Dropbox employs numerous industry-standard measures to prevent our services from being used for malicious purposes. This includes working with trusted third-party vendors to help us identify viruses, malware, and phishing attempts.
One of these trusted vendors* previously helped us identify malicious URLs embedded within documents shared using Dropbox. However, we recently discovered that the URLs we submitted were made visible to our vendor’s other paid subscribers and partners.
As soon as we became aware of the situation, we immediately stopped submitting URLs to the vendor and worked with them to successfully remove the URLs from their database. To be clear: no files were ever submitted. Our investigation found 0.5% of registered Dropbox users and 10% of registered DocSend users were affected. We have no evidence that these URLs were ever exploited by malicious actors.
What happened
On February 28, 2023, based on a report submitted to our bug bounty program, we became aware that URLs originating from Dropbox and DocSend were present in a database used to check for potential malware by the vendor’s paid subscribers and partners. In response, we immediately stopped submitting URLs and began to investigate.
We soon found that, due to an implementation error on our part, URLs—and only the URLs—embedded within a document shared using Dropbox or uploaded to DocSend were visible to the vendor’s paid subscribers and partners. Neither the document itself, or any other information within it, were ever submitted.
In addition, any access controls on the embedded URLs—such as password protection, authentication measures, or other restrictions—remain intact.
Out of an abundance of caution, we worked with our vendor to successfully remove the URLs from their database.
Our tools enable collaboration—but unfortunately, malicious actors often try to use the same tools to trick Dropbox customers and the community into downloading malicious content or redirecting them to malicious sites to steal their data.
To help keep everyone safe online, we have safeguards in place when people use Dropbox to share documents that contain embedded URLs. Checking URLs for malware and phishing is a standard practice across the industry, and using this vendor to check whether URLs in shared Dropbox documents are safe was one of our techniques.
What we’re doing next
Going forward, we’ll be re-evaluating our approach to detecting malicious actors. We plan to rely more on the detection of behavioral signals consistent with malicious actors, and find creative new ways to limit malicious use of our APIs. Our goal remains the same as ever: to strike the right balance between protecting our customers and the wider online community while also staying worthy of trust.
- Dropbox users who want to know if the URLs in any of their documents were submitted to our vendor can reach out to support-shared-urls@dropbox.com.
- If a URL points to information that currently has no access controls, users should consider adding a password, disabling sharing, or restricting access through some other means.
- Any additional questions can be directed to support-shared-urls@dropbox.com and we’ll do our best to answer.
~ ~ ~
*We’re not disclosing the name of this vendor per the terms of our contract.
