Dropbox disables links to all shared files after security vulnerability

Dropbox has disabled all links to all shared files after the company became aware of a web vulnerability that impacts shared links to files containing hyperlinks. The issue is in referral headers which tells a website from which other website an user is referred. This feature is implemented in all browsers and used for authorisation but also by web analytics software to check from which website visits originate.


Dropbox users can share links to any file or folder in their Dropbox which are only accessible to people who have the link. Unfortunately for Dropbox users, shared links to documents can be inadvertently disclosed to unintended recipients.

For this to happen a Dropbox user has to share a link to a document (e.g. HTML or Word) containing hyperlinks to a third-party website. Once the link is clicked, the webmaster of the third-party website can view the incoming link in e.g. web analytics software. The incoming link is the link to the shared file which means it can now also be viewed by the third-party webmaster.

To solve the issue, Dropbox has now disabled access to all shared links until further notice while the company is working to restore links that aren’t susceptible to this vulnerability. As a workaround you can re-create any shared links that have been turned off. For all shared links created going forward, Dropbox has patched the vulnerability.

Dropbox for Business customers are advised to restrict shared link access to people in their Dropbox for Business team as links created with those access controls were not affected.