The disclosure comes after a test of the service found that several “.doc” files were opened after being uploaded to Dropbox.
Dropbox’s behavior was detected using HoneyDocs, a new Web-based service that creates a log showing when and where a document was opened, according to a blog post at WNC InfoSec.
The experiment involved uploading HoneyDocs “.zip” folders, each containing embedded “.doc” files, to Dropbox. HoneyDocs lets users set up a “sting,” a notification sent by SMS or email when a file has been viewed. The location the file was viewed from is plotted on a map.
The callback, or “buzz” as HoneyDocs calls it, is an HTTP GET request carrying a unique identifier assigned to the sting. The data on when and where the file was opened is sent over SSL on port 443, according to HoneyDocs.
WNC InfoSec wrote that the first buzz came back within 10 minutes of a file being uploaded, reporting the IP address of an Amazon EC2 instance in Seattle. Dropbox uses Amazon’s cloud infrastructure.
Of the submitted files, only the “.doc” files had been opened, WNC InfoSec wrote. HoneyDocs also pulled information on the type of application that accessed the document, which in this case was the open-source productivity suite LibreOffice.
“Unlike Facebook, for example, uploading documents to Dropbox does not give the company the right to do what it wishes with them. You own your data, not Dropbox. And the company promises not to use your data for its own purposes.”
Was it just automated software generating thumbnails for viewing?
As it turns out, Dropbox opens certain file types in order to convert them to a compatible format, so that they are easily accessible via web browser for its users. This makes sense, and it is common practice among cloud storage services: it provides the convenience of browser access without requiring any additional software to open these documents.
So at first, I was under the impression that only Dropbox had opened the HoneyDocs files. Now I realize the possibility that any cloud storage service (which provides thumbnail previews or allows access to certain types of documents within a browser) may also need to open these files and copy/index some of the content within. The other services could possibly have been blocking the external resources from being loaded within the documents that included the embedded links, or disregarding them altogether. This turned out to be a theoretical security issue that Andrew Bortz (Security Team Lead at Dropbox) decided to address, as mentioned in this Hacker News thread.
Some additional privacy concerns are addressed here, “Three Reasons Why Dropbox Previews Are Security & Privacy Nightmares.” One suggestion that came up was to grant users the ability to disable this ‘preview’ functionality. That seems like a reasonable request, especially for users who exclusively use the desktop client and do not have much use for browser-specific features on their accounts.
At one point you could set up your own HoneyDocs folders to get notified if someone is snooping.
“If it says ‘passwords’ on it, as an intruder, I’m going to open it,” said Carey, who spent more than eight years in the Navy as a cryptographer. He’s also principal developer and researcher with ThreatAgent.com, a security assessment tool.
The idea is for users to place the documents on their file systems and then not touch them. If a document is opened, the Web bug transmits data — known as a “buzz” — back to the user, such as the IP address of the intruder and their approximate location. The buzz is an HTTP GET request with a unique identifier that is assigned to a sting.
HoneyDocs is a subscription service, and users can see approximately where the intruder is on a map for free. Users can upgrade their subscription to get an email or SMS alert when fresh buzzes are transmitted.
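As an added illustration (not HoneyDocs’ own code), here is the receiving half of the callback described above: a Python handler that accepts the HTTP GET “buzz”, checks its token against a registry of known stings, records the source IP and the application named in the User-Agent, and flags callbacks from address ranges you expect to render previews, which is exactly the case the Dropbox test ran into. The `/buzz/<token>` path, the token values, the sting registry and the `203.0.113.0/24` range are all assumptions; TLS on port 443 is assumed to be terminated in front of this handler.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical sting registry: callback token -> decoy document it is embedded in.
STINGS = {"a1b2c3d4": "pwds.doc (decoy uploaded to cloud storage)"}
# Constructed placeholder range for a service you *expect* to render previews of your
# files (your own storage provider); replace with ranges you have verified yourself.
EXPECTED_RENDERERS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class Buzz:
    token: str
    label: str
    source_ip: str
    application: str      # product name from the User-Agent, e.g. "LibreOffice"
    seen_at: datetime
    likely_preview: bool  # source is an expected renderer, not necessarily an intruder

def parse_request_line(line: str):
    """'GET /buzz/<token>?v=1 HTTP/1.1' -> (method, token); token is None if not a buzz."""
    parts = line.split()
    if len(parts) < 2:
        return None, None
    segments = [s for s in urlparse(parts[1]).path.split("/") if s]
    if len(segments) != 2 or segments[0] != "buzz":
        return parts[0], None
    return parts[0], segments[1]

def application_from_user_agent(user_agent: str) -> str:
    """Keep only the product name: 'LibreOffice/4.1 (Linux)' -> 'LibreOffice'."""
    return user_agent.split("/", 1)[0].strip() or "unknown"

def record_buzz(request_line: str, headers: dict, source_ip: str, now: datetime = None):
    """Turn one inbound callback into a Buzz, or None if it carries no registered token.
    Unknown tokens are dropped silently so scanners and typos never raise an alert."""
    method, token = parse_request_line(request_line)
    if method != "GET" or token not in STINGS:
        return None
    ip = ipaddress.ip_address(source_ip)
    return Buzz(
        token=token,
        label=STINGS[token],
        source_ip=source_ip,
        application=application_from_user_agent(headers.get("User-Agent", "")),
        seen_at=now or datetime.now(timezone.utc),
        likely_preview=any(ip in net for net in EXPECTED_RENDERERS),
    )
```

A buzz with `likely_preview` set is worth logging but not paging on; one from an unexpected address, like a browser opening `pwds.doc`, is the tripwire firing.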
Create fake files and upload them to free cloud space to protest the invasion of privacy. Name them things like pwds.doc or keepout.doc and put links in them to images that when viewed record IP address and trigger sending you an alert. It won’t tell you much really. You’ll end up getting fake locations from those using things like TorBrowser, but it is one of many digital tripwire techniques you can set up.