The 2014 shared-link leak: 'private' documents exposed via referer headers and search
May 2014
Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.
What happened
In May 2014 the security firm Intralinks reported that 'private' Dropbox shared links were leaking to outside parties. Routine analysis of Google AdWords and Analytics data had surfaced fully clickable URLs leading to sensitive documents — tax returns, bank records, mortgage applications, blueprints, and business plans — that their owners believed were accessible only to people they had given the link to.
The leak worked two ways. First, when a shared document contained a hyperlink to an external site, clicking that link passed the secret Dropbox URL to the third-party site in the HTTP referer header; whoever ran that site could then open the 'private' document. Second, if a user pasted a shared link into a search box instead of the address bar — a common mistake — the URL could end up indexed and appear in search results. In both cases the underlying weakness was that Dropbox's shared links functioned as 'security through obscurity': knowing the URL was enough to open the file.
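To make the referer mechanism concrete, here is an added example (not from the original report or from Dropbox): a small Python model of the Referer value a browser sends under each Referrer-Policy, so a site operator can see which policies keep a capability URL's secret path from reaching a cross-origin link target. The share URL, the third-party hostnames and the function names are constructed for illustration, and the browser rules are simplified from the W3C Referrer Policy spec.

```python
from urllib.parse import urlsplit, urlunsplit
# Constructed capability URL standing in for a shared link (not Dropbox's real format).
SHARE_URL = "https://files.example/s/CONSTRUCTED-SECRET-TOKEN/tax-return.pdf"

def _host(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def _full(url):
    # Browsers always strip userinfo and the #fragment before sending a referrer.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def referer_sent(policy, page_url, target_url):
    """Referer a browser sends for a link from page_url to target_url under the
    given Referrer-Policy (None = header omitted). Simplified W3C semantics:
    'downgrade' = https -> http; '' = modern default strict-origin-when-cross-origin.
    2014 browsers defaulted to no-referrer-when-downgrade, which leaked the links."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(page_url)
    if policy == "same-origin":
        return _full(page_url) if same_origin else None
    if policy == "origin":
        return _origin(page_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url)
    if policy == "origin-when-cross-origin":
        return _full(page_url) if same_origin else _origin(page_url)
    if policy in ("", "strict-origin-when-cross-origin"):
        if same_origin:
            return _full(page_url)
        return None if downgrade else _origin(page_url)
    if policy == "unsafe-url":
        return _full(page_url)
    raise ValueError(f"unknown Referrer-Policy: {policy!r}")

def leaks_secret(policy, page_url, target_url):
    """True if the referer carries more than the page's origin, i.e. the
    secret path of a capability URL would land in the target site's logs."""
    ref = referer_sent(policy, page_url, target_url)
    return ref is not None and ref != _origin(page_url)
```

Sending `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) on the page that renders a shared document, or marking its outbound links `rel="noreferrer"`, is the defender-side setting the model illustrates.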
Dropbox confirmed and patched the issue, disabling access to previously shared links to documents that could be affected and fixing newly created links, while saying it was unaware of any actual abuse.
Impact
The incident punctured the assumption that a Dropbox 'shared link' was meaningfully private and showed that a convenience feature could expose deeply sensitive personal and corporate documents to strangers. It forced Dropbox and the similarly affected Box to rethink shared-link security, accelerated the move toward link passwords and expirations, and became a standard cautionary example of how referer-header leakage and unguessable-URL designs fail in practice.