Child Item

Able to download non shared files using API

I need to build a simple tool for downloading shared files that can run as a cron job, so I'm learning the API and Java SDK. In my tinkering, I've encountered some behavior that I don't understand. I created an account using my work email, then created an app with that account and genreated a token. Then, in a different browser, I created another account using my personal email and put a couple test files there. Using the Java SDK and the access token I generated from my work account, I was able to download files from my personal account that were not shared. There was nothing in my code that would identify me as the owner of that account, so I don't see how that should be possible. Is this a bug? Was it able to identify me by my IP? Is the link generated by "copy link" usable by anyone without authentication? Just trying to get my head around this.

Find more posts tagged with

API

Abuse

Comments

Здравко

@TC888 wrote:
... Is this a bug? ...

Hi @TC888,

If you can access non shared file in such a way that for sure would be a bug. Is the file non shared really? 🤔 Taking in account following:

@TC888 wrote:
... Is the link generated by "copy link" usable by anyone without authentication? ...

Most probably you are talking here for a shared link. If so, Yes - that's the idea of shared link - providing access to particular resource (file/folder) without account authentication. 😉 Clarify to yourself what actually you are doing! Shared link associated resource can be downloaded with App Authentication, without account authentication.

Hope this helps.

Greg-DB

@TC888 It seems like Здравко has figured this out. It sounds like the link you are referring to is a "shared link", which can be accessed by other accounts by default. This is a sharing feature that allows one user to share files or folders with other users just via that link.

Here are some guides that may be helpful:

https://www.dropbox.com/developers/reference/getting-started
https://developers.dropbox.com/dbx-file-access-guide
https://developers.dropbox.com/dbx-sharing-guide

TC888

Ok, that makes sense. Thanks for the help.