Why You Should Check Your Public Dropbox Folders
Here is a task for you. Go to Google, Bing or your preferred search engine, and enter the following search term into the search box at the top: site:http://www.dropbox.com/gallery/
What's the result? Right, 25k unprotected Dropbox photo galleries. You can click on any of the links to see the contents of the selected gallery or folder right in your web browser. (Please note that we are not saying that Dropbox is not doing enough to inform users about that fact.)
Even better, you can combine the default search with additional parameters, e.g. wallpapers, to find themed photos on Dropbox.
Second task. Search for site:http://www.dropbox.com/s/ or site:http://dl.dropbox.com/ and let me know what you find. Right, another batch of public folders hosted on Dropbox, again with the possibility to combine the standard search phrase with custom keywords for filtered results.
I'd assume that at least some of Dropbox's users do not know that their photos and data may be publicly accessible on the Internet. You see, the Dropbox photo folder, or more precisely its subfolders, is public by design. The Dropbox help explains:
The Photos folder automatically creates online galleries. Any image files you move or copy to your Photos folder are automatically included in an online gallery anyone can view from the Dropbox website. People can download the photos or view them as a slideshow. Because you don't have to deal with uploaders or uploading files through a website one by one, the Photos folder is the easiest way to make your images accessible online.
If you use the Dropbox photo folder for your pictures, you make them accessible to anyone, which includes search engine bots. The only way to prevent this is to store the photos in a different folder: create a new photo folder in your Dropbox structure and use it from then on to store your images. The gallery feature, however, is not available in that new folder, which means that other Dropbox users you share the URL with will not be able to view the photos as a gallery in their web browser.
Two folders are public by default: the photo folder and the Public folder. If you copy files into either one, you make them accessible to everyone.
You can share additional folders, but those are only accessible to the users that you specify during creation.
Dropbox users may want to check their public folders to make sure that the data stored inside should indeed be public. You can move the data out of the public folders if that is not the case. (via Caschy)
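A local audit along the lines suggested above, as an added example that is not part of the original article: it lists every file sitting in the Public folder or in a sub-folder of the Photos folder. The folder names come from the article; the Dropbox root path is an assumption passed on the command line, and with no argument the script runs on a constructed sample tree.

```python
import os
import sys
import tempfile

# Folder names as given in the article; the Dropbox root location is an assumption.
PUBLIC_DIR = "Public"
PHOTOS_DIR = "Photos"


def exposed_files(dropbox_root):
    """Return sorted (kind, relative_path) pairs for files that sit in the
    Public folder or in a sub-folder of Photos (a gallery)."""
    found = []
    public = os.path.join(dropbox_root, PUBLIC_DIR)
    for base, _dirs, files in os.walk(public):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), dropbox_root)
            found.append(("public", rel))
    photos = os.path.join(dropbox_root, PHOTOS_DIR)
    if os.path.isdir(photos):
        for entry in sorted(os.listdir(photos)):
            gallery = os.path.join(photos, entry)
            if not os.path.isdir(gallery):
                continue  # files directly in Photos are not part of a gallery
            for base, _dirs, files in os.walk(gallery):
                for name in files:
                    rel = os.path.relpath(os.path.join(base, name), dropbox_root)
                    found.append(("gallery:" + entry, rel))
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample layout, used when no path is given."""
    for rel in ("Public/cv.pdf", "Photos/Holiday/beach.jpg",
                "Photos/loose.jpg", "Documents/taxes.xls"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        root = tempfile.mkdtemp()
        build_sample_tree(root)
    for kind, rel in exposed_files(root):
        print(f"{kind:20} {rel}")
```

Anything the listing shows that should not be public can be moved to a folder outside Public and Photos.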
I think that not all people are so skilled in using applications and at the same time Dropbox assumes by default that people read service levels and disclaimers (is not so assured in most cases…)
While I certainly appreciate a call to awareness about the security of our files, unless I simply misread the article, it seemed misleading regarding the nature of the Photos folder. I read the article to imply that any photos inside the Photos folder would automatically be wide open to the public – this is NOT the case.
To verify this, I did a bit of hunting and found this:
“If you don’t use the links to your photo galleries, your photos are safe and sound from public viewing, nestled securely behind your login.”
( http://www.dropbox.com/help/179 )
If the user chooses to share a link to galleries inside the Photos folder, they are then public, but can later be removed. Please read the Dropbox article for further explanation.
USBman, you actually could be right about this. I only read this “Any image files you move or copy to your Photos folder are automatically included in an online gallery anyone can view from the Dropbox website” http://www.dropbox.com/help/140 which may be a case of bad wording.
Then again there is this sentence: Like files in your Public folder, if you no longer wish to share a particular photo in your public gallery, all you need to do is move it out of the Photos folder.
I will contact Dropbox and ask them directly.
Wonderful – thanks for following up on that! I’m interested in what they say, just as many of your readers likely are!
…and by the way, yeah – I suspect that you’re right, and that it is just a case of bad wording. Let’s hope, anyhow!
Quite frankly, anything stored in the “cloud” should be considered capable of someone else accessing it, perhaps because of this type of situation, perhaps because of a process problem which exposes data which should not have been, or by hacking.
“Caveat emptor” has been a good motto for over 2000 years, even when the price is free.
(Please note that I’m not trying to say ANYTHING negative about DropBox – I’m a very satisfied DropBox user.)
I tried your links. site:http://www.dropbox.com/gallery/ and it doesn’t work for me for Firefox or Safari. What are you trying to pull? I do have photo gallery in my Dropbox photo folder. Explain please
Have you tried to open that link directly? Or did you copy paste it into a search form?
Okay, got it but when they post their gallery online somewhere then the security is lost. It’s not Dropbox’s fault but it’s good to let people know that it can be googled.
Chris no one is saying it is Dropbox’s fault.
Okay, I got that. I think this article is very useful in that it will enlighten readers to what their public folder can do if they post somewhere on the internet. Thanks.
Article is not completely accurate.
Public links and galleries are “public” in that anyone with the exact URL can access them. However, as long as these exact URLs are not crawled by Google, they won’t appear on Google searches. Get it?
So basically, as long as you don’t post the exact URLs in public domain, they are safe and secure.
You mean, as long as no-one with access posts those links right? I’m still confused though. Have not heard back yet from Dropbox.
Here’s what a Dropbox says: http://forums.dropbox.com/topic.php?id=37244&replies=7#post-314659
Interesting, still does not clarify if a user has to create a link first for it to become recognizable by search engines. What we do know is that you should be safe as long as the url does not get posted on the Internet. Thanks for following up on it Chris
It clarifies it perfectly. If the link is posted on teh interwebz, Google can index it. But if you share the link via other means, Google cannot index it. So if I paste a gallery link here, Google can index it because this blog and its comments are searchable by Google.
For the sake of testing, I have myself tried to Google names of files and folders that I know I have made available via public and photo folder, but only via non-searchable means such as IM or mail, and neither turned up.
You are welcome, I wish I knew more about how search engines index stuff. But it’s an interesting read
Chris, they basically index everything they can get their hands on, provided that they are not blocked from doing so by the website.
What an emotional rollercoaster!
I made sure to remove my salacious nose-picking photos; even if this turns out to be a false alarm, I am not going to be caught with my finger in there.
It is truly a blessing that my grandmother doesn’t know how to Google anything.
Maybe some of you guys will be interested, I’ve developed WikiDrop, a little P2P Wiki Air application that stores a wiki file AND an HTML file for the Dropbox public folder.
More information and screenshots here:
Doesn’t really prove anything! The wiki page is public and any links that your public HTML file reads are found posted on the internet. Boo on you to feed the hype. We need to be more responsible to post REAL information and truth.
It would be nice to create another followup blog and make it aware that no need for Dropbox users to be paranoid if they DO NOT post their links on any website. Many are getting paranoid and pulling out of a useful service because of misinformation. It’s a shame that we have been reading from bloggers who thus have good intentions but need to be careful and display the full picture.
Taken from “How to use the Photos folder.rtf” that was put in my Photos folder when I installed Dropbox
“Dropbox photo galleries allow you to share photos with anyone (even non-Dropbox users). These photos will be presented in a photo gallery that is viewable online.
Step 1: Make a folder inside the Photos folder, and give it a name (this will be the name of your photo gallery)
Step 2: Put photos inside the folder you just created.
That’s it! Now you can view and share this photo gallery online by going to http://www.getdropbox.com/photos
If you’d like more help with photo galleries, head here: (http://www.getdropbox.com/help/18)
– The Dropbox Team
Note: Linking to galleries is limited to folders within your Photos folder. You also cannot link to the Photos folder itself.”
Seems pretty clear to me
Thanks Dave, but what does that information have to do with this blog? If you share that URL (Public Link) with someone and it DOES NOT get on a website, only they can see the contents, and Google would not and cannot index that. The issue of this blog is to let people know that it CAN be viewable if posted somewhere on the internet.
Chris, if the links are public by default, then they are in theory locatable via brute force scripts. I’m not saying that the likelihood is huge, but it is possible.
I was responding to the original blog post, not the discussion around how the public links could get into google’s indexes. Specifically:
1) The existence of the .rtf file in the Photos folder makes it pretty easy for any user to see that their photos could be accessible to anyone because it clearly states that they don’t have to be a Dropbox user.
2) The blog post implies that everything in the Photos folder is shared, which isn’t the case. Only items in sub-folders can be shared.
My main point was that Dropbox have taken the trouble to include a document in every installation that pretty much lays out everything. If a naive user doesn’t realise the implications of posting a link because they don’t understand search engine operations that’s another matter.
To the question of whether links are searchable automatically, I don’t see how this can be the case. Dropbox includes a sample gallery in every installation; since most people probably don’t delete this as a matter of course lots of versions of it would appear in the searches given in the post, which doesn’t appear to be happening.
Check this one: it is a scanner developed to look for files in public Dropbox folders. It has found a lot of files of different types: http://forwardfeed.pl/index.php/2010/02/01/dropbox-public-folder/ really good stuff, as are other Dropbox articles on this site.
Interesting, thanks for the link.
k, got your point, but the link I gave did state similar thought, http://forums.dropbox.com/topic.php?id=37244&replies=7#post-314862
[QUOTE] Public is….well PUBLIC and we make no pretense that there is security there. It’s unlikely that someone is going to guess the name of your file and find it in your Public folder, but we clearly state that it’s possible. I’m sorry if you confused Public with Private, but I don’t think that’s a reasonable interpretation of the name.
[QUOTE] The path to your public folder is always the same, and while these files are also not indexed by Google there is no pretense of privacy. Anything in the Public folder (and we did name it Public) could conceivably be found by others.