A security engineer has complained that a feature of Dropbox Paper, a document collaboration tool, leaks email addresses by design.
Koen Rouwhhorst observed on Twitter that “If you share a Dropbox Paper document publicly, any viewer can see the full name and email address of any Dropbox user who ever opened that document, which seems problematic.”
Dropbox support responded to insist that “privacy considerations are built into how we design our features” but that “displaying this information is needed to enable collaboration and security features for our users.”
The Reg took a careful look at this feature. If you create a document in Dropbox Paper, it is shared by default, it seems, even with write permissions, but only if another person knows the URL, which is suitably long and scrambled.
A Dropbox Paper document is shared read/write by default
Now, if someone gets to know the link, because in your enthusiasm you posted it on social media, or sent to your contact and they posted it, they may click the link and visit the page. On arrival, if they are logged into Dropbox, a warning displays, though in faint type, that says “when you open a doc, your name, email, avatar photo and viewer and visit information is always visible to other people in it.”
That information persists after you leave the page, though Dropbox distinguishes between active and inactive viewers. Anyone else logged into the document can see the names and email addresses of all the others.
If, on the other hand, you click the link without being logged into Dropbox, the document displays but you are shown to other users as a guest, and cannot comment or edit on the document.
Since users may well be logged into Dropbox by default, it is likely they will see the warning and, if they proceed, share their name and email address. All of this is fine in the context of a team where people know each other, but unsuitable if you want to use Dropbox Paper like a blog or website and invite the world to view.
The onus is on users to do the sensible thing.
Dropbox CEO: I will make your worklife a calmer experienceREAD MORE
Dropbox is right about the clarity of the warning, though making the settings read-write by default via magic links seems wrong from a security perspective.
Another snag with this feature is that if any one member of the team leaks the magic link, all the names and email addresses of those who have visited the document are displayed to any other logged-in visitor.
Luckily Dropbox Paper has not taken off as far as we can tell.
This may be another good reason to log out of websites like Dropbox after every session, inconvenient though it is. And if you use Dropbox Paper, that "people invited to this doc" setting seems to us a lot safer. ®