Dropbox (and Box?) vulnerability in shared links

[LizKat]

In Ars Technica this afternoon:

Dropbox disables old shared links after tax returns end up on Google... vulnerability that may also affect Box sent shared documents to Google AdWords.

http://arstechnica.com/security/201...ed-links-after-tax-returns-end-up-on-gooogle/

Apparently the original shared link can be revealed in mail header info if the shared link is to a doc containing hyperlinks.

Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:

A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
At that point, the referrer header discloses the original shared link to the third-party website.
Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.