Those files you’re storing on cloud services like Dropbox or Box may not be as secure as you think.

Both services, like other cloud-storage providers, allow users to share links to their stored documents. But sending those links out, even to trusted individuals, can also inadvertently give third parties access to your files as well, according to findings publicized by the file-sharing company Intralinks—which, by the way, is a competitor to both Box and Dropbox.

Dropbox says it’s working to fix the problem by disabling any previously shared links that might be vulnerable to leakage. Box released an email statement saying that it has found no evidence that anyone has abused such “open links” and touting the various privacy settings it offers its users to “help manage access to their content.”

Intralinks chief security officer John Landy wrote that his company inadvertently stumbled upon the vulnerability in the course of running a Google Adwords campaign that mentioned its competitors. That campaign turned up shared-file URLs that led straight to sensitive files that ordinary users had stored on Box and Dropbox—including bank records, mortgage applications and tax returns. Security blogger Graham Cluley, who also blogs for Intralink, provides some examples.

How That Leakage Happens

How, exactly, that happened involves some conjecture. Landy wrote that some Dropbox and Box users apparently created shared links to their files, which they or their recipients then mistakenly entered into a browser search box instead of the URL bar. Doing so and then clicking on an ad—which may seem a fairly unlikely occurrence, at least until you multiply it by the number of people sharing files across the Internet—would then send the file’s URL to the ad network.

One Intralinks executive quoted by Cluley estimated that in one of the company’s Adwords campaign, five percent of all hits (presumably meaning ad clicks) yielded URLs to private files, half of which required no password to access. That “small” campaign turned up more than 300 documents.

There’s also a second way links to private files could leak out to the world. If a shared Dropbox or Box document itself contains links to other sites, clicking on one will pass along the document’s URL to the next website as part of what’s known as a referer header, where administrators of the second site could see it.

It’s not clear if similar vulnerabilities exist for other cloud-storage services such as Google Drive or Microsoft OneDrive.

No Password Required

The problem for Box and Dropbox is that they don’t make their shared links more secure, Landy wrote. Recipients of shared links should have to log into the service to authenticate themselves by default, he suggested.

Dropbox engineering vice president Aditya Agarwal said in a blog post that his company hasn’t detected any malicious attacks involving shared file URLs. Dropbox decided to disable any affected document links anyway. The vulnerability has been patched for any shared links going forward, so only previously shared items are affected.

Dropbox customers can recreate their shared links, and the company will restore old links as it confirms that particular documents aren’t vulnerable. Agarwal also noted that Dropbox for Business users can require password access to shared files; ordinary users of Dropbox’s free service don’t have that option.

The Dropbox post only addresses one of the two vulnerabilities outlined by Intralinks—the leak-via-referer-header method. In an update, Agarwal wrote that Dropbox is aware that file URLs could leak via search engines that pass them to ad partners, but said that issue is “well known” and that the company “doesn’t consider it a vulnerability.”

Like Dropbox for Business customers, users of Box can also require passwords for file access, although in neither case is that security feature turned on by default. “Box also displays a message to help users understand the permissions for their content,” a Box spokesperson said via email.

Image of Dropbox CEO Drew Houston by Adriana Lee for ReadWrite