Dropbox Paper exposed the names and emails of everyone who viewed a public doc
September 2019
Anyone viewing a publicly shared Dropbox Paper document could see the full names and email addresses of every signed-in Dropbox user who had ever opened it — turning a collaboration feature into a personal-data harvesting tool.
What happened
Dropbox Paper, the company's collaborative document product, displayed viewer information to support real-time collaboration. In September 2019, security engineer Koen Rouwhorst publicized that when a Paper document was shared publicly, any logged-in viewer could see the full names and email addresses of all other Dropbox users who had accessed it — and that this information persisted.
Reporting by The Register ('Dropbox Paper: Handy for collaborating... oh and harvesting email addresses, too') and others noted the design was reasonable for a known team but dangerous for public links: because Paper docs were shared via long 'magic' URLs that people routinely posted on social media, an attacker could crawl for public Paper URLs and harvest the personal details of large numbers of Dropbox users who had merely clicked a link. A warning that a viewer's identity would be shown was presented only in faint type, and a signed-in user could not hide their identity from the document owner.
Impact
The flaw illustrated how 'viewer info' and read-receipt-style features can surface private behavior — who looked at what, and when — and leak it to strangers. For users it meant that simply opening a shared Paper link while logged in could expose their real name and email to anyone else with the link, a vector useful to spammers, doxxers, and phishers.
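The design point behind this incident is that viewer identities were released on the same terms whether the audience was a known team or anyone holding a public link. The following is an added illustration, not code from the article or from Dropbox: a small Python model in which the viewer list is produced by one function that keys its disclosure on the share mode. The class and function names, the share modes and the sample accounts are all assumptions constructed for the example.

```python
# Added example: viewer-identity disclosure as a share-mode-aware policy.
# Hypothetical model, not Dropbox Paper's code; all names here are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class ShareMode(Enum):
    TEAM = "team"                # audience is a known, enumerable set of members
    PUBLIC_LINK = "public_link"  # audience is anyone who holds the URL


@dataclass(frozen=True)
class Account:
    user_id: str
    full_name: str
    email: str


@dataclass
class Document:
    doc_id: str
    owner: Account
    share_mode: ShareMode
    members: Set[str] = field(default_factory=set)      # user_ids with TEAM access
    views: List[Account] = field(default_factory=list)  # signed-in viewers, in order


def record_view(doc: Document, viewer: Account) -> None:
    """Record that a signed-in account opened the document."""
    doc.views.append(viewer)


def viewer_list_leaky(doc: Document, requester: Account) -> List[Dict[str, str]]:
    """The behaviour the article describes: every account that can open the
    document receives the identity of every signed-in viewer, regardless of
    how the document was shared and of who is asking."""
    return [{"name": v.full_name, "email": v.email} for v in doc.views]


def viewer_list(doc: Document, requester: Account) -> Dict[str, object]:
    """Share-mode-aware disclosure.

    TEAM docs: the owner and members see full viewer identities (the
    collaboration use case the feature was built for).
    PUBLIC_LINK docs: identities are never released to link holders; the owner
    sees only a distinct-viewer count, and other link holders see nothing.
    """
    distinct = {v.user_id for v in doc.views}
    is_owner = requester.user_id == doc.owner.user_id
    if doc.share_mode is ShareMode.TEAM and (is_owner or requester.user_id in doc.members):
        return {
            "viewers": [{"name": v.full_name, "email": v.email} for v in doc.views],
            "distinct_count": len(distinct),
        }
    if doc.share_mode is ShareMode.PUBLIC_LINK and is_owner:
        return {"viewers": [], "distinct_count": len(distinct)}
    return {"viewers": [], "distinct_count": 0}


def make_sample() -> Dict[str, object]:
    """Constructed sample data: one public-link doc and one team doc."""
    owner = Account("u1", "Owner Person", "owner@example.test")
    alice = Account("u2", "Alice Example", "alice@example.test")
    bob = Account("u3", "Bob Example", "bob@example.test")
    stranger = Account("u4", "Link Holder", "holder@example.test")

    public_doc = Document("d-public", owner, ShareMode.PUBLIC_LINK)
    for viewer in (alice, bob, alice):   # alice opens the link twice
        record_view(public_doc, viewer)

    team_doc = Document("d-team", owner, ShareMode.TEAM, members={"u2", "u3"})
    for viewer in (alice, bob):
        record_view(team_doc, viewer)

    return {"owner": owner, "alice": alice, "bob": bob, "stranger": stranger,
            "public_doc": public_doc, "team_doc": team_doc}


if __name__ == "__main__":
    s = make_sample()
    print("leaky, stranger on public link:", viewer_list_leaky(s["public_doc"], s["stranger"]))
    print("policy, stranger on public link:", viewer_list(s["public_doc"], s["stranger"]))
    print("policy, owner on public link:  ", viewer_list(s["public_doc"], s["owner"]))
    print("policy, member on team doc:    ", viewer_list(s["team_doc"], s["alice"]))
```

The point of the model is that the audience of a public URL is unbounded and unknown, so the only safe default for that mode is to release no per-viewer identity at all; the owner's legitimate "is anyone reading this?" need is met with a count, which cannot be turned into a list of accounts by crawling public links.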