date 2019-09-24

This "feature" is just waiting to be abused. It is trivial to crawl for public Dropbox Paper document URLs, and harvest personal details of tens (or hundreds?) of thousands of Dropbox users who have opened those documents.
Something you should be aware of as a Dropbox user, because Dropbox considers this to be a feature, not a privacy bug. Also, there is no way to hide your personal details.
Why not report this to http://hackerone.com/dropbox ?
This is considered a feature, not a bug. It was a conscious design decision.
It is enshrined in their UI and copy (e.g. "...your name, email, avatar photo, and viewer and visit information is always visible to other people in [the document]").
Hmm alright. Probably still worth reporting. Security issues are not always concrete technical bugs, they can also be design and QA oversights.
I totally agree. It is just that I do not have good experiences reporting these kinds of privacy-related product design issues to security teams.
Just testing this out - and apparently it does warn you (I tried accessing a Paper link found with google dorks, whilst logged in) and got this:
Yes, which shows it was a conscious product design decision. Interestingly, you don't get this warning when you open a document that was publicly shared by someone else in your organization.
I’m assuming that’s a bug. Not the lack of notification for passive viewers, but the logging and publishing their info. Dropbox has a really good bug bounty program and a really great privacy team, you should give it a go. They usually pay $$$.
You can also see & edit docs with an expired session. I reported it through their security bug bounty. They paid me $250 and never fixed it.
Closed as "won't fix" or just not fixed? Are you sure you are not violating their non-disclosure terms you agreed to when submitting the report through HackerOne? I don't want you to be banned from their program!
Just went back and read the email. They decided to clarify the documentation. So I guess that’s wontfix.
Are you able to write-up the process to view Dropbox docs with expired sessions? Would be interesting to share notes.
Well, I guess @DropboxSupport might have some issues with the GDPR regulation if they don't have the explicit consent... feature or not... @CNIL_en
Sounds like a great way to build a honeypot. Post something political or sensitive in some way, share the link virally and farm the details of those who visit. Sadly this doesn't surprise me.
Which also breaks their HIPAA compliance, I would assume... Gotta bring this up to my bosses this morning!
