This week, Koen Rouwhorst, a security engineer at Framer, reported that a feature of Dropbox Paper, a document collaboration tool, exposes “the full name and email address of _any_ Dropbox user who ever opened that document, which seems problematic.”
If you share a Dropbox Paper document publicly, any viewer can see the full name and email address of _any_ Dropbox user who ever opened that document, which seems problematic. pic.twitter.com/HkxbE5cJ9r
— Koen Rouwhorst (@koenrh) September 24, 2019
This is considered a feature, not a bug. It was a conscious design decision.
— Koen Rouwhorst (@koenrh) September 25, 2019
Dropbox Support responded that privacy considerations are built into how it designs its features. According to the support team, displaying this information is required to enable collaboration and security features for users, and admins and users are given additional control over who can view a Paper doc.
According to The Register, “if someone gets to know the link, because in your enthusiasm you posted it on social media, or sent to your contact and they posted it, they may click the link and visit the page. On arrival, if they are logged into Dropbox, a warning displays, though in faint type, that says: when you open a doc, your name, email, avatar photo and viewer and visit information is always visible to other people in it.”
Though Dropbox differentiates between active and inactive viewers, this information remains with Dropbox even after the user has left the page. Anyone who has opened the document while logged in will be able to see the names and email addresses of the other viewers. However, a user who clicks the link without being logged into Dropbox is shown to other users as a guest, and cannot comment on or edit the document.
Users may be logged into Dropbox by default, so they might see the warning and, if they proceed, end up sharing their name and email address. This is acceptable when working with a team whose members already know each other.
As per Dropbox’s permissions page, a user can create a private document that is not inside a folder, in which case they are the only person able to edit it. When sharing the doc with others, the user can choose who can open the doc and who can comment or edit. If a user creates a doc within a folder, all the members of that folder can open, search for, and edit the doc.
Users on HackerNews seem to be sceptical about this feature. One user commented on the thread, “Not only that, but Dropbox lets you pick any publicly visible document that’s been viewed by a large number of people and easily spam them simply by writing @doc. I may have just pissed off a lot of people with my experiment. I realized immediately afterwards how reckless that was, but Dropbox – WTF? Why is this even allowed?”
A few others complain about not being notified by the warning: “I just created a Paper document on my Dropbox account and then viewed it on another account. As best I can tell, Dropbox saying there is a notification is a lie. I did not get a visible notification when creating it although there may have been one buried under some links or button. Paper documents are publicly editable by default if you have the URL.”