Oops! Dropbox announced it is killing existing shared links where documents include ordinary hyperlinks to websites. The problem is the plain old referrer in the header tells that website the URL the inbound link came from. That’s a standard way sites know where their non-direct traffic is coming from. In this scenario, however, the referrer is the URL of the shared dropbox document.
The symptom Dropbox users will experience? Complaints from recipients that the link they were given doesn’t work (if in doubt check the link yourself).
From the Dropbox post on the issue:
While we’re unaware of any abuse of this vulnerability, for your safety we’ve taken the following steps to make sure this vulnerability can’t be exploited:
- For previously shared links to such documents, we’ve disabled access entirely until further notice. We’re working to restore links that aren’t susceptible to this vulnerability over the next few days.
- In the meantime, as a workaround, you can re-create any shared links that have been turned off.
- For all shared links created going forward, we’ve patched the vulnerability
Here’s how to rebuild affected links.