Why You Should Check Your Public Dropbox Folders - gHacks Tech News

Why You Should Check Your Public Dropbox Folders

Here is a task for you. Go to Google, Bing or your preferred search engine, and enter the following search term into the search box at the top: site:http://www.dropbox.com/gallery/

What's the result? Right, 25k of unprotected Dropbox photo galleries. You can click on any of the links to see the contents of the selected gallery or folder right in your web browser. (Please note that we are not saying that Dropbox is not doing enough to inform users about that fact)

Even better, you can combine the default search with additional parameters, e.g. wallpapers, to find themed photos on Dropbox.

Second task. Search for site:http://www.dropbox.com/s/ or site:http://dl.dropbox.com/ and let me know what you find. Right, another batch of public folders hosted on Dropbox, again with the possibility to combine the standard search phrase with custom keywords for filtered results.

dropbox public photos

I'd assume that at least some of Dropbox's users do not know that their photos and data may be publicly accessible on the Internet. You see, the Dropbox photo folder, or more precisely its subfolders, is public by design. The Dropbox help explains:

The Photos folder automatically creates online galleries. Any image files you move or copy to your Photos folder are automatically included in an online gallery anyone can view from the Dropbox website. People can download the photos or view them as a slideshow. Because you don't have to deal with uploaders or uploading files through a website one by one, the Photos folder is the easiest way to make your images accessible online.

If you use the Dropbox photo folder for your pictures, you make them accessible for anyone, which includes search engine bots. The only option for you is to store the photos in a different folder to block this from happening. For that, you need to create a new photo folder in your Dropbox structure and use that folder from then on to store your images. The gallery feature however is not available in that new folder which means that other Dropbox users that you share the url with will not be able to see the photos in a gallery in their web browser.

Two folders are public by default. The photo folder and the Public folder. If you copy files into either one, you make them accessible for everyone.

You can share additional folders which are then however only accessible by users that you specify during creation.

Dropbox users may want to check their public folders to make sure that the data stored inside should indeed be public. You can move the data out of the public folders if that is not the case. (via Caschy)

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Hotrao said on April 27, 2011 at 5:08 pm
    Reply

    I think that not all people are so skilled in using applications and at same time dropbox assumes by default that people read service levels and disclaimers (is not so assured in most cases….)

  2. USBman said on April 27, 2011 at 9:24 pm
    Reply

    While I certainly appreciate a call to awareness about the security of our files, unless I simply misread the article, it seemed misleading regarding the nature of the Photos folder. I read the article to imply that any photos inside the Photos folder would automatically be wide open to the public – this is NOT the case.

    To verify this, I did a bit of hunting and found this:

    “If you don’t use the links to your photo galleries, your photos are safe and sound from public viewing, nestled securely behind your login.”
    ( http://www.dropbox.com/help/179 )

    If the user chooses to share a link to galleries inside the Photos folder, they are then public, but can later be removed. Please read the dropbox article for further explanation.

    1. Martin Brinkmann said on April 27, 2011 at 9:46 pm
      Reply

      USBman, you actually could be right about this. I only read this “Any image files you move or copy to your Photos folder are automatically included in an online gallery anyone can view from the Dropbox website” http://www.dropbox.com/help/140 which may be a case of bad wording.

      Then again there is this sentence: Like files in your Public folder, if you no longer wish to share a particular photo in your public gallery, all you need to do is move it out of the Photos folder.

      I will contact Dropbox and ask them directly.

      1. USBman said on April 28, 2011 at 2:29 am
        Reply

        Wonderful – thanks for following up on that! I’m interested in what they say, just as many of your readers likely are!

        …and by the way, yeah – I suspect that you’re right, and that it is just a case of bad wording. Let’s hope, anyhow!

  3. thierry lach said on April 28, 2011 at 1:24 am
    Reply

    Quite frankly, anything stored in the “cloud” should be considered capable of someone else accessing it, perhaps because of this type of situation, perhaps because of a process problem which exposes data which should not have been, or by hacking.

    “Caveat emptor” has been a good motto for over 2000 years, even when the price is free.

    (Please note that I’m not trying to say ANYTHING negative about DropBox – I’m a very satisfied DropBox user.)

  4. Chris J said on April 28, 2011 at 1:25 am
    Reply

    I tried your links. site:http://www.dropbox.com/gallery/ and it doesn’t work for me for firefox or safari.. What are you trying to pull? I do have photo gallery in my Dropbox photo folder. Explain please

    1. Martin Brinkmann said on April 28, 2011 at 7:22 am
      Reply

      Have you tried to open that link directly? Or did you copy paste it into a search form?

  5. Chris J said on April 28, 2011 at 1:27 am
    Reply

    Okay, got it but when they post their gallery online somewhere then the security is lost. Its not Dropbox fault but its good to let people know that it can be googled..

    1. Martin Brinkmann said on April 28, 2011 at 7:21 am
      Reply

      Chris no one is saying it is Dropbox’s fault.

      1. Chris J said on April 28, 2011 at 7:32 am
        Reply

        Okay,, I got that. I think this article is very useful in that it will enlighten readers to what their public folder can do if they post somewhere in the internet. Thanks.

  6. Cake said on April 28, 2011 at 6:42 am
    Reply

    Article is not completely accurate.

    Public links and galleries are “public” in that anyone with the exact URL can access them. However, as long as these exact URLs are not crawled by Google, they won’t appear on Google searches. Get it?

    So basically, as long as you don’t post the exact URLs in public domain, they are safe and secure.

    1. Martin Brinkmann said on April 28, 2011 at 7:17 am
      Reply

      You mean, as long as no-one with access posts those links right? I’m still confused though. Have not heard back yet from Dropbox.

      1. Chris J said on April 28, 2011 at 7:34 am
        Reply
      2. Martin Brinkmann said on April 28, 2011 at 7:55 am
        Reply

        Interesting, still does not clarify if a user has to create a link first for it to become recognizable by search engines. What we do know is that you should be safe as long as the url does not get posted on the Internet. Thanks for following up on it Chris

      3. André said on April 28, 2011 at 8:46 am
        Reply

        It clarifies it perfectly. If the link is posted on teh interwebz, Google can index it. But if you share the link via other means, Google cannot index it. So if I paste a gallery link here, Google can index it because this blog and its comments are searchable by Google.

        For the sake of testing, I have myself tried to Google names of files and folders that I know I have made available via public and photo folder, but only via non-searchable means such as IM or mail, and neither turned up.

  7. Chris J said on April 28, 2011 at 8:40 am
    Reply

    You are welcome, I wish I knew more about how search engine index stuff. But its interesting read

    1. Martin Brinkmann said on April 28, 2011 at 8:42 am
      Reply

      Chris, they basically index everything they can get their hands on, provided that they are not blocked from doing so by the website.

  8. Christina said on April 28, 2011 at 9:59 am
    Reply

    What an emotional rollercoaster!

    I made sure to remove my salacious nose-picking photos; even if this turns out to be a false alarm, I am not going to be caught with my finger in there.

    It is truly a blessing that my grandmother doesn’t know how to Google anything.

  9. Jean-Philippe Encausse said on April 28, 2011 at 12:59 pm
    Reply

    Hello,

    May be some of you guys will be interested, I’ve developped WikiDrop a little P2P Wiki Air application that store a wiki file AND an HTML file for DropBox public folder.

    More information and screenshots here:
    http://wikidrop.encausse.net

    1. Chris J said on April 28, 2011 at 3:43 pm
      Reply

      Doesn’t really prove anything! The wiki page is public and any links that your public HTML file reads are found posted on the internet. Boo on you to feed the hype. We need to be more responsible to post REAL information and truth.

  10. Chris J said on April 28, 2011 at 3:41 pm
    Reply

    It would be nice to create another followup blog and make it aware that no need for Dropbox users to be paranoid if they DO NOT post thier links on any website. Many are getting paranoid and pulling out of a useful service because of misinformation. Its a shame that we been reading from bloggers who thus have good intentions but need to be careful and display the full picture.

  11. Dave Nicholls said on April 28, 2011 at 6:30 pm
    Reply

    Taken from “How to use the Photos folder.rtf” that was put in my Photos folder when I installed Dropbox

    “Dropbox photo galleries allow you to share photos with anyone (even non-Dropbox users). These photos will be presented in a photo gallery that is viewable online.

    Step 1: Make a folder inside the Photos folder, and give it a name (this will be the name of your photo gallery)

    Step 2: Put photos inside the folder you just created.

    That’s it! Now you can view and share this photo gallery online by going to http://www.getdropbox.com/photos

    If you’d like more help with photo galleries, head here: (http://www.getdropbox.com/help/18)

    Happy Dropboxing!
    – The Dropbox Team

    Note: Linking to galleries is limited to folders within your Photos folder. You also cannot link to the Photos folder itself.”

    Seems pretty clear to me

    Dave

    1. Chris J said on April 28, 2011 at 7:55 pm
      Reply

      Thanks Dave, but what does that information has to do with this blog? if you share that url (Public Link) with someone and it DOES NOT get on a website, only they can see the contents, and google would not and cannot index that. The issue of this blog is to let people know that it CAN be viewable if posted somewhere in the internet.

      1. Martin Brinkmann said on April 28, 2011 at 8:14 pm
        Reply

        Chris, if the links are public by default, then they are in theory locatable via brute force scripts. I’m not saying that the likelihood is huge, but it is possible.

      2. Dave Nicholls said on April 29, 2011 at 10:35 am
        Reply

        I was responding to the original blog post, not the discussion around how the public links could get into google’s indexes. Specifically:

        1) The existence of the the .rtf file in the Photos folder makes it pretty easy for any user to see that their photos could be accessible to anyone because it clearlyt states that they don’t have to be a Dropbox user.

        2) The blog post implies that everything in the Photos folder is shared, which isn’t the case. Only items in sub-folders can be shared.

        My main point was the Dropbox have taken the trouble to include a document in every installation that pretty much lays out everything. If a naive user doesn’t realise the implications of posting a link because they don’t understand search engine operations that’s another matter.

        To the question of whether links are searchable automatically, I don’t see how this can be the case. Dropbox includes a sample gallery in every installation; since most people probably don’t delete this as a matter of course lots of versions of it would appear in the the searches given in the post, which doesn’t appear to be happening.

        Dave

  12. stefa_n said on April 28, 2011 at 8:46 pm
    Reply

    Check this one: it is scaner developed to looking file in public Dropbox folders. It has found a lot of files of diffrent types: http://forwardfeed.pl/index.php/2010/02/01/dropbox-public-folder/ realy good stuff, as other dropbox articles on this site.

    1. Martin Brinkmann said on April 28, 2011 at 9:06 pm
      Reply

      Interesting, thanks for the link.

  13. Chris J said on April 28, 2011 at 9:47 pm
    Reply

    k, got your point, but the link I gave did state similar thought, http://forums.dropbox.com/topic.php?id=37244&replies=7#post-314862

    [QUOTE] Public is….well PUBLIC and we make no pretense that there is security there. It’s unlikely that someone is going to guess the name of your file and find it in your Public folder, but we clearly state that it’s possible. I’m sorry if you confused Public with Private, but I don’t think that’s a reasonable interpretation of the name.

    [QUOTE] The path to your public folder is always the same, and while these files are also not indexed by Google there is no pretense of privacy. Anything in the Public folder (and we did name it Public) could conceivably be found by others.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.