Help me to understand: how is this different than publishing scans of documents found in a public dumpster? If you don't want your credit card bills published on the internet, shred all your mail before throwing it away. If you don't want me to republish the contents of your semi-private URL's, encrypt everything.
Yes, in theory the public could have accessed this information on their own, but why would it be polite or desirable to republish it? At a first glance, this looks like an immature stunt of the sort I'd hope would be scorned. I'm not arguing that it's illegal -- just rude.
Are people voting this up to encourage more such stunts? To call attention to the risks? Why?
Hi, I submitted the post as an attention call. Actually, one of the published CVs was mine and the author of the post contacted me about the issue.
From my point of view any sensitive personal data (CVs) has been erased from the post. My hope is that nobody commits the same error I did (put my cv in the public folder with a obvious name, and then forget it was there).
I hope this makes enough noise so the people from Dropbox change the public URLs to use randomized names. Meanwhile I'll use unique, random names if I want to share a file with personal data and keep it published the smallest amount of time possible.
Well, this was just scanning the public/ folders, the files in which are accessible to anyone that has (or, in this case, can guess) the link.
Now, if it's something you absolutely must keep private, you shouldn't even store it in the private parts of your dropbox folder, but for things where it's not a huge deal if it ends up public, Dropbox is reasonably safe assuming you're not stupid about it (strong password, etc).
As far as I can tell, private folders are also subject to this URL leaking problem, but in a somewhat limited way.
If someone can grab the URL to your "recent changes" RSS feed (events.xml), they can watch every file change you make, and view any image you upload, without being logged in to your account.
If anyone from Dropbox wants to correct me on this, or wants more details, my contact info is in my profile.
Thumbnails, but yes. Just tested it. Wasn't aware of that, but doesn't matter too much for me. I don't use it for images, am not ashamed of my images, and you only see what file was changed, not the changes made. An unlikely security problem, but probably a bad idea anyway.
With a little complaining, I'd bet they'd put up an opt-out option, take out image thumbnails, and hopefully a layer of security over the feed.
i suppose a lot of sites don't think too much about it, but putting a user/account id in a url gives away quite a bit of information. putting aside the recommendations for not putting an internal id in a url just because it may change and break existing links, there are some privacy concerns as well.
in a cms-type application, it may let a recently-subscribed customer (or competitor) know how many other customers are stored in the system, even if they can't view the other records. it may also be used to determine a signup date if that is at all useful.
in file-hosting type scenarios like dropbox, it allows for brute force scanning like this. instead of using /u/1, /u/2, use the user's username, or a randomly-generated key/guid associated that maps to the user's account.
Yes, in theory the public could have accessed this information on their own, but why would it be polite or desirable to republish it? At a first glance, this looks like an immature stunt of the sort I'd hope would be scorned. I'm not arguing that it's illegal -- just rude.
Are people voting this up to encourage more such stunts? To call attention to the risks? Why?