Dropbox takes a peek at some kinds of uploaded files. That’s normal, the Web storage service says.
The disclosure comes after a test of the service found that several “.doc” files were opened after being uploaded to Dropbox.
The experiment involved uploading to Dropbox “.zip” HoneyDocs folders with embedded “.doc” files. HoneyDocs lets users set up a “sting,” or a notification that is sent by SMS or email when a file has been viewed. Where the file has been viewed from is plotted on a map.
The callback, or as HoneyDocs calls it a “buzz,” is an HTTP Get request with a unique identifiers assigned to a sting. The data on when and where the file has been opened is sent over SSL port 443, according to HoneyDocs.
WNC InfoSec wrote the first buzz came back within 10 minutes after a file was uploaded with the IP address of an Amazon EC2 instance in Seattle. Dropbox uses Amazon’s cloud infrastructure.
Of the submitted files, only “.doc” files had been opened, WNC Infosec wrote. HoneyDocs also pulled information on the type of application which accessed the document, which in this case was the open-source productivity suite LibreOffice.
Things that make you say hmmm
“So now I’m curious,” WNC InfoSec wrote. “Are the files being accessed for de-duplication purposes or possibly malware scanning? If so, then why are the other file types not being opened?”
Despite the strange behavior, the explanation is straightforward. What WNC InfoSec picked up on using HoneyDocs is automated backend processing that Dropbox does on certain kinds of files.
Dropbox allows users to see previews of some kinds of documents, included “.doc” ones, but it must build a preview of those documents, according to a Dropbox spokeswoman. To do that, the document must be opened.
According to Dropbox’s website, users can open Word, PowerPoint, PDF and text files from directly within their browser, which saves them from needing certain software programs installed on their computer.
Still, the behavior may make some people nervous. Security experts generally recommend that for stronger privacy, users should encrypt documents before transmitting those files to Web-based storage providers.
Dropbox forbids all but a small number of employees from accessing user data. Its technical support staff may in some cases have access to file metadata, or the data identifying a file rather than its content.
“We have strict policy and technical access controls that prohibit employee access except in these rare circumstances,” according to its policy.