{"id":10731,"date":"2014-05-07T14:54:05","date_gmt":"2014-05-07T14:54:05","guid":{"rendered":"http:\/\/cloudnewsdaily.com\/?p=14979"},"modified":"2014-05-07T14:54:05","modified_gmt":"2014-05-07T14:54:05","slug":"how-an-adwords-campaign-accidentally-exposed-dropbox-and-box-users-confidential-files","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/how-an-adwords-campaign-accidentally-exposed-dropbox-and-box-users-confidential-files\/","title":{"rendered":"How an AdWords Campaign Accidentally Exposed Dropbox and Box Users\u2019 Confidential Files"},"content":{"rendered":"<p>We previously reported on a <a href=\"http:\/\/cloudnewsdaily.com\/2014\/05\/dropbox-forced-to-kill-shared-links-due-to-security-snafu\/\">Dropbox Security Snafu<\/a> (and their correction for it). Now we&#8217;re learning more about how it came about, and how it was discovered.<\/p>\n<p>There are several ways users can inadvertently leak confidential files, but the real head-scratcher is a user entering the URL of a Dropbox or Box file-sharing link in their browser&#8217;s &#8220;search box&#8221; rather than the &#8220;URL box&#8221;, combined with Google AdWords campaigns by competitors who want their ads to appear when people &#8220;search&#8221; for Dropbox or Box (pretty standard stuff).<\/p>\n<p>The sites running such a campaign then &#8212; completely innocently &#8212; see what users are searching for, and what they are &#8220;searching for&#8221; turns out to be fully-clickable URLs to files that often contain sensitive personal or company data.<\/p>\n<p>If you think that&#8217;s too rare a scenario to worry about, think again:<\/p>\n<p style=\"padding-left: 30px;\"><em>In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. 
This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered.<\/em><\/p>\n<p>That&#8217;s from Richard Anstey of Intralink, the people who stumbled on the issue.<\/p>\n<p>Look at <a href=\"http:\/\/grahamcluley.com\/2014\/05\/dropbox-box-leak\/\">this<\/a> to see (redacted) images of one person&#8217;s tax return, and another&#8217;s mortgage application. Identity theft, anyone?<\/p>\n<p>Read more about <a href=\"http:\/\/collaboristablog.com\/2014\/05\/sensitive-information-risk-file-sync-share-security-issue\/\">how Intralink discovered all this,<\/a> along with some good advice on protecting yourself.<\/p>\n<p><strong>TL;DR: sensitive file? Use a sharing application that offers a password or PIN option.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We previously reported on a Dropbox Security Snafu (and their correction for it). Now we&rsquo;re learning more about how it came about, and how it was discovered. 
There are several ways users can inadvertently leak confidential files, but the one that is the real head-scratcher is a combination of a user entering the URL of [&#8230;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[241,744,186,1749,939,344,1864,1865],"tags":[118],"class_list":["post-10731","post","type-post","status-publish","format-standard","hentry","category-advertising","category-box","category-dropbox","category-file-sharing","category-filesharing","category-google","category-google-adword","category-intralink","tag-security"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/10731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=10731"}],"version-history":[{"count":0,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/10731\/revisions"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=10731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=10731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=10731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}