Toorumbee
3 years ago, Helpful | Level 6
Recent Upgrade - Serious Security Issue
SERIOUS SECURITY ISSUE. I have been managing Dropbox for a number of companies for 10 years or more. The recent upgrade that was pushed out to a company I manage last Thursday 01 Sept 2022 has expos...
Toorumbee, 3 years ago
Explanation provided by Ben, a member of the Dropbox advanced support team.
Why was brisbane able to access the "Marsupial Dropbox" folder owned by mlmdropbox?
"On the 9th of September, the Marsupial DropBox user account moved the Marsupial Dropbox folder into the Glascott Group's shared workspace. This caused it to inherit the permissions of the team's shared workspace, causing brisbane to gain access. I can see you immediately removed access; however, since this occurred while the computer was performing the sync, it was enough time for the client to recognise access was given and start syncing. Since access was revoked mid-sync, a shared folder conflict was automatically created and moved to your personal folder."
What Ben has discovered and explained is that if a Team folder obtains Everyone access, even for as little as a few seconds, such as will happen when a folder moved to the Team space automatically inherits permissions from that Team space, then in the few seconds before those permissions are removed, another account that normally doesn't have access to that folder can gain access if that other account is in the process of syncing data to a computer when that brief window of access is granted.
In the case in question, instead of access only lasting for the few seconds it was actually granted, the access lasted long enough for 53.9 GB of data to be downloaded into the other account, and instead of it being removed when the sync process was finally, after several hours, blocked from further access, the 53.9 GB of data was moved to the account's personal folder and renamed as a (shared folder conflict), giving the account full ongoing access to all that data, with the original owner of the data completely unaware this security breach had happened.
Essentially this means that because any folder created in or moved to the Team space is now automatically assigned Everyone access, even if you immediately remove that access and restrict access only to selected users, you can never be sure whether someone who was not intended to have access can access the contents of that folder, possibly for hours, and then retain access to what was incorrectly synced as a (shared folder conflict).
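The grant-then-revoke race described in the post above, as an added worked example that is not part of the original thread and is not Dropbox's own code or API. It runs an exposure-window audit over constructed, hypothetical audit-log and sync-session records: the event names (grant_everyone, revoke_everyone), the pipe-separated log layout, the session records and the personal-folder listing are all assumptions for illustration, not Dropbox's real audit schema. The point it shows is the one Ben's explanation makes: a broad grant that is revoked seven seconds later still overlaps a desktop sync session that was already running, so that account is a candidate for having pulled the folder and for holding a "(shared folder conflict)" copy afterwards.

```python
"""Exposure-window audit for a permission-inheritance race (added example, not Dropbox code)."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample audit events (hypothetical format, not Dropbox's real audit-log schema).
# Fields: ISO timestamp | actor | action | folder
AUDIT_LOG = """\
2022-09-09T10:00:00 | mlmdropbox | move_to_team_space | Marsupial Dropbox
2022-09-09T10:00:00 | system     | grant_everyone     | Marsupial Dropbox
2022-09-09T10:00:07 | mlmdropbox | revoke_everyone    | Marsupial Dropbox
2022-09-09T10:30:00 | mlmdropbox | grant_everyone     | Public Assets
"""

# Constructed desktop-client sync sessions (hypothetical): account | session start | session end
SYNC_SESSIONS = """\
brisbane | 2022-09-09T09:58:30 | 2022-09-09T14:12:00
sydney   | 2022-09-09T11:30:00 | 2022-09-09T11:45:00
"""

# Constructed personal-folder listing for the account whose session overlapped the window
PERSONAL_LISTING = [
    "/brisbane/Invoices",
    "/brisbane/Marsupial Dropbox (shared folder conflict)",
    "/brisbane/Photos",
]

Event = Tuple[datetime, str, str, str]
Window = Tuple[datetime, Optional[datetime]]          # (grant time, revoke time or None if still open)
Session = Tuple[str, datetime, datetime]


def parse_audit(text: str) -> List[Event]:
    """Parse the constructed log into (timestamp, actor, action, folder), oldest first."""
    rows: List[Event] = []
    for line in text.strip().splitlines():
        ts, actor, action, folder = (field.strip() for field in line.split("|"))
        rows.append((datetime.fromisoformat(ts), actor, action, folder))
    return sorted(rows, key=lambda r: r[0])


def exposure_windows(events: List[Event]) -> Dict[str, List[Window]]:
    """Pair each broad grant with the revoke that closes it; a grant never revoked stays open."""
    windows: Dict[str, List[Window]] = {}
    open_since: Dict[str, datetime] = {}
    for ts, _actor, action, folder in events:
        if action == "grant_everyone" and folder not in open_since:
            open_since[folder] = ts
        elif action == "revoke_everyone" and folder in open_since:
            windows.setdefault(folder, []).append((open_since.pop(folder), ts))
    for folder, start in open_since.items():          # still exposed at the end of the log
        windows.setdefault(folder, []).append((start, None))
    return windows


def parse_sessions(text: str) -> List[Session]:
    out: List[Session] = []
    for line in text.strip().splitlines():
        acct, start, end = (field.strip() for field in line.split("|"))
        out.append((acct, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return out


def accounts_at_risk(windows: Dict[str, List[Window]], sessions: List[Session]):
    """Flag (account, folder, window) when a sync session overlaps an exposure window.

    Any overlap counts, however short: the client only has to observe the grant once to
    start pulling the folder, and revoking mid-sync does not undo what was already fetched.
    """
    hits = []
    for folder, wins in windows.items():
        for w_start, w_end in wins:
            for acct, s_start, s_end in sessions:
                if s_start <= (w_end or datetime.max) and s_end >= w_start:
                    hits.append((acct, folder, w_start, w_end))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def conflict_copies(paths: List[str]) -> List[str]:
    """Paths that carry the suffix the post describes for the retained copy."""
    return [p for p in paths if p.endswith("(shared folder conflict)")]


if __name__ == "__main__":
    wins = exposure_windows(parse_audit(AUDIT_LOG))
    for acct, folder, start, end in accounts_at_risk(wins, parse_sessions(SYNC_SESSIONS)):
        span = f"{start.isoformat()} .. {end.isoformat() if end else 'still open'}"
        print(f"CHECK {acct}: sync overlapped exposure of '{folder}' ({span})")
    for path in conflict_copies(PERSONAL_LISTING):
        print(f"RETAINED COPY: {path}")
```

The overlap test is deliberately conservative: it lists accounts to check, not proof that data left the team space. A grant with no matching revoke is reported as still open, which is the case to fix first; the "(shared folder conflict)" scan is the follow-up for accounts the window test flags.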
Hannah
Dropbox Staff
Thanks for your extra info, Toorumbee.
I can assure you that the agent assigned to your case is working on it and you'll have a response from them soon.
Let us know if you need anything else.
___ver, 3 years ago, New member | Level 2
To complete, for this 90-year-old to understand, need and nysestive to install on 24imac