A file sharing dilemma: Are secret links really secret?

There has been some discussion recently about possible security issues when sharing documents via secret, or rather difficult-to-guess, links in the cloud services Dropbox and Box.

Both Dropbox and Box, but also Google Drive as far as I’m aware, allowed sharing documents with someone via a link, without the need to log in to be able to access it.

It is a flexible function that comes in handy when sharing files, but, as is often the case, functionality comes as a trade-off against security. Secret links are simply not that secret.

How does this affect Projectplace users, where document sharing is one of the core functions? Not at all, actually. When you share a file in Projectplace, it is subject to access controls, and the receiver has to log on before retrieving the document. This limits sharing to those who are members of your project or team, but adds huge security value by preventing unintentional document leaks.

Security researcher Graham Cluley provides suggestions in this highly interesting blog post on how to restrict access to the public files if you are a frequent user of Box and Dropbox.
