0

I am very surprised that I linked on a Dropbox URL stored in my web browser's history and, without being logged in, I could see the content of the file.

I have created a new file to test it and, just with the URL that is accessed by the web browser, anyone can see this file which theoretically has never been shared with anyone: https://www.dropbox.com/scl/fi/eprarh4pibp39mrrgsqw6/Document.docx?dl=0&new=1&rlkey=ghlowj8k67bf5vljtr6jkv42b

I know that you will say that the URL is "secret", but URLs can be seen:

  • By other users even if I have logged out from Dropbox.
  • The ISP.
  • Anyone who guesses a URL (probably this is impossible in practice).

Do you know if this is normal? Isn't it a big security concern?

Improve this question
8
  • security.stackexchange.com/q/107941
    – Kamil Maciorowski
    Commented Mar 31, 2021 at 22:36
  • Did you change the share permissions on the file? This seems more like a Web Applications Stack Exchange question due to the nature of the DropBox service itself rather needing help with the desktop application
    – Ramhound
    Commented Mar 31, 2021 at 22:37
  • No. It's just a newly created document and I pasted the URL that Firefox showed when I was creating it. I didn't ask Dropbox for a sharing URL or change the sharing permissions at all.
    – user1314836
    Commented Mar 31, 2021 at 22:42
  • @user1314836 - So what are the permissions of the file. Difficult to determine if this is something that was intended or something hat shouldn't have happen. However, either way, it's probably a question for Drobox not Super User. Do you make a habit of allowing other users to use the same Windows/Linux user profile?
    – Ramhound
    Commented Mar 31, 2021 at 22:50
  • I will redirect the question to Dropbox, of course. I couldn't find anything about this on its help or in Google and this security-concerning approach suprised me a lot. I don't have the habit of anyone using my computer, of course, but thinking that just having a URL someone can have access to confidential data is not very relieving, specially because there is no way to know if someone is accessing a file... which hasn't been shared externally. What if some years ago someone guessed the URL of a confidential company file? No way to know who is reading it.
    – user1314836
    Commented Mar 31, 2021 at 22:59

0

Reset to default

You must log in to answer this question.

Browse other questions tagged .