just created a Paper document on my Dropbox account and then viewed it on
another account. As best I can tell, Dropbox saying there is a notification is
a lie.

I did not get a visible notification when creating it although there may have
been one buried under some links or button. Paper documents are publicly
editable by default if you have the url.

I got no notification when viewing it from a different user. I used the public
link to do so and could see the identities of other viewers.

------
WilliamEdward
DropBox doubled down.

[https://twitter.com/DropboxSupport/status/117695661143435264...](https://twitter.com/DropboxSupport/status/1176956611434352641)

[https://twitter.com/DropboxSupport/status/117695664129355777...](https://twitter.com/DropboxSupport/status/1176956641293557770)

[https://twitter.com/DropboxSupport/status/117695667110665830...](https://twitter.com/DropboxSupport/status/1176956671106658306)

(And they have no idea how twitter threads work)

~~~
troydavis
To save folks a few clicks and in case those tweets are deleted, here's the
content:

> We understand the concerns, and want to assure you that privacy
> considerations are built into how we design our features. While Paper has a
> setting that allows anyone with the link to access a Paper doc, we warn
> users who try to access a doc owned by another team or a...[1/3]

> ...user not on their team that their information will be visible in a screen
> that pops up before the Paper doc loads. Displaying this information is
> needed to enable collaboration and security features for our users. Users
> and admins can control who can view a Paper doc..[2/3]

> ...in our settings. For more information see:
> [https://help.dropbox.com/files-folders/paper/sharing-permissions](https://help.dropbox.com/files-folders/paper/sharing-permissions) [3/3]

------
gizmo
This is completely reckless, but I'm not surprised. This is the company that
pushed an update that allowed people to log on to any account with any
password. Clearly they haven't learned anything about good security practices
or responsible data governance.

------
buboard
"seems problematic" - understatement of the month

I always thought those indicators about who is viewing a publicly shared
document were creepy

------
jcsnv
I use two Chrome profiles, one for work and one for personal. I keep them
separate by not logging into my personal account with the work profile, etc.

Whenever I open Dropbox Paper with my work Chrome profile, it shows to have
access to my personal Dropbox. These two are separate Dropbox accounts with
separate emails associated to them. Yet, I'm able to access them since I sync
a shared folder from my personal account on the same computer as the work
Dropbox account (Work Dropbox account being the account thats logged into on
the computer).

Seems like UX overtook security in this aspect since I didn't explicitly want
to "connect" both accounts outside of shared folder.

------
siproprio
This should be great for finding active email addresses for spamming people.

For example, there are a lot of hits for

    https://www.google.com/search?hl=en&q=%22https%3A%2F%2Fpaper.dropbox.com%2Fdoc%2F%22

And of course, by Guido van Rossum himself, there are quite a lot of emails
here:

    view-source:https://paper.dropbox.com/doc/Yet-another-guided-tour-of-CPython--Alg6nzJCcNoY3S~SyY_T~KzuAg-XY7KgFGn88zMNivGJ4Jzv

------
sbr464
It definitely seems unnecessary to share the info to all users, especially
full contact info.

Airtable has a somewhat worse issue, any file you upload is publicly available
without login, as long as you have the attachment URL. There isn’t any way to
protect file assets, even though the underlying worksheet is private and
requires a login.

------
FanaHOVA
Not a great response either:
[https://twitter.com/DropboxSupport/status/117695661143435264...](https://twitter.com/DropboxSupport/status/1176956611434352641)

------
feketegy
It's 2019 and devs still can't get this s __t right.

~~~
iicc
> It's 2019 and devs still can't get this st right.

It's 2019 and humans still make typos.

~~~
jtbayly
Or it’s 2019 and Apple’s pro laptop keyboards still don’t work. ;)

~~~
danielhlockard
especially on R, S, Space, and left-shift for me!

------
sambe
It feels like there are more responsible ways to deal with this than showing
up their support team on Twitter.

------
jostmey
And does anyone actually use Dropbox paper?

I'd rather have a Dropbox email service and client than this silly product

~~~
dual_basis
I do, because they are one of the few online collaboration platforms which
support LaTeX. I'm not talking about Overleaf, which is great if you want to
make a full LaTeX document, I'm talking about an easier markdown editor where
LaTeX is only used for math equations. I don't need the full
Turing-completeness of LaTeX if I'm just taking some notes during a meeting,
but I do want to be able to write math formulae and have them display
correctly.

This was the sole reason I checked it out, however I have grown to appreciate
many of their other features. Their collaboration functionality is quite
unique, and the generally smooth way you can add structured information (eg.
"todos" with assigned users and due dates) is great.

That being said, it often feels "half-baked" still compared to other
solutions. The Paper file organization interface feels like it is just bolted
on top of Dropbox's existing interface, and sometimes their formatting is
_too_ restrictive (eg. you can't change text alignment). The issue raised in
this post is yet another example of the product being half-baked.

~~~
bobbylarrybobby
You should look into Notion.so. They don’t have inline TeX (yet?) but they do
have block TeX.

~~~
dual_basis
Thanks, Notion looks pretty great. Beats Dropbox Paper on almost all fronts
except the inline TeX.

It looks like it is on their radar:
[https://twitter.com/NotionHQ/status/1093334827770699778](https://twitter.com/NotionHQ/status/1093334827770699778)

In the meantime, there is this workaround: [https://www.notion.so/Notion-Inline-Math-9c5047a4e7c84643848b3630db8d5a5e](https://www.notion.so/Notion-Inline-Math-9c5047a4e7c84643848b3630db8d5a5e)

It's not a great workaround, however, since (by the way it works) it looks
like it would only work locally in the user's browser, assuming they install
the violentmonkey browser extension; it is rather verbose (the code block +
`math:` prefix); and you have to press F2 to rerender all inline math.

------
honest_tovarich
I guess Dropbox violates user’s privacy in a multi-threaded fashion. ;-)

------
gdhbcc
This looks like a GDPR breach. Does anyone know where I can find the details
for the Dropbox GDPR representative?

~~~
daniel_iversen
Why is it a GDPR breach when a Dropbox screen clearly explains to the user
clicking the link that other users will see your details if you proceed? (Just
curious, it may well be an issue, I just don’t know how).

~~~
marcinzm
GDPR, as I understand, does not allow removing unrelated features if someone
does not agree to have their privacy broken. For example, opting out of ad
tracking cannot make the site be blocked for me. In this case, there is no opt
out button other than not using the feature and the feature does not require
this information sharing.

~~~
johnisgood
> opting out of ad tracking cannot make the site be blocked for me.

Does this apply to cookies? I am asking because a lot of websites have
"necessary" cookies and there is no way to opt out of them (other than by
closing the tab), and if there is and you do, then you cannot proceed further.
I really do not understand why some cookies would be necessary to view a page,
though, but I have seen this on A LOT of sites.

~~~
gog
You do not need consent for necessary cookies.

~~~
johnisgood
Then what is the reason for websites asking me to accept? Some websites also
offer me the ability to select/deselect some cookies, but cannot deselect
"necessary" cookies. There are websites that do not function until I accept.
Some sites explicitly state this, and they do ask me to accept/consent.

Example: [https://edigital.sk](https://edigital.sk)

On the right, you will see a down-arrow, click on that. You can clearly see
the first checkbox on the left being checked and disabled, it is the
"necessary" or "essential" cookies to what I am referring. You cannot
deselect. On top of that, there is no way to close the popup (?), it is by
design. Of course there are ways to circumvent it, but that is besides the
point.

There are many other websites like this, but I cannot remember them. :/

~~~
gog
I am not seeing anything on your example. But necessary cookies are things
without which the site cannot function (like logging in).

I suppose most of the time the box is there to allow you to consent to
additional cookies as well.

There are also a lot of broken implementations out there.

~~~
johnisgood
Found another one: [https://www.technorms.com](https://www.technorms.com)

You must click on "Continue with Recommended Cookies", or you cannot use the
site (you could use uBlock to block the element, but that is besides the
point).

------
microcolonel
I mean, if they ask you... seems fine to me?

