Dropbox exposes personal details of viewers of publicly shared Paper documents (twitter.com)
241 points by koenrh 21 days ago | 108 comments

Not only that, but Dropbox lets you pick any publicly visible document that's been viewed by a large number of people and easily spam them simply by writing @doc.

I may have just pissed off a lot of people with my experiment :(

I realised immediately afterwards how reckless that was, but Dropbox - WTF? Why is this even allowed?

I was spammed by you. I first thought you're an idiot, but this is fine ;)

Pinging all viewers of a public document with a message should not be possible.

Thanks for this, I forgive you for this; hope Dropbox fixes this soon enough.

I went a while being followed by spam after a Dropbox email leak a few years ago

Sometimes there will be a little pain associated with creating more awareness to issues like this... you did the right thing.

I think the first self-described "growth hacker" worked for Dropbox way back when. Would not be surprised that the toxic "growth hacking" ethos still permeates through their growth/product teams today.

> I may have just pissed off a lot of people with my experiment :(

That's why we don't test on production

Thanks for the spam!

You did the right thing! This is seriously WTF! And I'm not entirely sure if this isn't even a breach of GDPR in the EU :scream:

Man alive, all I want is a folder that syncs. That's all. I understand that Dropbox is a business and blah blah blah ...

so what are my alternatives if I literally only want:

- a folder that syncs on my devices

- the ability to share a folder with others

- cross-platform

I'll also vouch for syncthing. It's the best file sharing application. It works cross platform, has windows, linux, android and mac clients.

I can choose to share specific folders for each device. I have one set up on a DO droplet and it seamlessly syncs across all my devices.

Also, when two devices are on the same LAN, it discovers the devices automatically.

Couldn't praise it enough!


I use syncthing and it's fine but it's not bulletproof. Simple sync cases are fine, but when you start having permissions and both sources actively write data, it can lock up and end up in a weird state.

To its credit, you can always resolve the problems with some careful deleting and the occasional permissions kludge.

I have this running on my personal computer, my work laptop, and my phone. I almost never have any issues, and I can work seamlessly from any device. It's great. I will also use it to share project folders with other people, and again, no serious problems.

SyncThing is great, but the lack of a functional iOS app hurts.

Biggest problem with syncthing is lack of iOS-support.

I agree that is the most significant barrier. There are threads like [1], but like other much-wanted features like Syncthing being able to support untrusted nodes that hold the data, but don't have encryption keys a-la Resilio Sync, progress sometimes comes in spurts and starts.

[1] https://forum.syncthing.net/t/on-syncthing-ios-port-again/89...

Maybe something like a self-hosted NextCloud/OwnCloud? Although integration into the operating systems is not as good as with Dropbox, I completely switched to a self-hosted NextCloud and everything works fine without bloat.

+1 on the Nextcloud. It hosts files great and completely replaced Dropbox. It also hosts my Contacts, Calendar, and with Collabra, it is a complete Google Docs replacement too. Like someone else said further down, it also does automatic picture uploads too.

Ah, good to hear that. I still have to look into that to decouple more from Google. Do you have any good resources for more information on how to move contacts and calendar? Or did this work right from the start for you?

It was pretty out of the box friendly. You have to download all of that from google (I recall they have an export function), and it was in a file that nextcloud natively accepts.

Ah, okay. I thought I would need to move them somehow right on my phone. Will have a look into that, thanks!

I've been using Nextcloud for a few years and it's great. The catch is that it's self-hosted so you'll have to get a VPS or have a Raspberry Pi lying around that you want to use for it. Setting up the server takes about 10 minutes if you're a technical user. It's just "sudo snap install Nextcloud" then some additional LetsEncrypt settings if you want SSL. I'll admit it's not a good solution for non-technical users who aren't familiar with the command line.

However, multiple users can use the same server, so you can set it up once and share it with family members. You (the server admin) have full control over your data, so it won't be parsed and collected by third parties. It's also FOSS. There exist sync clients for all desktop and smartphone operating systems as well as a web interface for everything else.


Note that their website appears to be down at the moment. Not even "server overloaded" down, but "server not there" down.

They are on GitHub, though: https://github.com/nextcloud

I know that people will frown at this for being Chinese but I really recommend Seafile:

- https://www.seafile.com/en/home/

It's pretty much an open-source version of Dropbox. It works incredibly well, you can host it yourself, and it does what you expect it to do.

https://www.Sync.com (full disclosure, I work there).

Unfortunately, it is only partially cross platform (no Linux client) :-(

Sync to a compatible VM or server and then set up rsync?

That could be doable, but requires setting up an always available server in my home and installing Windows on that - not exactly the best of ergonomics

Does it support differential sync? It's the only reason why I'm still using Dropbox.

For the majority of users, delta sync doesn't bring much benefit. See here: https://www.getfilecloud.com/blog/2017/03/myths-and-facts-ab...

Most of the modern files like office documents and pdfs are compressed. Delta Sync only will help in scenarios if you have bitmaps and vm disks.

The Sync apps provide end-to-end encryption, so the entire file is uploaded when it changes. Agreed differential sync can be a good thing, especially with super large files that change often.

I'm very happy with Tresorit [0]. I used to use Spideroak but switched when their warrant canary got removed.

The big plus for me is end to end encryption. I use it for documents and scans and never felt okay having those in Dropbox.

I also have their cli client running on my Synology NAS so I get a local copy as well as in the cloud.

The only downside, it is a fair bit more pricey when you need a lot of storage.

[0] https://tresorit.com/

I agree, the only "con" I can think of with Tresorit is the price. But I am trying to put my money where my mouth is and pony-up for services which respect my privacy. Quite happy with Tresorit so far.

I use Resilio Sync. It's not free, but was just a one time payment, not a subscription. Works on macOS, Linux, Windows, and they have an iOS app, too.

Sharing with others is possible, but they have to have the app installed to access the files. Resilio Sync doesn't provide any server through which you can download the files, it's all P2P.

I couldn't figure out their licensing or payment model for a team, everything led back to subscriptions and was hideously complicated. We went back to Dropbox because it just worked, no matter how much cruft it's taken on.

Yeah, their enterprise offerings are subscription based (per user). I only use it privately.

I second this for personal use. For business I have no idea.

Keybase. I really wish they would get their act together and let me pay them for the service.

They're very clearly not aiming at being professional, with this trashing focus on random features.

What focus is missing? It works great, only missing feature as GP says is paid upgrade (first 250GB is free 'and always will be').


Introduction of random features instead of things people ask for.

Random features:

- Crypto wallets that go on your public profile if you want the alert to shut up
- Git. I mean, would you trust a production repo to magic crypto remote relying on a third party service that has no SLAs?
- We're kind of Slack/Mattermost/Discord now but with none of the accessibility or SLA offerings, and you need one or the other to have an audience besides "tech nerds" who are already fragmented on 20+ platforms and clearly just needed one more

Things people want:

- An app that is less entitled and forces focus over everything. Games, your presentation, everything, it doesn't care.
- Dark mode? Literally the highest voted thing and it took them 2 years to start working on it.
- Seamless mobile notifications. Signal can show content while maintaining strong crypto, why does Keybase just show '<person> sent you a message'. That is super annoying if you want to use Keybase for an actual team.
- Random reliability issues and nobody seems to care about them with any sense of urgency.

It's okay to be run like a hobby, to move fast and break shit and pay no attention to polishing the experience. But then don't be surprised if nobody seriously uses your product.

They're really looking like they've got laser focus on file sync with their crypto wallet support and random crap coin giveaways

I've used Keybase for file sync/backup—though not extensively.

In spite of all of those other points, I've found the sync does work pretty seamlessly if you just need 1:1 sync and limited special features. That suits me well enough.

Definitely not 1:1 sync.

They're not even saving metadata which is available on all filesystems such as timestamps etc.

Oh interesting. I guess I assumed too much. To be fair, my main interest was in the content so it served me fine but for more complex workflows or needs that would be debilitating.

Seconded. I still cannot find a decent alternative, if I add

- not self-hosted, but hosted by someone big enough to have a decent security team.

I don't want to take care of the security of this myself, nor do I want to rely on some mostly unknown 3 people startup.

Hetzner sells hosted Nextcloud. Not sure if the security team is absolutely top notch, but they are no 3 people startup either.

Thank you, I searched for Nextcloud hosting before, but I did not find Hetzner.

the only downside I found was that they don't (or didn't) allow custom domains (so cloud.yourdomain.com won't work)

I use Dropbox and just not paper

rsync - https://linux.die.net/man/1/rsync

I am having trouble finding the original "Show HN" for Dropbox but I recall people just calling it, more or less, "rsync with a web GUI."

Taking it one step further, you could use rclone (https://rclone.org/) which is like rsync but adds the functionality of syncing files with different cloud storage providers.

It has been on my TODO list to setup rclone with Nuage as the front end (https://github.com/mickael-kerjean/nuage) so I can have a Dropbox-like interface with org-mode text file rendering on the go.

It doesn't have "Show HN" in the title, but here it is: https://news.ycombinator.com/item?id=8863

I B2 with Rclone:


I have a Synology NAS with their "Synology Drive" software. The UI polish isn't great, but the functionality has been solid in my experience. Bonus points for keeping my data entirely local aside from the dynamic DNS piece to connect in remotely.

Paper is a separate product.

Box? Or is that even too heavy for your tastes, given that they've been adding "features" to their product too.

Syncthing. No cloud part though.

Does any viable open-source option exist that could be self-hosted?

Nextcloud. Has windows, Linux and iOS clients.

Also integrates with Files on iOS, and has camera-upload which works better than Dropbox.

Best switch I ever made.

Thanks. I just tried the demo, but it's not working in Firefox 69.0 at all. It loads, but nothing works.


Weird. Don’t have any issues like that in my setup, but I can see not having a working demo to judge a product by makes it hard to commit.

Works for me, though, for what it’s worth.

No worries. I know my office blocks a lot of traffic and has some other rules baked in so I wonder if that’s the case here.

Thanks for the recommendation though.

"For teams to work across the internet, they need to be able to see who else views the document on their team."

"Got it, agreed."

"What if they make it public, and the team is anyone on the internet?"

"Same! Name, email, maybe more?!"

No. No! If something is shared publicly, who views it should not be public knowledge. Or it should be screamed in blaring, blinking, marquee high-contrast banner across the screen to everyone before viewing the document.

I'd be OK with just part of their email or something, or only first or last name (but never both, or switched). It should only be 1 bit of information that if it looks off it would alert someone that the link has been compromised.

On the other hand I feel like Google Docs does the same thing.

I believe the way Google Docs works is that if you share something publicly, people show up as "Anonymous Animal" and that's about the limit of what you can learn about them, unless they are on the same G Suite account with you.

Although I think you might have the option to "reveal your Google Account" to other users/viewers of the shared document.

> Although I think you might have the option to "reveal your Google Account" to other users/viewers of the shared document.

Is it not the default when you are logged in? It used to be the case that when you are logged in and you visit Google Docs, you (your name at the very least) show up on the list of viewers.

Yeah that's what I meant, I've seen names on documents, didn't know the specifics of how they got there. All without logging on.

I had a chance to join a machine learning team at Dropbox a few years ago. Ultimately what made me decline was this feeling that everyone in the office was sort of a zombie on autopilot. Nobody was excited about anything, all the use cases being kicked around for machine learning were extremely contrived recommendation and automation features that seemed like they had no real product research or stakeholder support to pursue them.

It was like everyone was just resigned to raking in money on top of an extremely boring storage platform and clearly nobody was going to risk generous salary or equity coming in so they could rock the boat with an ambitious project.

All to say it doesn’t surprise me that there was some lapse of quality checking or oversight on some feature of Paper integrating with Dropbox.

The whole place reminded me of this quote by TS Eliot, “Oxford is very pretty, but I don’t like to be dead.”

Dropbox to me seems like a one-trick pony trying desperately to expand their market. It's a cloud storage system. Ideally for consumers, not enterprises (who already have Google Drive, or AWS if you're storing web objects). I know they acquired HelloSign a while back, but who the heck would want to use both Dropbox and HelloSign together?

I believe their goal is to expand to enterprise customers who would use Dropbox as a replacement for something like Google Drive. They seem to hypothesize that the way to win market share is through collaboration intelligence features and coordination features. I think it’s a bad hypothesis and really if they have a way to win market share it’s purely by being a cheaper / more basic option, then maybe start-ups or small businesses would choose it.

But this goes against the premium pricing and branding they have created for consumer storage plans, and I think hamstrings them from doing anything else really.

And at the end of the day, if Google is worried you’re underpricing them, they have way more levers to pull on to retain or win back customers, and more cushion to absorb losses.

Just seems like a bad business strategy by Dropbox all around. Probably should just focus on how to deliver consumer storage accounts with lower and lower prices instead.

Your last two sentences seem contradictory.

I just created a Paper document on my Dropbox account and then viewed it on another account. As best I can tell, Dropbox saying there is a notification is a lie.

I did not get a visible notification when creating it, although there may have been one buried under some links or a button. Paper documents are publicly editable by default if you have the URL.

I got no notification when viewing it from a different user. I used the public link to do so and could see the identities of other viewers.

To save folks a few clicks and in case those tweets are deleted, here's the content:

> We understand the concerns, and want to assure you that privacy considerations are built into how we design our features. While Paper has a setting that allows anyone with the link to access a Paper doc, we warn users who try to access a doc owned by another team or a...[1/3]

> ...user not on their team that their information will be visible in a screen that pops up before the Paper doc loads. Displaying this information is needed to enable collaboration and security features for our users. Users and admins can control who can view a Paper doc..[2/3]

> ...in our settings. For more information see: https://help.dropbox.com/files-folders/paper/sharing-permiss... [3/3]

It's probably their CS Twitter client that's coded without proper awareness of threads (likely only letting staff reply to the original message)

The threads are not working because DropboxSupport fumbled them in their answer

You (I mean, the support account) need to make the following items a reply of the 1st item then it will work

This is completely reckless, but I'm not surprised. This is the company that pushed an update that allowed people to log on to any account with any password. Clearly they haven't learned anything about good security practices or responsible data governance.

"seems problematic" - understatement of the month

I always thought those indicators about who is viewing a publicly shared document were creepy

I use two Chrome profiles, one for work and one for personal. I keep them separate by not logging into my personal account with the work profile, etc.

Whenever I open Dropbox Paper with my work Chrome profile, it shows as having access to my personal Dropbox. These two are separate Dropbox accounts with separate emails associated with them. Yet I'm able to access them, since I sync a shared folder from my personal account on the same computer as the work Dropbox account (the work Dropbox account being the account that's logged in on the computer).

Seems like UX overtook security in this aspect since I didn't explicitly want to "connect" both accounts outside of shared folder.

This should be great for finding active email addresses for spamming people.

For example, there are a lot of hits for

And of course, by Guido van Rossum himself, there are quite a lot of emails here:


It definitely seems unnecessary to share the info to all users, especially full contact info.

Airtable has a somewhat worse issue, any file you upload is publicly available without login, as long as you have the attachment URL. There isn’t any way to protect file assets, even though the underlying worksheet is private and requires a login.

It's 2019 and devs still can't get this st right.

It is a feature. The devs worked to spec, it is PM who is to blame.

> It's 2019 and devs still can't get this st right.

It's 2019 and humans still make typos.

Or it’s 2019 and Apple’s pro laptop keyboards still don’t work. ;)

especially on R, S, Space, and left-shift for me!

It feels like there are more responsible ways to deal with this than showing up their support team on Twitter.

And does anyone actually use Dropbox paper?

I'd rather have a Dropbox email service and client than this silly product

I do, because they are one of the few online collaboration platforms which support LaTeX. I'm not talking about Overleaf, which is great if you want to make a full LaTeX document, I'm talking about an easier markdown editor where LaTeX is only used for math equations. I don't need the full Turing-completeness of LaTeX if I'm just taking some notes during a meeting, but I do want to be able to write math formulae and have them display correctly.

This was the sole reason I checked it out, however I have grown to appreciate many of their other features. Their collaboration functionality is quite unique, and the generally smooth way you can add structured information (eg. "todos" with assigned users and due dates) is great.

That being said, it often feels "half-baked" still compared to other solutions. The Paper file organization interface feels like it is just bolted on top of Dropbox's existing interface, and sometimes their formatting is too restrictive (eg. you can't change text alignment). The issue raised in this post is yet another example of the product being half-baked.

You should look into Notion.so. They don’t have inline TeX (yet?) but they do have block TeX.

Thanks, Notion looks pretty great. Beats Dropbox Paper on almost all fronts except the inline TeX.

It looks like it is on their radar: https://twitter.com/NotionHQ/status/1093334827770699778

In the meantime, there is this workaround: https://www.notion.so/Notion-Inline-Math-9c5047a4e7c84643848...

It's not a great workaround, however, since (by the way it works) it looks like it would only work locally on the user's browser assuming they install the violentmonkey browser extension, it is rather verbose (the code block + `math:` prefix), and having to press F2 to rerender all inline math.

I guess Dropbox violates user’s privacy in a multi-threaded fashion. ;-)

This looks like a GDPR breach. Does anyone know where I can find the details for the Dropbox GDPR representative?

Why is it a GDPR breach when a Dropbox screen clearly explains to the user clicking the link that other users will see your details if you proceed? (Just curious, it may well be an issue, I just don’t know how).

If I understand correctly, this warning/explanation only appears for the user sharing the document, not for anyone else who opened it (and whose information is still embedded).

That’s not correct. Unless there’s been a temporary regression then the warning explicitly happens for the person opening the document (the person you have shared it with)

GDPR, as I understand, does not allow removing unrelated features if someone does not agree to have their privacy broken. For example, opting out of ad tracking cannot make the site be blocked for me. In this case, there is no opt out button other than not using the feature and the feature does not require this information sharing.

> opting out of ad tracking cannot make the site be blocked for me.

Does this apply to cookies? I am asking because a lot of websites have "necessary" cookies and there is no way to opt out of them (other than by closing the tab), and if there is and you do, then you cannot proceed further. I really do not understand why some cookies would be necessary to view a page though, but I have seen this on A LOT of sites.

You do not need consent for necessary cookies.

Then what is the reason for websites asking me to accept? Some websites also offer me the ability to select/deselect some cookies, but cannot deselect "necessary" cookies. There are websites that do not function until I accept. Some sites explicitly state this, and they do ask me to accept/consent.

Example: https://edigital.sk

On the right, you will see a down-arrow, click on that. You can clearly see the first checkbox on the left being checked and disabled, it is the "necessary" or "essential" cookies to what I am referring. You cannot deselect. On top of that, there is no way to close the popup (?), it is by design. Of course there are ways to circumvent it, but that is besides the point.

There are many other websites like this, but I cannot remember them. :/

I am not seeing anything on your example. But necessary cookies are things without which the site cannot function (like logging in).

I suppose most of the time the box is there to allow you to consent to additional cookies as well.

There are also a lot of broken implementations out there.

Found another one: https://www.technorms.com

You must click on "Continue with Recommended Cookies", or you cannot use the site (you could use uBlock to block the element, but that is besides the point).

Essentially Dropbox is arguing that, due to the way they have implemented it, the feature does require this information sharing.

While it clearly could be implemented many different ways, and I agree Dropbox should do better in this case, I think this is one of the difficulties in enforcing something like GDPR. Almost anything could be made to work in an anonymous way, so where do you draw the line? When signing up for Facebook or an email account, for example, there is no reason they need my phone number. Sure, they say it is for password reset purposes, but there are other solutions for this, or I can simply agree not to be able to reset the password for that account... etc.

>Essentially Dropbox is arguing that, due to the way they have implemented it, the feature does require this information sharing.

I'm honestly curious, which part of the feature requires every user to know every other user who has viewed the page?

My point was that no, of course the feature doesn't require it, but their particular implementation of the feature does. For example, maybe they implemented per-user sharing first, which obviously would need to know who is accessing the document. Then they realized there are some use cases for sharing the document publicly, but they basically just treated this (internally, i.e. according to their implementation) as a wildcard in the authentication portion. That is to say, the public sharing works exactly the same as the per-user sharing, but with a * in the "allowed users" field.

Clearly it doesn't have to and should not be this way. My point was that:

1. They are saying that their particular implementation did require it to be this way.

2. Almost every web app could be made to require less private data from the user, however if this is something that GDPR is going to enforce then there will end up being some subjective analysis (according to non-tech lawyers?) as to whether a particular implementation was in violation.
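The "public sharing is just a `*` in the allowed-users field" design described in the comment above, placed beside a version where link access is its own grant, as an added example. This is not Dropbox's code (Paper's internals are not public) and not from any poster in this thread; the `User`/`Doc` classes, the function names and the emails are constructed for illustration. The hardened half also models the "anonymous viewer" behaviour attributed to Google Docs earlier in the thread, and restricts document-wide mentions to explicit collaborators so a link viewer cannot message everyone who ever opened the link.

```python
"""Two viewer-visibility models for a link-shared document (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC = "*"  # wildcard entry in the allow-list, as the comment above describes


@dataclass(frozen=True)
class User:
    name: str
    email: str


@dataclass
class Doc:
    owner: str
    allowed: set = field(default_factory=set)   # explicit collaborators (emails)
    link_sharing: bool = False                  # hardened model: a separate flag, not '*'
    views: list = field(default_factory=list)   # identities recorded on view
    anonymous_views: int = 0                    # hardened model: link viewers are only counted


# --- Flawed model: "anyone with the link" is '*' in the allow-list --------------------
# (assumes a logged-in requester; that is what makes the identity available to leak)

def can_view_wildcard(doc: Doc, user: User) -> bool:
    return PUBLIC in doc.allowed or user.email in doc.allowed


def record_view_wildcard(doc: Doc, user: User) -> None:
    # Every viewer who passes the check is stored with full identity, because the
    # public case reuses the code path written for named collaborators.
    if not can_view_wildcard(doc, user):
        raise PermissionError("not allowed")
    doc.views.append(user)


def viewers_wildcard(doc: Doc, requester: User) -> list:
    # Anyone who can view (i.e. anyone at all) gets the full viewer list.
    if not can_view_wildcard(doc, requester):
        raise PermissionError("not allowed")
    return [(u.name, u.email) for u in doc.views]


# --- Hardened model: link access is its own grant and discloses no identity -----------

def is_collaborator(doc: Doc, user: Optional[User]) -> bool:
    return user is not None and user.email in doc.allowed


def can_view(doc: Doc, user: Optional[User]) -> bool:
    return doc.link_sharing or is_collaborator(doc, user)


def record_view(doc: Doc, user: Optional[User]) -> None:
    if not can_view(doc, user):
        raise PermissionError("not allowed")
    if is_collaborator(doc, user):
        doc.views.append(user)        # named collaborators are visible to each other
    else:
        doc.anonymous_views += 1      # link viewers (logged in or not) are only counted


def viewers(doc: Doc, requester: Optional[User]) -> dict:
    if not can_view(doc, requester):
        raise PermissionError("not allowed")
    if is_collaborator(doc, requester):
        return {"collaborators": [(u.name, u.email) for u in doc.views],
                "anonymous": doc.anonymous_views}
    # Someone arriving via the public link learns nothing about other viewers.
    return {"collaborators": [], "anonymous": doc.anonymous_views}


def mention_recipients(doc: Doc, requester: Optional[User]) -> list:
    # A document-wide mention resolves only to explicit collaborators, and only
    # a collaborator may trigger it, so the viewer log is never a mailing list.
    if not is_collaborator(doc, requester):
        raise PermissionError("only collaborators can mention the document")
    return sorted(doc.allowed)


def demo() -> dict:
    alice = User("Alice", "alice@example.com")    # constructed collaborator
    bob = User("Bob", "bob@example.com")          # constructed collaborator
    stranger = User("Mallory", "m@example.org")   # logged-in user holding only the link

    flawed = Doc(owner=alice.email, allowed={alice.email, PUBLIC})
    for u in (alice, stranger):
        record_view_wildcard(flawed, u)
    leaked = viewers_wildcard(flawed, stranger)   # stranger sees Alice's name and email

    hardened = Doc(owner=alice.email, allowed={alice.email, bob.email}, link_sharing=True)
    for u in (alice, stranger, None):             # None = not logged in at all
        record_view(hardened, u)
    return {"leaked": leaked,
            "stranger_sees": viewers(hardened, stranger),
            "alice_sees": viewers(hardened, alice)}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that "who may open this" and "who may learn who opened this" are two different authorization questions; folding public access into the allow-list answers the first and silently answers the second with the same yes.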

I’m not an expert in the matter, but I’m sure just explaining some bad behavior does not make it legal if it were illegal.

Just read the tweet. It's not just any user. It's everyone on the internet.

I mean, if they ask you... seems fine to me?
