

Data found in Dropbox's public folders (bottom in english) - edu
http://forwardfeed.pl/index.php/2010/02/01/dropbox-public-folder/

======
nkurz
Help me to understand: how is this different than publishing scans of
documents found in a public dumpster? If you don't want your credit card bills
published on the internet, shred all your mail before throwing it away. If you
don't want me to republish the contents of your semi-private URL's, encrypt
everything.

Yes, in theory the public could have accessed this information on their own,
but why would it be polite or desirable to republish it? At a first glance,
this looks like an immature stunt of the sort I'd hope would be scorned. I'm
not arguing that it's illegal -- just rude.

Are people voting this up to encourage more such stunts? To call attention to
the risks? Why?

~~~
edu
Hi, I submitted the post as an attention call. Actually, one of the published
CVs was mine and the author of the post contacted me about the issue.

From my point of view any sensitive personal data (CVs) has been erased from
the post. My hope is that nobody commits the same error I did (put my cv in
the public folder with a obvious name, and then forget it was there).

I hope this makes enough noise so the people from Dropbox change the public
URLs to use randomized names. Meanwhile I'll use unique, random names if I
want to share a file with personal data and keep it published the smallest
amount of time possible.

------
bartman
He notified my by mail that he published my CV. As you can imagine, I was not
very happy - and he removed it onto my request.

Even though I think this is a nice idea, publishing the data and even
providing a .zip containing all files seems reckless to me.

~~~
eli
It's also copyright infringement. If the server is in the US, anyone who
created one of those documents could send a DMCA takedown request.

------
ja27
He didn't look for "Top Secret.txt"? Maybe that's the safest place to keep
stuff on Dropbox.

------
chaosmachine
Yes, it's probably not smart to put anything you want to keep private on
Dropbox, unless you encrypt it first.

~~~
jackowayed
Well, this was just scanning the public/ folders, the files in which are
accessible to anyone that has (or, in this case, can guess) the link.

Now, if it's something you absolutely must keep private, you shouldn't even
store it in the private parts of your dropbox folder, but for things where
it's not a huge deal if it ends up public, Dropbox is reasonably safe assuming
you're not stupid about it (strong password, etc).

~~~
chaosmachine
As far as I can tell, private folders are also subject to this URL leaking
problem, but in a somewhat limited way.

If someone can grab the URL to your "recent changes" RSS feed (events.xml),
they can watch every file change you make, and view any image you upload,
without being logged in to your account.

If anyone from Dropbox wants to correct me on this, or wants more details, my
contact info is in my profile.

~~~
Groxx
Thumbnails, but yes. Just tested it. Wasn't aware of that, but doesn't matter
too much for me. I don't use it for images, am not ashamed of my images, and
you only see _what file_ was changed, not the changes made. An unlikely
security problem, but probably a bad idea anyway.

With a little complaining, I'd bet they'd put up an opt-out option, take out
image thumbnails, and hopefully a layer of security over the feed.

~~~
chaosmachine
You can get full sized images if you play with the URL (change /i/s/ to
/i/o/).

------
there
i suppose a lot of sites don't think too much about it, but putting a
user/account id in a url gives away quite a bit of information. putting aside
the recommendations for not putting an internal id in a url just because it
may change and break existing links, there are some privacy concerns as well.

in a cms-type application, it may let a recently-subscribed customer (or
competitor) know how many other customers are stored in the system, even if
they can't view the other records. it may also be used to determine a signup
date if that is at all useful.

in file-hosting type scenarios like dropbox, it allows for brute force
scanning like this. instead of using /u/1, /u/2, use the user's username, or a
randomly-generated key/guid associated that maps to the user's account.

