Child Item

I've never shared my file, yet I received a request from someone to be added to it.

I received a request through Dropbox, to allow a complete stranger to access a file.

...a file I've never shared with anyone, and should only be visible to me.

The file is a PNG and is something I named, which is less likely that someone could guess. Its not a complex named file, but too many coincidences.

How is someone else able to see the file name, how are they allowed to even make requests for files that were never shared outside of my account? Not maybe .. but NEVER shared, so its not like someone could've sent a share link forward etc..

Given a recent FUBAR configuration problem from dropbox, where it was automatically creating sharelinks for files despite its configuration not to, and that I had to manually go in and delete several hundred links when I discovered the issue, its another concern of a security and privacy violation for a service that is paid to keep our stuff safe.

Basic message received:
=============
[email removed as per Community Guidelines] wants to access your file "xxxxxxx.png." Share this file with *** to let them view it.

Find more posts tagged with

Security

File Access

Shared Files

Disagree

Developer

New

Comments

Megan

Hey @TreborG2, sorry to hear about that!

Is it possible that the folder you mentioned is located inside another shared folder?

Are those requests that you're receiving coming from an official domain from the ones mentioned here?

Generally, this happens when someone who you've shared an item to forwarded the invite email to someone else to join or view the file, or they open the link using another Dropbox account instead of the invited one.

Any additional information is more than welcome!

Keep us posted!

TreborG2

it would be nice if the system allowed us to insert images ... (links are just yet another exposure from inside dropbox)

Basically all of my folders are locked to only me .. and inside some folders (currently 1 and only 1) are images that I share links to.

so when I go to the Dropbox web interface, into folders, only one is named "webshares" and its under there that I will host a folder (currently 10) for items I may MAY want to share some day .. only 1 such folder under webshares has any content that I do openly share and even then its only 2 files, and both of them are only linked to one of my gmail addresses.

The specific folder for this, and the file under it .. when I check locally and online at Dropbox, what I see in permissions, is none - folder settings, Link for Editing and Link for Viewing both show "There isn't a link for xxxx" and offer to create a link for that share type.

The share settings for the singular file in the folder show no-one, and the "unshare file" link when hovered over say "this file hasn't been shared yet"

As permissions go, the least lock should lock the file, not the broadest coverage to unlock. meaning ... even if an above folder is unlocked ... if a lower folder, and lower picture (or file) is locked, they should remain locked.

Say someone could see the folder names .. the folder is locked and not shared .. so why would someone be able to see the file name of a file inside a locked folder? .. the folder not having a share .. might allow the name of the folder be visible to the parent folder ... but the file in that locked folder should not be visible.

And I did think of that ... that maybe the folder this file is in isn't locked ... but confirmed .. it is.

It just seems more likely .. given the last screw up I found .. that this is yet another data leak .. minor though it may be .. it shows there's something leaking, at least it seems pretty clear to me given I've checked everything else I can.

And with that .. I should qualify I didn't reach out to the email address of the person that sent the request .. that would be something I'd rather Dropbox do, to find out how THEY saw a file reference or where, and when so that it can be tracked down.

Hannah

Hey @TreborG2, thanks for the update here.

Can you check and let us know who the sender of the email that you received is?

Not the email address of the person in the body of the email, but the actual sender.

Did the email come from an official Dropbox domain?

TreborG2

yes.. its from Dropbox.. reviewed header .. dkim/spf pass, its not a spoof.

Dropbox <no-reply@dropbox.com>

Authentication-Results: asp-relay-shared.jellyfish.systems;
dkim=pass header.d=dropbox.com header.s=fwekda4pbtfzhnrtrrriuun7z25zrizq header.b=fXScGN7w;
dkim=pass header.d=amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=n3YWZsty;
spf=pass (asp-relay-shared.jellyfish.systems: domain of 01010197501522d5-095b8287-80e2-4488-9270-444524b635a7-000000@ Email.dropbox.com designates 54.240.60.139 as permitted sender) smtp.mailfrom=01010197501522d5-095b8287-80e2-4488-9270-444524b635a7-000000@email.dropbox.com;

Hannah

I see, thanks for the update here.

Have you reached out to our support team about this yet?